WHM PHP Editor - Glitch Still Present - DEFAULT Not Recognized


May 30, 2012
cPanel Access Level
Root Administrator

I am aware that I don't have a "high" post count here. I created this account a while back, and don't use it that much. Normally, once I get a server set up to my needs it runs like a dream for a long time :D

I did recently move to another server and, like anyone with security as a top priority, went in and started changing things out of the box.

The following post illustrates a bug or glitch in WHM's Advanced PHP Configuration Editor that, a few versions later, is still not fixed: http://forums.cpanel.net/f5/magic-quotes-off-php-ini-but-shows-258262.html

I am on version: WHM 11.34.0 (build 9)

I went through the advanced editor looking for specific things only. For instance, I changed expose php to off, turned remote include and fopen off, etc. In addition, I looked over the magic quotes settings and they were marked out and set to DEFAULT OFF. So I didn't touch them, as I shouldn't have to. After my changes, I checked out phpinfo() and noticed they were on. Stumped, I searched Google (because it knows everything) and found the link I posted above.

I wanted to bring it to your attention, as well as other cPanel/WHM users, that this glitch is still present. Some people want magic quotes on, others hate it and want it off. To each his own. However, I urge everyone to figure out which side of the line they are on... On or Off.. and double check their server to ensure it is set to the value they really want it to be.

For those that don't know, in short it is supposed to protect you but can cause issues with different "pre-made" systems such as Joomla, WordPress, etc. It escapes quotes found in GET requests with a \ to try and prevent a hacker from doing whatever they are trying to do. While it can protect you, it can also cause tons of headaches.

For me, since I write my own systems, I sanitize all user input and make security my #1 priority. I don't need magic quotes getting in my way. If a hacker wants in my sites, they will have to be really good. 9 times out of 10, attacks are made by amateurs with low end knowledge about what they are doing.

I noticed this glitch because my sanitizing function was not working after getting onto the new server. It appears that htmlentities() breaks with magic quotes on? I haven't done further testing, but at first glance it was causing issues.

Just a heads up to you guys. A 30-second check could save you hours later on, when you have long forgotten that you even read this post. ;)
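
The check the post recommends can be scripted. This is an added example, not part of the original post or any cPanel tooling: it compares the effective values reported in `php -i` style output against a wanted list. The function name `audit_php_ini`, the `WANTED` list (all Off is an assumption about what this admin wants) and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Wanted values for the directives named in the post (assumption: all Off).
WANTED='expose_php=Off allow_url_fopen=Off allow_url_include=Off magic_quotes_gpc=Off magic_quotes_runtime=Off magic_quotes_sybase=Off'

# Constructed sample of `php -i` output ("directive => local => master"),
# reproducing the situation in the post: the editor shows magic quotes
# as default Off, but the running PHP reports them On.
SAMPLE='allow_url_fopen => Off => Off
allow_url_include => Off => Off
expose_php => Off => Off
magic_quotes_gpc => On => On
magic_quotes_runtime => Off => Off
magic_quotes_sybase => Off => Off'

# audit_php_ini: reads `php -i` style lines on stdin, prints one line per
# directive whose effective (local) value differs from WANTED or is absent.
# Returns 0 when everything matches, 1 otherwise.
audit_php_ini() {
    awk -v wanted="$WANTED" '
    BEGIN {
        n = split(wanted, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, "=")
            want[kv[1]] = kv[2]
            order[i] = kv[1]
        }
    }
    {
        # Field 2 is the local (effective) value, field 3 the master value.
        m = split($0, f, " => ")
        if (m >= 2 && (f[1] in want)) seen[f[1]] = f[2]
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in seen)) {
                printf "MISSING %s (wanted %s)\n", k, want[k]; bad++
            } else if (tolower(seen[k]) != tolower(want[k])) {
                printf "MISMATCH %s effective=%s wanted=%s\n", k, seen[k], want[k]; bad++
            }
        }
        exit (bad > 0)
    }'
}

# Usage on a live server: php -i | audit_php_ini
```

The command-line PHP binary can load a different php.ini than the web server's PHP, so a clean result here should still be confirmed against the phpinfo() page served by the site itself.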