Magic Quotes Deprecated in PHP


Magic quotes is enabled in the php.ini by …

magic_quotes_gpc = On

and is disabled by …

magic_quotes_gpc = Off

To see whether magic quotes is on or off on your server, you can use phpinfo(). To determine if magic quotes is on or off in code during runtime, use get_magic_quotes_gpc().

On PHP.net, it says …

“This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.”

Story Behind Magic Quotes

Magic Quotes is on by default and has been useful to beginner PHP programmers for preventing security holes like SQL injection in their code. This is because when magic quotes is on, PHP automatically runs the “addslashes” function on any values passed via “get”, “post”, or “cookies” (“gpc” for short). Whenever you pass user-submitted data into the database, you should always use addslashes to prevent SQL injection attacks.

However, addslashes is not needed for every piece of data, so there is a performance hit when magic quotes is turned on. And sometimes addslashes adds slashes when you don’t want them, causing you to have to undo the slashes with “stripslashes()”.

PHP.net encourages developers to have magic quotes turned off and use addslashes when necessary.
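The following is an added example, not code from the original article: it shows the "undo with stripslashes, then escape once where needed" pattern described above, so that code behaves the same whether magic_quotes_gpc is On or Off. The helper names strip_magic_slashes() and raw_input_data() are hypothetical, and the sample arrays are constructed to mimic what $_POST would contain.

```php
<?php
// Added example: helper names are hypothetical; sample data is constructed.

// Recursively remove the slashes that magic_quotes_gpc added to a value or array.
function strip_magic_slashes($value)
{
    return is_array($value)
        ? array_map('strip_magic_slashes', $value)
        : stripslashes($value);
}

// Return request data as the client sent it, whether or not magic quotes is on.
// $quotesOn lets the caller supply the setting; by default it is detected at runtime.
function raw_input_data(array $data, $quotesOn = null)
{
    if ($quotesOn === null) {
        // Guard the call: get_magic_quotes_gpc() is absent on PHP releases
        // that removed the feature.
        $quotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $quotesOn ? strip_magic_slashes($data) : $data;
}

// Constructed sample: what the client sent ...
$sent = array('name' => "O'Reilly", 'tags' => array('a"b', 'c\\d'));
// ... and what the script receives when magic_quotes_gpc = On.
$quoted = array('name' => "O\\'Reilly", 'tags' => array('a\\"b', 'c\\\\d'));

// Escaping already-quoted input a second time doubles the slashes.
var_dump(addslashes($quoted['name']));

// Undo the automatic quoting first, then compare with what was sent.
$clean = raw_input_data($quoted, true);
var_dump($clean === $sent);

// With magic quotes off, the data passes through untouched.
var_dump(raw_input_data($sent, false) === $sent);

// Escape once, at the point of use, as the article recommends.
var_dump(addslashes($clean['name']));
```

Calling raw_input_data($_POST) with no second argument detects the setting itself, so the same script can run on servers configured either way.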