Magic quotes

Because a lot of user input is destined for database entry, PHP used to have a special php.ini setting called magic_quotes_gpc, which meant that PHP would automatically add backslashes (\) before all quotes and other backslashes in GET, POST, and COOKIE data (GPC) - the equivalent of running the addslashes() function.

This functionality used to be turned on by default, which meant that all GPC data coming into your script was safe for database entry, but also meant that if your data was not destined for a database, you needed to disable magic quotes in your php.ini file.

One of the problems with magic quotes was that you could never be sure your scripts were portable - some servers had it enabled, but the majority didn't, which led to all sorts of incompatibilities. As a result, magic quotes was deprecated in PHP 5.3 and is now removed entirely. Trust me: that's a good thing!
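
The portability problem described above, as an added example that is not code from the original page: the same script receives different data depending on the server setting, and double-escapes when it also calls addslashes() itself. emulate_magic_quotes() and script_escapes_itself() are hypothetical helpers (the first only approximates the old setting), and the input is constructed.

```php
<?php
// Approximation of what magic_quotes_gpc did to request data: addslashes()
// applied to every value, including values inside nested arrays.
// Hypothetical helper for illustration, not a PHP built-in.
function emulate_magic_quotes(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value)
            ? emulate_magic_quotes($value)
            : addslashes((string) $value);
    }
    return $out;
}

// A script written on a server without magic quotes, so it escapes its own input.
function script_escapes_itself(array $post): string
{
    return addslashes($post['name']);
}

// Constructed sample input, as a form would submit it.
$submitted = ['name' => "O'Reilly", 'tags' => ['a\\b', 'say "hi"']];

$serverOff = $submitted;                       // magic quotes disabled
$serverOn  = emulate_magic_quotes($submitted); // magic quotes enabled

// Data not destined for a database (shown on a page, for example) carries
// stray backslashes on the server that has the setting enabled.
echo "off, as received: ", $serverOff['name'], PHP_EOL;
echo "on,  as received: ", $serverOn['name'], PHP_EOL;
echo "on,  nested tags: ", implode(' | ', $serverOn['tags']), PHP_EOL;

// The script's own escaping is correct on one server and doubled on the other,
// so the backslashes themselves end up stored in the data.
echo "off, after script: ", script_escapes_itself($serverOff), PHP_EOL;
echo "on,  after script: ", script_escapes_itself($serverOn), PHP_EOL;
```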


Copyright ©2015 Paul Hudson. Follow me: @twostraws.