Magic quotes

Because a lot of user input is destined for database entry, PHP has a special php.ini setting called magic_quotes_gpc. When it is enabled, PHP automatically places a backslash (\) before all quotes and other backslashes in GET, POST, and COOKIE data (GPC), the equivalent of running the addslashes() function on that data.

This functionality used to be turned on by default, which meant that all GPC data coming into your script was safe for database entry, but also meant that if your data was not destined for a database, you needed to disable magic quotes in your php.ini file.

The problem with magic quotes was that you could never be sure your scripts were portable - some servers had it enabled, but the majority didn't, which led to all sorts of incompatibilities. As a result, magic quotes was deprecated in PHP 5.3 and will be removed in the next major release.
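The portability problem described above, as an added example that is not code from the original chapter: the same form field is processed as a magic-quotes server and a non-magic-quotes server would deliver it, normalized back to raw input, and stored through a bound parameter instead of relying on addslashes()-style escaping. The helper names and the sample input are hypothetical, and the script assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example: constructed input, in-memory SQLite (assumes pdo_sqlite).

// What magic_quotes_gpc did to each incoming GET/POST/COOKIE value.
function simulate_magic_quotes($value) {
    return is_array($value) ? array_map('simulate_magic_quotes', $value)
                            : addslashes($value);
}

// Reverse it, recursing into arrays such as name[]=... form fields.
function strip_magic_quotes($value) {
    return is_array($value) ? array_map('strip_magic_quotes', $value)
                            : stripslashes($value);
}

// Hypothetical helper: return raw input whatever the server setting is.
function normalize_gpc(array $data, $magicQuotesOn) {
    return $magicQuotesOn ? strip_magic_quotes($data) : $data;
}

// On a real request: get_magic_quotes_gpc() no longer exists in PHP 8,
// so guard the call before trusting it.
$liveSetting = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
$_POST = normalize_gpc($_POST, $liveSetting);

// Constructed sample: one form field as two differently configured
// servers would have handed it to the script.
$raw       = array('author' => "O'Reilly \\ Sons");
$serverOn  = simulate_magic_quotes($raw);   // quote and backslash escaped
$serverOff = $raw;                          // delivered untouched

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (author TEXT)');
$insert = $db->prepare('INSERT INTO books (author) VALUES (:author)');

foreach (array(array($serverOn, true), array($serverOff, false)) as $case) {
    list($input, $magicQuotesOn) = $case;
    $clean = normalize_gpc($input, $magicQuotesOn);
    // Bound parameter: the driver handles quoting, no addslashes() needed.
    $insert->execute(array(':author' => $clean['author']));
}

// Print what was stored for each server configuration.
foreach ($db->query('SELECT author FROM books') as $row) {
    echo $row['author'], "\n";
}
```

Skipping the normalization step on the magic-quotes server would store the escaped form with its extra backslashes, which is the incompatibility the chapter describes.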

 
