PHP
downloads | documentation | faq | getting help | mailing lists | reporting bugs | php.net sites | links | conferences | my php.net

search for in the

Disabling Magic Quotes> <Why use Magic Quotes
Last updated: Sat, 24 Mar 2007

view this page in

Why not to use Magic Quotes

  • Portability

    Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.

  • Performance

    Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient.

    Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.

  • Inconvenience

    Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().



Disabling Magic Quotes> <Why use Magic Quotes
Last updated: Sat, 24 Mar 2007
 
add a note add a note User Contributed Notes
Why not to use Magic Quotes
estoesunapija at hotmail dot com
15-Sep-2008 07:26
<?php

//One could use array_walk, altough i think it was fun
//and simple doing it this way.

 class oop {

      //toObject        : Transforms an array into an object filtering it
      //$source         : Array to transform
      //$currentLevel : See $maxLevels
      //$maxLevels   : Protect the system in case of lots of recursion
      //                     i.e. <input type="text" name="test[][]....[N]"

      public static function toObject($source=array(),$array=array(),$maxLevels=3,$currentLevel=0) {

         if ( !sizeof($source) || ($currentLevel > $maxLevels) ) return FALSE;

         $array   =  (sizeof($array)) ? $array : $source;
         $obj     =  new stdClass();

         foreach ($array as $k => $v){

            if (is_array($v)) {

               $obj->$k self::toObject($source,$v,$maxLevels,++$currentLevel);

               continue;

            }

            //Assign to the object $obj, the key and the value of the actual value of $source

            $obj->$k=$v;

         }

         return $obj;

      }

   }

   /* Eexamples

      $post    =  oop::toObject($_POST)   ;
      $get     =  oop::toObject($_GET)    ;
      $session =  oop::toObject($_SESSION);

      var_dump ($post)   ;
      var_dump ($get)    ;
      var_dump ($session);

   */

?>
sir dot steve dot h+php at gmail dot com
07-Dec-2007 05:45
I find it useful to define a simple utility function for magic quotes so the application functions as expected regardless of whether magic_quotes_gpc is on:

function strip_magic_slashes($str)
{
    return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}

Which can be annoying to add the first time you reference every $_GET /$_POST/$_COOKIE variable, but it prevents you from demanding your users to change their configurations.
rjh at netcraft dot com
13-Jun-2007 11:50
Additionally, addslashes() is not a cure-all against SQL injection attacks. You should use your database's dedicated escape function (such as mysql_escape_string) or better yet, use parameterised queries through mysqli->prepare().
gerard at modusoperandi dot com dot au
14-May-2007 06:53
Apparently it will be removed in PHP 6:

http://www.php.net/~derick/meeting-notes.html#magic-quotes
11-Feb-2006 10:47
It is also important to disable Magic Quotes while in development enivronment. For the reasons mentioned above, not everybody is using Magic Quotes.

An application that works fine with Magic Quotes enabled may have security problems (ie can be subject to SQL attacks) when distributed.
add a note add a note

Disabling Magic Quotes> <Why use Magic Quotes
Last updated: Sat, 24 Mar 2007
 
 
show source | credits | sitemap | contact | advertising | mirror sites