Monthly Archives: March 2014

PHP Magic Quotes – A Thing Of The Past

I’ve got a few DirectAdmin servers running, anytime someone inserts data into the database I either escape the incoming data or use parametrized sql (better way).

If you find you insert something like Mr’Toad and you end up with Mr\’Toad on your screen you probably have one or more of PHP magic quotes enabled. Check your php.ini file and if you have one or more enabled turn them off.

A lot of systems will no longer run if they are enabled and as of PHP 5.3 they are DEPRECATED. If you happen to be using PHP 5.4 you will find they are totally REMOVED so don’t rely on them!

You will want to ensure you have lines in your php.ini showing they are off:

; Magic quotes are a preprocessing feature of PHP where PHP will attempt to
; escape any character sequences in GET, POST, COOKIE and ENV data which might
; otherwise corrupt data being placed in resources such as databases before
; making that data available to you. Because of character encoding issues and
; non-standard SQL implementations across many databases, it’s not currently
; possible for this feature to be 100% accurate. PHP’s default behavior is to
; enable the feature. We strongly recommend you use the escaping mechanisms
; designed specifically for the database your using instead of relying on this
; feature. Also note, this feature has been deprecated as of PHP 5.3.0 and is
; scheduled removed in PHP 5.4.
; Default Value: On
; Development Value: Off
; Production Value: Off
; http://php.net/magic-quotes-gpc
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
; http://php.net/magic-quotes-runtime
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ‘ with ” instead of \’).
; http://php.net/magic-quotes-sybase
magic_quotes_sybase = Off

If you have any doubts about your system settings, check phpinfo();