What are Magic Quotes?


    The motivation behind this feature was to help protect newbies and beginners from writing bad form-processing PHP code.
    Magic Quotes has been deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0.

    The magic done by Magic Quotes is that it implicitly escapes, with a backslash '\', the special characters in form data that might be used for SQL injection.

    PHP escapes the special characters listed in the following table:
    Description     Symbol
    Quote           '
    Double Quote    "
    Backslash       \
    Magic Quotes automatically applies the addslashes() function to all form data submitted.

    Magic Quotes helped newbies write code faster without paying much attention to making the form processing secure (knowingly or unknowingly). Today even newbies know the importance of data security, and they use database-specific escaping techniques and/or prepared statements instead of relying on Magic Quotes.
    Sometimes the form data is passed to an email or echoed on another page rather than only being sent to MySQL.

    How to disable Magic Quotes server-side
    1. If you have access to the php.ini file, set the following directives:
    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = Off

    ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
    magic_quotes_runtime = Off

    ; Use Sybase-style magic quotes (escape ' with '' instead of \').
    magic_quotes_sybase = Off

    2. If you do not have access to php.ini, you may add the following line to the .htaccess file:
    php_flag magic_quotes_gpc Off

    Hayden Gill
    eUKhost Ltd.
    Last edited by Rsync; 07-12-2022, 12:39.
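
The point above about form data going to an email or a page as well as to MySQL, shown as an added example that is not part of the original post. The table name, column and sample input are constructed, and the script assumes the pdo_sqlite extension so it can run against an in-memory database.

```php
<?php
// Added illustration: blanket addslashes() (what magic_quotes_gpc did)
// versus escaping per destination. All names and values are constructed.

$raw = "O'Reilly \"Tim\"";   // form input exactly as the user typed it

// magic_quotes_gpc ran addslashes() on every GET/POST/Cookie value
// before the script saw it: a backslash is put before ', " and \.
$magic = addslashes($raw);

// The backslashes then leak into every non-SQL destination.
echo "Echoed with Magic Quotes on:  ", htmlspecialchars($magic, ENT_QUOTES, 'UTF-8'), "\n";

// Legacy scripts had to undo the escaping (arrays included) before
// using the data for anything other than a MySQL string literal.
function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}
$clean = undo_magic_quotes($magic);
echo "After undoing, matches input: ", var_export($clean === $raw, true), "\n";

// With Magic Quotes off, keep the raw value and let each sink do its own
// escaping. SQL sink: a prepared statement, so the value is bound as data
// and never concatenated into the query text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (name TEXT)');

$stmt = $db->prepare('INSERT INTO customers (name) VALUES (:name)');
$stmt->execute([':name' => $raw]);

$stored = $db->query('SELECT name FROM customers')->fetchColumn();
echo "Stored value matches input:   ", var_export($stored === $raw, true), "\n";

// HTML sink: escape at output time, for HTML, not at input time for SQL.
echo "Echoed with per-sink escaping: ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```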
