What are Magic Quotes?
Magic Quotes automatically applies the addslashes() function to all submitted form data.
The motivation behind Magic Quotes was to help keep newbies and beginners from writing bad form-processing PHP code.
Magic Quotes was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0.
The magic done by Magic Quotes is that it implicitly escapes, with a backslash '\', the characters in form data that might be used for SQL injection.
The special characters escaped by PHP are listed in the following table:
Description | Symbol |
Quote | ' |
Double Quote | " |
Backslash | \ |
NULL |
Magic Quotes helped newbies write code faster without paying much attention to making the form processing secure (knowingly or unknowingly). Today even newbies know the importance of data security, and they use database-specific escaping techniques and/or prepared statements instead of relying on Magic Quotes.
Sometimes form data is passed to an email or echoed on another page rather than only being sent to MySQL, and there the added backslashes are not wanted.
How to disable Magic Quotes Server Side
1. If you have access to the php.ini file, set the following directives:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
2. If you do not have access to php.ini, you may add the following code to the .htaccess file.
php_flag magic_quotes_gpc Off
Regards,
Hayden Gill
eUKhost Ltd.
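
The point above about prepared statements and about form data that goes to a page or an email, as an added example (not code from the original post): one submitted value handled per destination, next to what addslashes() does to it. It assumes PHP 5.4 or later with the pdo_sqlite extension; the sample value, table name and function names are constructed for illustration.

```php
<?php
// Added example. Sample input is constructed; 'guests' is a hypothetical table.
$submitted = "Tim O'Reilly said \"hi\" \\ bye";

// What Magic Quotes did to every GET/POST/Cookie value before the script ran.
function magic_quoted($value)
{
    return addslashes($value);
}

// Database destination: the value is bound as a parameter, so it never
// becomes part of the SQL text and needs no backslash escaping at all.
function store_and_fetch(PDO $db, $value)
{
    $stmt = $db->prepare('INSERT INTO guests (name) VALUES (:name)');
    $stmt->execute(array(':name' => $value));
    return $db->query('SELECT name FROM guests ORDER BY rowid DESC LIMIT 1')
              ->fetchColumn();
}

// HTML destination: escape for HTML, which is a different character set
// (<, >, &, quotes) from the one addslashes() handles.
function for_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guests (name TEXT)');

// Raw value through a prepared statement: comes back unchanged.
$clean = store_and_fetch($db, $submitted);

// Magic-quoted value through the same statement: the backslashes are now
// stored as data, which is the corruption people saw with the feature on.
$doubled = store_and_fetch($db, magic_quoted($submitted));

echo "submitted : ", $submitted, "\n";
echo "stored    : ", $clean, "\n";
echo "stored mq : ", $doubled, "\n";
echo "html      : ", for_html($submitted), "\n";
echo "html mq   : ", for_html(magic_quoted($submitted)), "\n";

if ($clean !== $submitted || $doubled === $submitted) {
    throw new RuntimeException('unexpected round-trip result');
}
```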