Magic Quotes is a process that auto magically escapes incoming data to the PHP script. It’s preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
Magic quotes is a controversial feature of the PHP scripting language, which was introduced to help newcomers write functioning SQL commands without requiring manual escaping. It was later described and widely misinterpreted as help to prevent inexperienced developers from writing code which is vulnerable to SQL injection attacks. This feature is officially deprecated as of PHP 5.3.0, and removed in PHP 5.4 due to security concerns.
First things first, you need to check to see if you have magic quotes enabled on you server. The get_magic_quotes_gpc function will return a 0 (off) or a 1 (on). These boolean values will fit nicely into an if statement where 1 is true and 0 is false.
<?php if(get_magic_quotes_gpc()) echo "Magic quotes are enabled"; else echo "Magic quotes are disabled"; ?>
The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.
Example #1 Disabling magic quotes server side
An example that sets the value of these directives to Off in php.ini.
; Magic quotes ; ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = Off ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. magic_quotes_runtime = Off ; Use Sybase-style magic quotes (escape ' with '' instead of '). magic_quotes_sybase = Off
If access to the server configuration is unavailable, use of .htaccess is also an option. For example:
php_flag magic_quotes_gpc Off
In the interest of writing portable code, like if setting at the server level is not possible, here’s an example to disable magic_quotes_gpc at runtime. This method is inefficient so it’s preferred to instead set the appropriate directives elsewhere.
Example #2 Disabling magic quotes at runtime
<?php
if (get_magic_quotes_gpc()) {
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process)) {
foreach ($val as $k =--> $v) {
unset($process[$key][$k]);
if (is_array($v)) {
$process[$key][stripslashes($k)] = $v;
$process[] = &$process[$key][stripslashes($k)];
} else {
$process[$key][stripslashes($k)] = stripslashes($v);
}
}
}
unset($process);
}
?>
NOTES : You should include the above code in index.php file or in the file where you want.
Similarly, Enabling magic quotes at runtime
<?php
if (!get_magic_quotes_gpc()) {
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process)) {
foreach ($val as $k =--> $v) {
unset($process[$key][$k]);
if (is_array($v)) {
$process[$key][addslashes($k)] = $v;
$process[] = &$process[$key][addslashes($k)];
} else {
$process[$key][addslashes($k)] = addslashes($v);
}
}
}
unset($process);
}
?>
Enjoy!!!
