In early versions of PHP, get_magic_quotes_gpc() was a function used to detect whether “magic quotes” were enabled. Magic quotes automatically escaped quotes in user input data such as $_GET, $_POST, and $_COOKIE to prevent SQL injection attacks. However, as PHP evolved, this feature was deemed insecure and confusing, and was completely removed in PHP 5.4.
Nonetheless, many legacy projects and codebases still use get_magic_quotes_gpc() and often run into common mistakes, especially when ignoring the case where magic quotes are disabled. This can cause data handling errors or even security risks. This article will cover these common mistakes and how to avoid them.
Magic quotes automatically add backslashes before single quotes ('), double quotes ("), backslashes (\), and NULL characters in input data. For example, the input O'Reilly would automatically become O\'Reilly.
Although it seems to help prevent SQL injection, it actually introduces several issues:
Data may be escaped multiple times, causing malformed strings.
Code logic becomes confusing, making it hard to determine if data has already been escaped.
Developers often overlook cases where magic quotes are disabled.
if (get_magic_quotes_gpc()) {
    $input = stripslashes($_GET['input']);
} else {
    $input = $_GET['input'];
}
This code assumes that magic quotes are either fully enabled or fully disabled and handles only those two extremes. But if magic quotes are disabled, some inputs won’t be escaped, and calling stripslashes on them can actually corrupt the data, because any legitimate backslash in the input is removed.
get_magic_quotes_gpc() was deprecated in PHP 5.4 and removed afterward. Calling it directly in newer PHP versions will cause errors:
if (get_magic_quotes_gpc()) { // Error in PHP 7+
    // ...
}
Many developers only handle $_GET or $_POST data, neglecting other superglobals like $_COOKIE that may also contain escaped characters.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $input = stripslashes($_GET['input']);
} else {
    $input = $_GET['input'];
}
This prevents errors when calling the function on newer PHP versions.
// stripslashes() only accepts strings, so nested input such as ?tags[]=a&tags[]=b
// must be handled recursively rather than with a flat array_map().
function strip_magic_quotes_deep($value) {
    return is_array($value)
        ? array_map('strip_magic_quotes_deep', $value)
        : stripslashes($value);
}

function clean_magic_quotes() {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = strip_magic_quotes_deep($_GET);
        $_POST   = strip_magic_quotes_deep($_POST);
        $_COOKIE = strip_magic_quotes_deep($_COOKIE);
    }
}
clean_magic_quotes();
This code ensures that regardless of the input source, automatically added escape characters are consistently removed to avoid data inconsistency.
Since magic quotes have been deprecated, it’s recommended to completely disable this feature and avoid relying on it for SQL injection prevention. Instead, use the following methods:
Use prepared statements and parameter binding (e.g., PDO or mysqli extensions).
Perform strict validation and filtering of user input.
Use functions like htmlspecialchars() to prevent XSS attacks.
Example code:
$pdo = new PDO('mysql:host=gitbox.net;dbname=testdb', 'username', 'password');
// The value is bound separately from the SQL text, so quotes or backslashes in
// the input can never alter the structure of the query; no addslashes() needed.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->execute(['username' => $_GET['username']]);
$results = $stmt->fetchAll();
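The two failure modes discussed above, stripping slashes that were never added and escaping already-escaped data, together with the prepared-statement alternative, as an added PHP example that is not part of the original article. It simulates the magic-quotes state with a boolean (since get_magic_quotes_gpc() no longer exists on current PHP), uses constructed sample input, and assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the original article. The magic-quotes state is
// simulated with a boolean because get_magic_quotes_gpc() no longer exists.

// Undo magic-quotes escaping recursively, but only if it was actually applied.
function normalize_gpc($value, $magicQuotesOn) {
    if (is_array($value)) {
        return array_map(function ($v) use ($magicQuotesOn) {
            return normalize_gpc($v, $magicQuotesOn);
        }, $value);
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Constructed sample input: what the client actually sent.
$sent = ['name' => "O'Reilly", 'path' => 'C:\\Temp\\report.txt'];

foreach ([true, false] as $magicQuotesOn) {
    // Emulate what $_GET looks like under each php.ini configuration.
    $gpc = $magicQuotesOn ? array_map('addslashes', $sent) : $sent;

    // Legacy mistake: stripping unconditionally, regardless of configuration.
    $wrong = array_map('stripslashes', $gpc);
    // Correct: strip only when the escaping was really added.
    $right = normalize_gpc($gpc, $magicQuotesOn);

    printf("magic quotes %s:\n", $magicQuotesOn ? 'on' : 'off');
    printf("  unconditional stripslashes: %s (%s)\n", $wrong['path'],
        $wrong['path'] === $sent['path'] ? 'intact' : 'CORRUPTED');
    printf("  conditional normalize:      %s (%s)\n", $right['path'],
        $right['path'] === $sent['path'] ? 'intact' : 'CORRUPTED');
}

// Storage: bound parameters handle quotes and backslashes themselves, so the
// normalized values must not be passed through addslashes() again.
// In-memory SQLite keeps the demo offline (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (name TEXT, path TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name, path) VALUES (:name, :path)');
$stmt->execute(normalize_gpc(array_map('addslashes', $sent), true));
$row = $pdo->query('SELECT name, path FROM users')->fetch(PDO::FETCH_ASSOC);
printf("stored: name=%s path=%s\n", $row['name'], $row['path']);
```

With magic quotes off, the unconditional stripslashes() turns the Windows path into C:Tempreport.txt, while the conditional version and the bound insert both keep the original value byte for byte.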
Do not rely on magic quotes as they are outdated and insecure.
If maintaining legacy code, check if get_magic_quotes_gpc() exists before calling it.
Clean all input data uniformly to avoid errors caused by partial handling.
It’s best to update your code to fully abandon magic quotes, adopting safer database access and data filtering methods.
By following these approaches, you can effectively prevent problems caused by ignoring the disabled magic quotes scenario and ensure your code remains stable and secure.