get_magic_quotes_gpc Common Issues with Multibyte Character Encodings and Their Solutions

gitbox 2025-09-18

In PHP, get_magic_quotes_gpc is a function used to check whether the magic_quotes_gpc directive is enabled. magic_quotes_gpc is an outdated PHP setting that was originally designed to automatically escape data from $_GET, $_POST, and $_COOKIE inputs to prevent SQL injection attacks. However, when working with multibyte character encodings such as UTF-8, this automatic escaping may cause unexpected issues, particularly with non-English character sets.

1. The Purpose of get_magic_quotes_gpc

get_magic_quotes_gpc checks the PHP magic_quotes_gpc setting and returns true or false. If magic_quotes_gpc is set to on, PHP automatically escapes data from $_GET, $_POST, and $_COOKIE. This means that all single quotes ('), double quotes ("), and backslashes (\) are automatically prefixed with a backslash (\).

2. Issues with Multibyte Character Encodings

magic_quotes_gpc often causes unintended results when handling multibyte character encodings such as UTF-8. UTF-8 uses multiple bytes to represent a single character, but magic_quotes_gpc is primarily designed for single-byte character sets. This can incorrectly add backslashes to multibyte characters, corrupting the original encoding.

For example:

Suppose a form input contains a Chinese character like "你好". If magic_quotes_gpc is enabled, it might insert a backslash in the middle of the byte sequence, turning the string into "你\好" or "你\\好". This prevents the backend from correctly decoding the original characters and can even result in garbled text.
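
The mechanism described above can be reproduced with addslashes(), which applies the same byte-oriented escaping as magic_quotes_gpc. This is an added example, not code from the original article; it uses Shift_JIS (PHP's 'SJIS-win') as the sample encoding because its trailing bytes can take the value 0x5C, and the function names and sample bytes are constructed for illustration.

```php
<?php
// Added example, not from the original article. The sample bytes are constructed.
// Assumes the mbstring extension and PHP 7.4+ (for mb_str_split).

/**
 * List the characters of $bytes (decoded as $encoding) that are longer than
 * one byte and contain a byte value that byte-oriented escaping treats as
 * a quote or a backslash.
 */
function chars_hit_by_escaping(string $bytes, string $encoding): array
{
    $hits = [];
    foreach (mb_str_split($bytes, 1, $encoding) as $index => $char) {
        // strcspn() returns the length of the prefix that is free of ', " and \
        if (strlen($char) > 1 && strcspn($char, "'\"\\") < strlen($char)) {
            $hits[] = ['char_index' => $index, 'hex' => bin2hex($char)];
        }
    }
    return $hits;
}

/** Compare a string before and after addslashes(), which is not encoding-aware. */
function escape_report(string $bytes, string $encoding): array
{
    $escaped = addslashes($bytes);
    return [
        'hex_before'   => bin2hex($bytes),
        'hex_after'    => bin2hex($escaped),
        'chars_before' => mb_strlen($bytes, $encoding),
        'chars_after'  => mb_strlen($escaped, $encoding),
        'hits'         => chars_hit_by_escaping($bytes, $encoding),
    ];
}

// Constructed sample: the Shift_JIS character "表" is the byte pair 0x95 0x5C.
$sample = "\x95\x5C";
print_r(escape_report($sample, 'SJIS-win'));
```

The report shows the extra 0x5C byte in hex_after and the character count changing, and chars_hit_by_escaping() can be run over stored legacy data to find values whose characters were affected this way.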

3. Why PHP Deprecated magic_quotes_gpc

magic_quotes_gpc was originally designed to prevent SQL injection, but as PHP evolved, this directive became discouraged due to several issues:

  • It cannot properly handle multibyte character encodings.

  • It adds extra escape characters, forcing developers to perform additional unescaping when processing input data.

  • Modern database queries can effectively prevent SQL injection using prepared statements, making magic_quotes_gpc unnecessary.

As a result, magic_quotes_gpc was completely deprecated in PHP 5.4.0 and removed entirely in PHP 7.0.0.

4. Solutions for Handling Multibyte Character Encodings

4.1 Ensure magic_quotes_gpc is Disabled

First, make sure magic_quotes_gpc is disabled. You can disable it in the PHP configuration file (php.ini):

```ini
magic_quotes_gpc = Off
```

Additionally, in PHP code, you can use get_magic_quotes_gpc() to check if the setting is enabled. If it is, you can manually remove the escape characters:

```php
// get_magic_quotes_gpc() does not exist in current PHP releases, so guard the call.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Input arrays can be nested (e.g. name[]=a), so unescape recursively.
    $strip = function ($value) use (&$strip) {
        return is_array($value) ? array_map($strip, $value) : stripslashes($value);
    };
    $_GET = array_map($strip, $_GET);
    $_POST = array_map($strip, $_POST);
    $_COOKIE = array_map($strip, $_COOKIE);
}
```

4.2 Use Proper Character Encoding

When handling form input, ensure the client and server use the same character encoding, preferably UTF-8. This can be set in the HTML document:

```html
<meta charset="UTF-8">
```

In PHP, use the mb_convert_encoding function to ensure consistent encoding:

```php
$input = mb_convert_encoding($input, 'UTF-8', 'auto');
```

4.3 Use Prepared SQL Statements

To prevent SQL injection attacks, always use prepared SQL statements instead of relying on magic_quotes_gpc for automatic escaping. This approach not only resolves encoding issues but also provides strong protection against SQL injection.

Use PDO or MySQLi to implement prepared statements:

```php
// Using PDO
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->execute();

// Using MySQLi
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
```
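
To see why bound parameters make automatic escaping unnecessary, the following added example (not code from the original article) stores the same multibyte input twice in an in-memory SQLite database: once bound as-is, and once pre-escaped with addslashes() the way magic_quotes_gpc would have delivered it. The table, column, function name and sample input are constructed, and the pdo_sqlite extension and a UTF-8 source file are assumed.

```php
<?php
// Added example, not from the original article.
// Assumes pdo_sqlite and mbstring are loaded and this file is saved as UTF-8.

/** Insert $value through a prepared statement and read the stored row back. */
function store_and_fetch(PDO $pdo, string $value): string
{
    $insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $insert->bindValue(':body', $value, PDO::PARAM_STR);
    $insert->execute();

    $select = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $select->bindValue(':id', (int) $pdo->lastInsertId(), PDO::PARAM_INT);
    $select->execute();
    return (string) $select->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed input: multibyte text plus a single quote, double quotes and a backslash.
$input = "你好, it's a \"test\" C:\\temp";

// Bound as a parameter: the driver passes the bytes through as data.
$bound = store_and_fetch($pdo, $input);

// Pre-escaped as magic_quotes_gpc did: the added backslashes are stored as data.
$preEscaped = store_and_fetch($pdo, addslashes($input));

var_dump($bound === $input);                  // is the bound value byte-identical?
var_dump(mb_check_encoding($bound, 'UTF-8')); // is it still valid UTF-8?
var_dump($preEscaped === $input);             // did pre-escaping preserve the value?
var_dump(bin2hex($preEscaped) === bin2hex(addslashes($input)));
```

With MySQL, also declare the connection character set (for PDO, `charset=utf8mb4` in the DSN) so that the driver and the server agree on the encoding of bound values.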

5. Summary

get_magic_quotes_gpc and magic_quotes_gpc are no longer recommended in modern PHP development. When handling multibyte character encodings, special attention should be paid to escaping and encoding consistency to ensure data integrity and security. The best practice is to disable magic_quotes_gpc, use modern input-handling methods such as prepared SQL statements, and maintain a consistent character encoding like UTF-8 to avoid garbled characters and unnecessary escaping issues.