In PHP versions before 5.4, the get_magic_quotes_gpc() function was used to check whether the magic_quotes_gpc directive was enabled. When set to On, PHP automatically escaped every value submitted via GET, POST, and COOKIE, applying exactly the transformation addslashes() performs: a backslash was inserted before single quotes ', double quotes ", backslashes \, and NUL bytes. This was intended as a blanket defence against SQL injection, but it only helped for databases that use backslash escaping in string literals, did nothing for values used in numeric context, and in practice caused inconvenience and double escaping of the data.
When magic_quotes_gpc is enabled, user-submitted data is automatically escaped. If developers then apply functions like addslashes() again on this data, it results in double escaping. For example, if the original input string is:
I'm a user.
After the first automatic escaping by magic_quotes_gpc, it becomes:
I\'m a user.
If addslashes() is applied again at this point:
I\\\'m a user.
Both the backslash that magic_quotes_gpc added and the quote itself are escaped a second time. When this literal reaches a database that interprets backslash escapes (MySQL with its default SQL mode), one escape layer is consumed and the stored value becomes I\'m a user. rather than I'm a user.; the stray backslash then appears on every later read. The content stored in the database no longer matches the user's original input, which leads to data inconsistency.
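The whole sequence in runnable form, as an added example that is not part of the original article: the double escape, the correct single-escape path, and the opposite mistake of stripping slashes when magic quotes are off. addslashes() stands in for magic_quotes_gpc, since the directive applied exactly that escaping, and storedByDatabase() is a hypothetical helper that models how a backslash-aware database such as MySQL decodes the body of a quoted literal.

```php
<?php
// Added example, not the article's own code. magic_quotes_gpc applied the same
// escaping as addslashes(), so addslashes() emulates it here; no legacy PHP needed.

function magicQuotesEmulated($raw)
{
    return addslashes($raw);                     // what the directive did on its own
}

// Legacy handler that does not know magic quotes already ran: escapes again.
function naiveHandler($gpcValue)
{
    return addslashes($gpcValue);
}

// Handler that undoes the automatic escaping only when it actually happened,
// then escapes exactly once.
function awareHandler($gpcValue, $magicQuotesOn)
{
    $clean = $magicQuotesOn ? stripslashes($gpcValue) : $gpcValue;
    return addslashes($clean);
}

// Hypothetical model of a backslash-aware database (MySQL, default SQL mode)
// decoding the body of a quoted literal: one escape layer is consumed.
function storedByDatabase($literalBody)
{
    return stripslashes($literalBody);
}

$original = "I'm a user.";
$fromGpc  = magicQuotesEmulated($original);      // I\'m a user.

$double = naiveHandler($fromGpc);                // I\\\'m a user.
$single = awareHandler($fromGpc, true);          // I\'m a user.

printf("submitted  : %s\n", $original);
printf("after gpc  : %s\n", $fromGpc);
printf("double     : %-16s stored as: %s\n", $double, storedByDatabase($double));
printf("single     : %-16s stored as: %s\n", $single, storedByDatabase($single));

assert(storedByDatabase($double) === "I\\'m a user.");   // stray backslash persists
assert(storedByDatabase($single) === $original);         // round-trips intact

// The opposite mistake: stripping when magic quotes are OFF destroys real backslashes.
$path = "C:\\temp\\new";                          // C:\temp\new, submitted with magic quotes off
assert(storedByDatabase(awareHandler($path, false)) === $path);
assert(storedByDatabase(awareHandler($path, true))  === "C:tempnew");  // data silently lost
```

The last two assertions are the reason the check on get_magic_quotes_gpc() matters: stripslashes() is only correct when PHP really did add the slashes.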
To avoid double escaping, code should first check whether magic_quotes_gpc is enabled. If it is, strip the automatically added slashes and only then escape once for the target database; if it is not, the input must be left alone, because stripslashes() applied to unescaped data silently deletes every backslash the user actually typed.
Since form data arrives as (possibly nested) arrays, the stripping has to walk the input recursively so that every value is processed, not just the top level.
Here is a sample code:
function cleanInput($data) {
    if (is_array($data)) {
        // recurse into nested arrays such as $_POST['user']['name']
        return array_map('cleanInput', $data);
    }
    return stripslashes($data);
}

// get_magic_quotes_gpc() itself was removed in PHP 8.0, so guard the call
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = cleanInput($_GET);
    $_POST    = cleanInput($_POST);
    $_COOKIE  = cleanInput($_COOKIE);
    $_REQUEST = cleanInput($_REQUEST); // assembled from the three above, so escaped too
}
In this example, cleanInput() walks nested arrays with array_map() and applies stripslashes() to every leaf value to remove the escape characters magic quotes added. If get_magic_quotes_gpc() returns true, it cleans $_GET, $_POST, $_COOKIE and $_REQUEST in place; it must run before any other code reads those arrays. Note that this simple version leaves array keys untouched even though magic_quotes_gpc escaped keys as well as values.
It is important to note that magic_quotes_gpc was deprecated in PHP 5.3.0 and removed in PHP 5.4.0; from 5.4 onwards get_magic_quotes_gpc() always returns false, and the function itself was deprecated in PHP 7.4 and removed in PHP 8.0. The problem therefore no longer exists in modern PHP development. However, when maintaining legacy projects or working with older systems, it is still useful to know how to handle it.
If you are still using an older PHP version and cannot upgrade, it is advisable to apply one unified cleaning routine at the initialization stage of your project (the front controller, or a file loaded through the auto_prepend_file directive), so that all inputs are cleaned exactly once before any further processing and no individual script has to reason about magic quotes itself.
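A unified cleaner of that kind, serving both the cleanInput() walkthrough above and this initialization advice, as an added example rather than code from the article. Compared with cleanInput() it also unescapes array keys (magic_quotes_gpc escaped keys as well as values), includes $_REQUEST, and guards the get_magic_quotes_gpc() call so the same file loads on PHP 8, where the function no longer exists. The function names and the sample $_POST contents are constructed for this example.

```php
<?php
// Added example, not the article's own code: a bootstrap include for a legacy
// project that must load unchanged from PHP 5.x through PHP 8.
//   * keys are unescaped too, because magic_quotes_gpc escaped array keys as well;
//   * $_REQUEST is included, since it is assembled from the GPC arrays;
//   * get_magic_quotes_gpc() is called only if it exists (removed in PHP 8.0).
// Old-style syntax (array(), no type hints) is deliberate for PHP 5 compatibility.

function magicQuotesActive()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

function stripMagicQuotes($value)
{
    if (!is_array($value)) {
        return is_string($value) ? stripslashes($value) : $value;
    }
    $clean = array();
    foreach ($value as $key => $item) {
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = stripMagicQuotes($item);   // recurse into nested arrays
    }
    return $clean;
}

// Call once, before any code reads the superglobals. Returns whether anything
// was stripped, which is useful for logging during a migration.
function undoMagicQuotes()
{
    if (!magicQuotesActive()) {
        return false;          // nothing to undo; never strip real backslashes
    }
    $_GET     = stripMagicQuotes($_GET);
    $_POST    = stripMagicQuotes($_POST);
    $_COOKIE  = stripMagicQuotes($_COOKIE);
    $_REQUEST = stripMagicQuotes($_REQUEST);
    return true;
}

undoMagicQuotes();

// Constructed sample of what $_POST looked like on a magic_quotes_gpc=On server,
// fed to the cleaner directly so the effect is visible on any PHP version.
$sample = array(
    'user' => array(
        'name' => "I\\'m a user.",       // I\'m a user.
        'path' => "C:\\\\temp",          // C:\\temp  (a real backslash, escaped once)
    ),
    "it\\'s" => 'escaped key',           // it\'s
    'n'      => 7,                       // non-strings pass through untouched
);
$cleaned = stripMagicQuotes($sample);

assert($cleaned['user']['name'] === "I'm a user.");
assert($cleaned['user']['path'] === "C:\\temp");
assert(array_key_exists("it's", $cleaned));
assert($cleaned['n'] === 7);
```

Because undoMagicQuotes() is a no-op when magic quotes are inactive, the same include can stay in place after a PHP upgrade and be removed at leisure.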
Additionally, using modern database access methods such as PDO with parameter binding not only prevents SQL injection but also avoids the hassle of manual string escaping. For example:
$pdo = new PDO('mysql:host=localhost;dbname=test', 'user', 'password');
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
$stmt->execute(['email' => '[email protected]']);
As shown above, parameter binding keeps user input out of the SQL text, so escaping is no longer the application's job and a value such as I'm a user. is stored exactly as typed. Two caveats apply: binding covers values only, so table and column names, ORDER BY directions and LIKE wildcards inside a bound value still need separate handling; and with the MySQL driver PDO emulates prepares on the client by default, so set PDO::ATTR_EMULATE_PREPARES to false (and declare the charset in the DSN) to get genuine server-side prepared statements.
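The same idea run end-to-end, as an added example that is not from the article: PDO's SQLite driver with an in-memory database so it runs offline (the MySQL DSN above works identically with the query code unchanged), a constructed users table, a concatenated query beside the bound one, and the value-only limitation of binding. findByEmailUnsafe() and findByEmailSafe() are names chosen for this example.

```php
<?php
// Added example, not the article's own code. sqlite::memory: is used so the
// script runs without a database server; with MySQL you would also pass
// PDO::ATTR_EMULATE_PREPARES => false in the constructor options.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, bio TEXT)');

// Constructed rows; the first bio is the article's own example string.
$insert = $pdo->prepare('INSERT INTO users (email, bio) VALUES (:email, :bio)');
$insert->execute(array('email' => 'alice@example.com', 'bio' => "I'm a user."));
$insert->execute(array('email' => 'bob@example.com',   'bio' => "C:\\temp"));

// The anti-pattern: user input concatenated into SQL. Shown only for contrast.
function findByEmailUnsafe(PDO $pdo, $email)
{
    $sql = "SELECT email FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The fix: the value travels separately from the SQL text.
function findByEmailSafe(PDO $pdo, $email)
{
    $stmt = $pdo->prepare('SELECT email FROM users WHERE email = :email');
    $stmt->execute(array('email' => $email));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$attack = "' OR '1'='1";
// Concatenation: the tautology matches every row.
assert(count(findByEmailUnsafe($pdo, $attack)) === 2);
// Binding: the whole string is compared as one value; nothing matches.
assert(count(findByEmailSafe($pdo, $attack)) === 0);
// Normal lookups still work, and no addslashes() was ever needed.
assert(findByEmailSafe($pdo, 'alice@example.com') === array('alice@example.com'));

// Round trip: the stored text is exactly what was submitted, quote and backslash included.
$stmt = $pdo->prepare('SELECT bio FROM users WHERE email = :email');
$stmt->execute(array('email' => 'alice@example.com'));
assert($stmt->fetchColumn() === "I'm a user.");
$stmt->execute(array('email' => 'bob@example.com'));
assert($stmt->fetchColumn() === "C:\\temp");

// Caveat: binding protects values only. Identifiers cannot be bound, and LIKE
// wildcards inside a bound value are still interpreted by the database.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE email LIKE :pattern');
$stmt->execute(array('pattern' => '%'));      // a bound "%" still matches everything
assert((int) $stmt->fetchColumn() === 2);
```

If a LIKE pattern comes from the user, escape % and _ in the value yourself (and declare the ESCAPE character in the query); binding alone does not do that for you.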
magic_quotes_gpc's automatic escaping mechanism was a “seemingly safe” design but often caused more trouble in actual development. Understanding how it works and adopting appropriate handling methods can effectively prevent double escaping issues. Meanwhile, it is recommended to adopt modern PHP programming paradigms and database interfaces, gradually phasing out reliance on such outdated features to improve code maintainability and security.