In the history of PHP, Magic Quotes was a feature enabled by default that automatically applied addslashes() to data coming from GET, POST, and COOKIE inputs to prevent SQL injection and other security issues. However, due to the confusion it caused outweighing its benefits, Magic Quotes were completely removed starting from PHP 5.4.0.
Nonetheless, when maintaining some legacy systems, we may still encounter PHP versions 5.3 and earlier, where it is crucial to check whether Magic Quotes are enabled. This article will explain how to use the get_magic_quotes_gpc() function for this purpose and provide best practice recommendations.
The get_magic_quotes_gpc() function is a built-in PHP function used to determine if magic_quotes_gpc is enabled. It returns a boolean value:
Returns true if Magic Quotes are enabled;
Returns false if Magic Quotes are disabled.
if (get_magic_quotes_gpc()) {
    echo "Magic Quotes are enabled";
} else {
    echo "Magic Quotes are disabled";
}
If you receive an error such as "undefined function" when running this function, it indicates your PHP version is higher than 5.4, where Magic Quotes have been removed.
Although Magic Quotes were created with good intentions, they can cause data to be escaped multiple times. Developers need to dynamically decide whether to manually apply stripslashes() depending on the environment. For example:
$user_input = $_POST['username'];
if (get_magic_quotes_gpc()) {
    $user_input = stripslashes($user_input);
}
This code ensures that the $user_input data is not redundantly escaped due to Magic Quotes, allowing for consistent handling afterwards.
The recommended approach is to process all GPC (GET, POST, COOKIE) data at the entry point rather than checking each time the data is used:
function strip_magic_quotes(&$array) {
    foreach ($array as $key => $value) {
        if (is_array($value)) {
            strip_magic_quotes($array[$key]);
        } else {
            $array[$key] = stripslashes($value);
        }
    }
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    strip_magic_quotes($_GET);
    strip_magic_quotes($_POST);
    strip_magic_quotes($_COOKIE);
}
This method ensures that all user input in the application is “cleaned” from the start, simplifying subsequent logic.
While the above method can provide compatibility, the best solution is to upgrade the PHP version. Modern PHP frameworks (such as Laravel, Symfony, etc.) no longer support or rely on Magic Quotes, and have better data filtering and security mechanisms, such as:
Using input filtering functions like filter_input();
Using PDO with parameter binding to prevent SQL injection;
Using htmlspecialchars() for HTML output.
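The following is an added example, not code from the original article. It shows why parameter binding and output escaping make addslashes()-style input escaping unnecessary, and what happens when a Magic Quotes value reaches the database without the entry-point cleanup. It assumes the pdo_sqlite extension is loaded; the users table and the sample input are constructed for illustration.

```php
<?php
// Constructed sample input; a real application would read it from $_POST.
$raw = "O'Reilly";

// Simulate what magic_quotes_gpc delivers on PHP <= 5.3, then the cleanup
// performed at the entry point by strip_magic_quotes().
$magicQuoted = addslashes($raw);
$cleaned     = stripslashes($magicQuoted);

// In-memory SQLite database (hypothetical schema) so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Parameter binding: the value is sent separately from the SQL text,
// so the quote in the name cannot change the statement's structure.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute(array(':name' => $cleaned));

// Binding the still-escaped value stores the stray backslash as data.
// This is the corruption that skipping the cleanup causes.
$insert->execute(array(':name' => $magicQuoted));

// Look up by the name the user actually typed: only the cleaned row matches.
$select = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$select->execute(array(':name' => $raw));
echo 'Rows matching the typed name: ' . $select->fetchColumn() . PHP_EOL;

// Escape at output time, for the HTML context, not at input time.
foreach ($pdo->query('SELECT id, name FROM users ORDER BY id') as $row) {
    echo $row['id'] . ': '
        . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . PHP_EOL;
}
```

The array() syntax is used so the script also runs on the PHP 5.3 installations this article is concerned with.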
When debugging legacy PHP systems, you can use a simple script to quickly check if Magic Quotes are enabled in the current environment:
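echo '<pre>';
echo 'magic_quotes_gpc: ' . (get_magic_quotes_gpc() ? 'ON' : 'OFF') . PHP_EOL;
// Escape before echoing: this page reflects request data into HTML
echo 'Sample $_GET: ' . htmlspecialchars(print_r($_GET, true), ENT_QUOTES);
echo '</pre>';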
After deploying this script, visit a URL such as:
http://gitbox.net/debug.php?name=O'Reilly
If you see output like:
name => O\'Reilly
it means Magic Quotes are active (a backslash was added automatically), and you need to use stripslashes() accordingly.