`magic_quotes_gpc` is a PHP configuration setting enabling "magic quotes" (automatic escaping) for GET/POST/COOKIE variables.
When magic_quotes_gpc
is enabled in PHP's configuration, PHP uses a method identical to addslashes()
to automatically insert backslashes before certain problematic characters (\
, '
, "
, and \0
) in GET/POST/COOKIE values before they are passed to the script. The intent was to reduce the chance of their causing an error when interpolated directly into HTML or SQL, enabling PHP developers to write safer code without changing their habits.
Among their numerous drawbacks, though, is that if a script does properly escape data, assuming that magic quotes will be off, it will often break when this option is enabled; the resulting data will often have visible backslashes in it. In order to work both ways, a script needs to remove the added backslashes (using stripslashes()
) if, and only if, magic quotes are enabled. Most problems these days have to do either with double-escaping caused by magic quotes, or with disabling the option on servers/hosts that have this misfeature enabled and do not allow configuration changes.
Magic quotes have been deprecated as of PHP 5.3, and removed entirely as of 5.4. Even in versions that still support them, their use is not recommended. The suggested course of action is instead to escape the data as needed, using a method appropriate for the data's intended destination.
More reading: