What are Magic Quotes in PHP?

[Rob Dizzle]

Hi friends,
I have done some basic programs in PHP programming language. I was just going through the tutorials where I got the statement of Magic Quotes. Nothing was explained about it. So i thought that asking you guys would be better.!! So please tell me what are Magic Quotes in PHP.?? Any other information related to the topic would be grateful.!!

[Allan.d]

Magic quotes is a controversial feature of the PHP scripting language. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed. Magic Quotes is the process of escaping special characters with a '\' to allow a string to be entered into a database. When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.

[Reegan]

There are three magic quote directives which are described as follows :

1. magic_quotes_gpc - This directive you can use for settting the magic_quotes state for GPC (Get/Post/Cookie) operations. If the magic_quotes_sybase directive is also ON it will completely override magic_quotes_gpc.
2. magic_quotes_runtime - If you have enabled this option then, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash.
3. magic_quotes_sybase - If this is enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc.

[Zecho]

There is no strong reason for using the Magic Quotes, since they are not supported in new versions of PHP. However, they did exist and did help a few beginners blissfully and unknowingly write better (more secure) code. But, when dealing with code that relies upon this behavior it's better to update the code instead of turning magic quotes on. When you come across scripts that rely on this type of behavior, it is recommended to modify the code and disable magic quotes. Why this feature has appeared? Simply to protect SQL injections. Today, developers are more aware of security issues, and appropriate mechanisms for protection of their databases, or prepared statements instead of passing by magic quotes.

[Viensterrr]

There are some drawbacks of Magic Quotes, so you can ignore them. The following are some drawbacks of it :

1. Portability - This directive can be enabled or disabled depending on the servers and this affects portability. Use get_magic_quotes_gpc () to check if they are active or not and adjust your application.
2. Performance - Because not all data that is eventually placed in a database, there is a performance loss for escaping all this data. The simple appeal of protection functions as needed is more effective (addslashes ()). Even if php.ini-active development of these options by default, php.ini-recommended disables it. This recommendation is made primarily for reasons of speed.
3. Impractical - As all data do not necessarily need protection, it is often annoying to see escaped data where it is useless.

[MELTRONICS]

The directive magic_quotes_gpc can not be disabled at the system level, not at runtime. In other words, use ini_set () is not possible. Here's an example that gives off the value of these directives in the php.ini. The following is an example of disabling magic quotes server side :

Code:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off