PHP Configuration File Setting: magic_quotes_gpc

system · August 17, 2011, 6:45pm

One of the ‘php.ini’ variable settings is ‘magic_quotes_gpc’. My production server is running PHP 5.2.17, and the value for this default setting is ‘on’.

I have two test servers, one is running PHP 5.3.5 and the other is running PHP 5.3.6. In both, the setting default value is ‘off’.

I encountered a problem on the production server that is being caused by the ‘magic_quotes_gpc=on;’ setting, and I wanted to change it. The PHP Manual for ‘magic_quotes_gpc’ starts off with a warning that this setting is being deprecated in PHP 5.3.0. Yet, as I said above, both of my test servers are running PHP 5.3 and both list it as a setting. Further, if I change its value on a test server, I clearly see that it had an effect.

My first question is: What is the true situation with this PHP setting. Should it be used or should it be avoided?

My second question is: If it is to be avoided, what are my options for effectively dealing with my issue on the production server that is caused by the setting of this variable?

Thank you.

phphelp · August 17, 2011, 7:46pm

This setting magic_quotes_gpc has not gone from php.ini, and you still can turn it On and Off. In the PHP manual by that warning they just meant that you should not rely to this setting (neither On nor Off) when you create your code. Instead you can use get_magic_quotes_gpc() to check if magic quotes are turned On or Off.

DavidAM · August 17, 2011, 9:37pm

magic_quotes has been deprecated and will likely disappear completely in a future release. The setting now defaults to “off”, where it used to default to “on”. If magic_quotes_gpc is “on” then values in $_GET, $_POST, $_COOKIE and $_FILES will be “magically quoted” when you access them (as if addslashes() had been called). And you will need to call stripslashes() on them to un-quote them. This can cause problems when moving code from one server to another.

The function get_magic_quotes_gpc() will return true or false indicating if the setting is ON or OFF. You can use this function to un-quote the values in your script.

[php]
if (get_magic_quotes_gpc()) {
$user = stripslashes($_GET[‘user’]);
} else {
$user = $_GET[‘user’];
}
[/php]

Note: in my testing I have discovered that the magic_quotes_gpc setting affects the KEYS of these arrays as well as the values.

Len_Jacobson · August 17, 2011, 10:08pm

Thank you, both, very much for these two quick responses!!