Magic quotes are a common source of questions for PHP developers. I happened to come across an article about them today; combining it with the PHP Manual and the comments on it, I will give a short summary here.
In short, when Magic quotes is turned on, incoming data is escaped automatically: every single quote ('), double quote ("), backslash, and NULL character gets a backslash added in front of it. This is essentially the same as calling the addslashes function.
Why use Magic quotes
Convenient and fast
The designers of PHP envisioned fast and convenient programming from the beginning. For example, when inserting into a database, Magic quotes will automatically escape the data, which is very convenient.
Good for beginners
Magic quotes can, to a certain extent, help beginners avoid the security risks of scripts. For example, in code without any protection measures, turning on Magic quotes will reduce many risks, such as injection problems. Of course, using this method alone cannot completely prevent such security issues.
"I don't have permission to close it"
You may well be aware of the problem, but the hosting environment is not completely under your control.
Why not use Magic quotes
Portability
Whether this feature is turned on or off affects the portability of the script, because it changes how we have to filter the data afterwards.
Performance issues
All external data is escaped before the script receives it, which undoubtedly adds runtime cost (and not all data needs to be escaped).
Causing confusion
As mentioned above, not all data needs to be escaped. One situation that can arise is that you end up calling the stripslashes function all over the place just to get the unescaped data back.
No longer supported in PHP6
The designers of PHP have apparently realized their "mistake", so they have deprecated it in PHP6.
How to disable Magic quotes
In my opinion, the most reliable way is to disable Magic quotes globally in the php.ini configuration file, as in the code below:

; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

However, the hosting provider may not allow you to modify the php.ini file. In that case you can disable it through the .htaccess file by adding the following line:

php_flag magic_quotes_gpc Off

The above can
For portable code, the data must stay consistent regardless of whether magic_quotes is disabled. The following code can help with that:
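
<?php
// get_magic_quotes_gpc() no longer exists on PHP 8, so check for it first.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Recursively remove the automatically added backslashes
    // from a single value or from a nested array of values.
    function stripslashes_deep($value) {
        $value = is_array($value) ?
            array_map('stripslashes_deep', $value) :
            stripslashes($value);
        return $value;
    }

    // Normalize every superglobal that magic_quotes_gpc touches.
    $_GET = array_map('stripslashes_deep', $_GET);
    $_POST = array_map('stripslashes_deep', $_POST);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}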
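
As an added example (not part of the original article): why Magic quotes alone "cannot completely prevent" injection, and what to use once it is disabled. addslashes only touches quotes, backslashes and NULL characters, so a value placed in a numeric context passes through unchanged, while a bound parameter has no such gap. The table, the sample input and the function names are constructed for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example: constructed table and input, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Hypothetical helper: what magic_quotes_gpc did to each GET/POST/Cookie value.
function magic_quoted($raw) {
    return addslashes($raw);
}

// Unsafe: the value is concatenated into a numeric context, so there is
// no surrounding quote for the added backslashes to protect.
function find_by_id_concat(PDO $db, $id) {
    $sql = "SELECT name FROM users WHERE id = " . magic_quoted($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value is bound as a parameter and is never parsed as SQL.
function find_by_id_bound(PDO $db, $id) {
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request value: it contains none of the characters
// that addslashes escapes.
$input = "1 OR 1=1";

// Compare the escaped value with the raw one.
var_dump(magic_quoted($input) === $input);

// Run the same input through both query styles and compare the row sets.
print_r(find_by_id_concat($db, $input));
print_r(find_by_id_bound($db, $input));
```

Comparing the two row sets shows whether the WHERE clause still restricted the query or whether the input was interpreted as part of the SQL.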