This tutorial is a quick look at what magic_quotes_gpc is, why it is used, and how to turn it on or off.
What are Magic Quotes?
Magic Quotes, generally speaking, is the process of escaping special characters with a '\' so that a string can be placed in an SQL query without breaking it. This is considered 'magic' because PHP can do it automatically for you if magic_quotes_gpc is turned on.
More specifically, if magic_quotes_gpc is turned on for the copy of PHP you are using, all GET, POST and cookie variables (gpc, get it?) will already have special characters such as ", ' and \ escaped by the time your script sees them, so they can be put directly into an SQL query.
In effect, this is the same as running addslashes() on every variable passed from the browser, automatically, before you even see it.
Finding out if you're using Magic Quotes
To find out if you have magic quotes enabled, you can check the php.ini file directly or run a simple test in PHP. If you don't have administrative access to the server that your site is hosted on, skip past the php.ini example and go straight to the PHP test below.
To check php.ini, first you have to find it. Normally the file will be in /usr/local/lib/ if PHP was compiled from source, or in /etc/ if PHP was installed from a binary package.
Failing either of these locations, you can always cheat and run a:
After you've located the php.ini file, go ahead and run a grep against it for the option in question, like this:
You should get back one line; I get this because I have shut off magic quotes:
If your line shows 'On', magic quotes are obviously enabled on your system.
If you don't have access to php.ini on your system, a simple way to find out whether magic quotes are enabled is this short PHP script:
Bring this script up in your browser and click the submit button. If the resulting page has one slash, magic quotes are off. If there are two, magic quotes are on. Simple.
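As an added example (not the tutorial's own test script), here is one way to write that slash test as a self-submitting form. The field is pre-filled with a\b, which contains a single backslash; if magic_quotes_gpc is on, PHP runs addslashes() on the POST data and the value arrives as a\\b, so counting backslashes in what comes back gives the answer. The result is cross-checked against get_magic_quotes_gpc(), which exists from PHP 4 to 7.4 and is guarded with function_exists() because it was removed in PHP 8.0. It assumes PHP 4.1 or later for $_POST and $_SERVER.

```php
<?php
// Added example, not the tutorial's own script: a self-submitting form
// that performs the slash test. The probe value a\b has one backslash.
// With magic_quotes_gpc on, PHP applies addslashes() to the POST data and
// the value arrives as a\\b (two backslashes); with it off, it arrives
// unchanged (one backslash). Only POST is exercised here; magic_quotes_gpc
// treats GET and cookie data the same way.

$probe   = 'a\\b';   // single-quoted PHP string: a, one backslash, b
$verdict = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['probe'])) {
    $received = $_POST['probe'];
    $count    = substr_count($received, '\\');   // number of backslashes received
    $verdict  = ($count >= 2) ? 'ON' : 'OFF';

    // Cross-check against the runtime flag where the function still exists
    // (removed in PHP 8.0, so treat absence as "unavailable").
    $flag = function_exists('get_magic_quotes_gpc')
        ? (get_magic_quotes_gpc() ? 'ON' : 'OFF')
        : 'unavailable';
}
?>
<!DOCTYPE html>
<html>
<head><title>magic_quotes_gpc test</title></head>
<body>
<form method="post" action="">
  <!-- htmlspecialchars() so the probe appears literally in the attribute -->
  <input type="text" name="probe" value="<?php echo htmlspecialchars($probe); ?>">
  <input type="submit" value="Test">
</form>
<?php if ($verdict !== ''): ?>
  <!-- The received value is user-controlled: always escape it before echoing -->
  <p>Received: <code><?php echo htmlspecialchars($received); ?></code>
     (<?php echo $count; ?> backslash<?php echo $count === 1 ? '' : 'es'; ?>)</p>
  <p>Slash test says magic quotes are <strong><?php echo $verdict; ?></strong>;
     get_magic_quotes_gpc() says <strong><?php echo $flag; ?></strong>.</p>
<?php endif; ?>
</body>
</html>
```

Save it as any .php file under the web root, load it, and press Test. Two backslashes in the received value (and get_magic_quotes_gpc() reporting ON) means the setting is active for that directory; since magic_quotes_gpc can be set per directory, run the test from the directory your application actually lives in.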
Magic Quote Advantages
Having magic quotes turned on has some advantages. As I see them, here they are:
Magic Quote Disadvantages
Having magic quotes turned on has lots of disadvantages. As I see them, here they are:
Enabling / Disabling Magic Quotes
Magic quotes may be enabled or disabled in the php.ini file (see above) simply by changing the value of magic_quotes_gpc from On to Off, or from Off to On. If you do not have access to the php.ini file, ask the system administrator for your host about having magic quotes turned on or off. With the proper configuration this can also be done on a per-directory basis.
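Because the setting can differ between hosts and even between directories, code that has to run under either value should not guess. The added example below (not the tutorial's code) undoes the automatic addslashes() only when magic_quotes_gpc is actually on, so the script always works with the raw value the browser sent, and then escapes explicitly for each destination: parameter binding for SQL and htmlspecialchars() for HTML. It assumes PDO (PHP 5.1 or later) for the database part; the DSN, credentials, table and column names are placeholders. magic_quotes_gpc itself was removed in PHP 5.4, so on current PHP the guard is always false and only the explicit escaping matters.

```php
<?php
// Added example, not the tutorial's own code.
// Step 1: make input independent of the magic_quotes_gpc setting.
// Step 2: escape for the destination (SQL binding, HTML escaping), not
//         "once for everything" as magic quotes tries to do.

// Recursively strip the slashes that magic quotes added. Only ever called
// when the setting is on, so a value is never un-escaped twice.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        // array_map with a single array preserves string keys
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

function magic_quotes_active()
{
    // get_magic_quotes_gpc() exists from PHP 4 to 7.4; treat absence as off.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

if (magic_quotes_active()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// From here on $_POST['name'] is exactly what the browser sent (e.g. O'Reilly),
// whatever php.ini says.
$name = isset($_POST['name']) ? $_POST['name'] : '';

// Database: bind the value instead of concatenating it into the SQL string.
// DSN, credentials, table and column are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $name));

// Display: escape for the HTML context. The backslashes that addslashes()
// would have added are wrong here; HTML needs &quot; and &#039;, not \" and \'.
echo '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
```

With the setting off, either globally (magic_quotes_gpc = Off in php.ini) or per directory (php_flag magic_quotes_gpc Off in an Apache .htaccess, since the option is PHP_INI_PERDIR), the normalization block does nothing and the script behaves identically, which is the point: the data reaching the query and the page is the same on every host.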
Default Magic Quote Settings
By default magic_quotes_gpc was turned off in all 3.x.x versions of PHP. However, all PHP 4.x.x versions have this option turned on by default. To insert a little bit of personal opinion, I think this was a horrible mistake, because I feel that magic_quotes_gpc is problematic in professional applications and encourages sloppy programming behaviour. That is, however, just my opinion, and the FACT is that the version of PHP you are using probably has this option on by default.
feel my control being taken off without notice
Oh my fuckin magic quotes, GTFO! Leave me fuckin alone. I don't need your fuckin help!
However, it must be said that this performance hit is unlikely to be important except on the most heavily viewed sites.
The main consequence of using it is that a) any data which is inserted into a database does not need further sanitizing with addslashes(), and b) any data which is not to be inserted into a database (e.g. if it is to be displayed on the page) must have the escaped characters restored to normal, using stripslashes().
IMO it is better to switch it off. You do have to be more careful when inserting user-submitted data into a database, but that is really a good thing anyway. Magic quotes encourages the sort of sloppy programming that tends to cause more problems than it avoids, in the long run.
It only works for POST variables but could be easily changed to work for the others as well (I'm guessing)
The $debug variable is just a standard debugging tool with which I can turn on all debugging from within one section of code at a time. Just set it to 1 if you want verbose information from the tool.
Any comments very welcome.
The reason being that it guarantees that this is the version of php.ini being used by your server, as there often seems to be at least 3 php.ini files lying around on most systems ;-)
Yes, yet another comment that doesn't add anything useful to the conversation, but hey, I feel a lot better :)