magic_quotes, addslashes(), and stripslashes() and PHP 6

magic_quotes_gpc, when on, automatically adds slashes to all GET/POST/COOKIE data so that you don’t need to use addslashes() before using GET/POST/COOKIE data in MySQL queries, etc. (e.g. with magic_quotes_gpc OR addslashes(), I’m becomes I\\’m). Well, magic_quotes_gpc is no convenience and just complicates things!

Since magic_quotes_gpc can be on or off, you don’t know whether to use addslashes() or not. You don’t want to use addslashes() when magic_quotes_gpc is on because you’ll add too many slashes (e.g. I’m becomes I\\\\’m), which is bad. Use addslashes() if magic_quotes_gpc is off, and don’t if it’s on (you can find out its setting with get_magic_quotes_gpc()). But you can’t use the same code all the time. One workaround is something such as:

if (!get_magic_quotes_gpc()) { $txt = addslashes($txt);

Using magic quotes has always been confusing and in PHP 6 they are apparantly going to remove it.  So it is better to program your scripts without using get_magic_quotes_gpc at all.

Leave a Reply