Is Magic_Quotes_Gpc Useful or Not?


Very often I come across magic_quotes_gpc, the PHP setting that automatically escapes GET, POST and COOKIE data. This function provides one of many protective functions for the site. When developing a new site, it is very important to pay attention to the security of scripts, especially when performing various operations with the database. For example, when you insert or update data in the database, the data needs to be escaped so that the SQL code cannot be attacked.

For example, we have the following SQL code:

$data = mysql_query("SELECT * FROM friends WHERE name='" .
 $_GET['name'] . "'");

If $_GET['name'] is equal to the value S'smile, the database query will look like this:

$data = mysql_query("SELECT * FROM friends WHERE 
name='S'smile'");

This query will fail with an error when it is executed!
And what if an attacker enters the following in the GET request:

?name=S'; SHOW DATABASES; …

And then ?name=S'; DROP DATABASE db_name; …

I think such input can be used to obtain any information from the database or to destroy everything, and this can be a real disaster for a website owner.

To prevent that, there is a function that escapes all data from GET, POST and COOKIE by default. But what should you do when the escaping has a negative effect, for example when handling the request:

«index.php?name=S'smile»

In this case, the following code:

<a href="#"><?= $_GET['name']?></a>

will be displayed in the browser as: S\'smile
And if you also escape the value manually with addslashes, the code:

<script type="text/javascript">
    common.OtherFunction('<?= addslashes($_GET['name'])?>');        
…    
</script>

will display the following:

<script type="text/javascript">
    common.OtherFunction('S\\\'smile');
…..
</script>

which is wrong in this case, because there should be only one slash. So you should disable this feature at the beginning of the site's development, and then escape text only where it is required, or disable the feature whenever the data needs to be processed manually.

There are several ways to disable this feature:

1. Through php.ini. To do this, look for the line magic_quotes_gpc = on in it and change its value to Off. As a result, we should get the following: magic_quotes_gpc = Off. This method can be used only when you have access to the server's php.ini file.

2. Through php.ini in the root of the site. Create a php.ini file in the root of the site and add the line magic_quotes_gpc = Off.

3. Through .htaccess. To do this, create a file named .htaccess in the site's root directory and add the following line to it: php_value magic_quotes_gpc off. Thus magic_quotes_gpc will be disabled for this site.

4. In PHP code. This will disable the function when there is a need for manual data processing. For this, add ini_set ('magic_quotes_gpc', 'off') to your code. This lets you work in either automatic or manual data processing mode, which can be really convenient.

I must note that to make options 1 and 2 work you should restart the PHP service. If your site is located on hosting, you can do it through the control panel.

Also note that option 1 applies to all sites running on this server, so in this case you should be careful!

Options 2 and 3 apply only to this site. They are the most commonly used.

Option 4 is only good for specific tasks that the PHP code itself has to perform.

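If for some reason you can't disable this feature, you can check for it in the script:

<?php
  $name = $_GET['name'];
  // If magic_quotes_gpc has already escaped the input, keep it as it is;
  // otherwise escape it manually with addslashes().
  $name = get_magic_quotes_gpc() ? $name : addslashes($name);
  # looks like: S\'smile
  echo $name;
?>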

This script checks whether magic_quotes_gpc is enabled; if it is not, it applies the addslashes function to the variable. PHP 6 doesn't have this function. But there are many scripts that are written for an older version of PHP, so this issue will still be relevant for many. So whether this function is useful or not depends on the site's functionality and its needs. But the choice is yours to make! ;)
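
As an added example (not code from the original article), the script below takes the slashed value from the double-escaping case above, undoes the automatic escaping once, and then escapes per output context, swapping addslashes for a bound query parameter, htmlspecialchars and json_encode. The helper name strip_gpc_slashes, the hard-coded input and flag, and the in-memory SQLite table (which needs the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Added example: names and sample data below are constructed for illustration.

// Undo one layer of magic_quotes_gpc escaping, including array parameters
// such as ?name[]=a&name[]=b (hypothetical helper name).
function strip_gpc_slashes($value)
{
    return is_array($value)
        ? array_map('strip_gpc_slashes', $value)
        : stripslashes($value);
}

// Constructed stand-in for $_GET['name'] as it arrives when the automatic
// escaping is on for the request index.php?name=S'smile
$raw = "S\\'smile";
// Hard-coded so the script runs anywhere; on a PHP version that still has
// the setting, use the result of get_magic_quotes_gpc() instead.
$magicQuotesOn = true;
$name = $magicQuotesOn ? strip_gpc_slashes($raw) : $raw;

// SQL context: a bound parameter keeps the quote out of the SQL text.
$db = new PDO('sqlite::memory:');   // assumes the pdo_sqlite extension
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE friends (name TEXT)');
$db->prepare('INSERT INTO friends (name) VALUES (?)')->execute(array($name));
$stmt = $db->prepare('SELECT name FROM friends WHERE name = ?');
$stmt->execute(array($name));
$stored = $stmt->fetchColumn();     // value as stored, without added slashes

// HTML context: encode markup characters and both quote styles.
$html = '<a href="#">' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '</a>';

// JavaScript context: json_encode emits a complete, quoted string literal,
// so no surrounding quotes are written by hand.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
$js = 'common.OtherFunction(' . json_encode($stored, $flags) . ');';

echo $html, "\n";
echo $js, "\n";
```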
