The preferred approach is to tell whoever is running the script that there is a configuration problem. The reason is performance.
Imagine that the script receives a lot of data via $_POST (possibly multidimensional). If you call stripslashes for each level of the array in $_POST and there is a lot of data, the script can take a long time to process and, in some cases, memory consumption increases greatly.
The Exception of the example can be an output, or even a custom message; however, the important thing is always to turn off magic_quotes_gpc and, if possible, to upgrade PHP.
What is magic_quotes_gpc
Warning
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
When on, every ' (single quotation mark), " (double quotation mark), \ (backslash) and NULL character is escaped with a backslash automatically (' becomes \'). This is identical to what the addslashes() function does.
Why we used magic_quotes_gpc
The feature helped some beginners write better code in an attempt to be more secure. But when dealing with code that relies on this feature, it is better to update the code than to turn magic quotes on. So why did it exist? It was meant to help prevent SQL injection. Today's developers are more aware of security and use database-specific escaping mechanisms and/or prepared statements rather than relying on things like magic quotes, for example:
Here are some tips on working with MySQL:
Why we should not use magic_quotes_gpc
- Portability: whether magic_quotes_gpc is turned on or off affects the portability of the code. For example, in new versions of PHP, starting at 5.4, you cannot use it even if you set magic_quotes_gpc in php.ini, since it has been removed.
- Performance: when turned on, it escapes all data from GET, POST, COOKIE and REQUEST, and this can be somewhat costly for the server depending on the amount of data that POST carries, and also in the case of multidimensional arrays (which GET and POST support).
- Inconvenience: not every place where we use the data needs it escaped, which can cause problems and forces you to make excessive use of stripslashes.
Disabling
If you are using PHP 5.4+ you do not have to worry about disabling it, since it has already been removed. However, if you cannot upgrade your server, you will have to edit php.ini and set the following flags like this:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc=Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime=Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase=Off
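The configuration check and the prepared-statement approach described above, as an added example that is not part of the original page. It assumes the pdo_sqlite extension is available; the function and table names (assertMagicQuotesOff, storeAndFetch, authors) are hypothetical, and addslashes() stands in for magic_quotes_gpc, which cannot be turned on in current PHP.

```php
<?php
// Added example, not code from the original page. Written without type
// declarations or short array syntax so it also parses on PHP 5.3.

// Fail fast on a misconfigured server instead of calling stripslashes() on
// every level of $_POST. ini_get() returns false on PHP >= 5.4, where the
// directive no longer exists, so the check passes there.
function assertMagicQuotesOff()
{
    if (filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException(
            'magic_quotes_gpc is enabled: set magic_quotes_gpc=Off in php.ini'
        );
    }
}

// Store a value through a prepared statement and read it back.
// The driver handles quoting, so the value is never escaped by hand.
function storeAndFetch(PDO $db, $name)
{
    $insert = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
    $insert->execute(array(':name' => $name));

    $select = $db->prepare('SELECT name FROM authors WHERE id = :id');
    $select->execute(array(':id' => $db->lastInsertId()));
    return $select->fetchColumn();
}

assertMagicQuotesOff();

// In-memory database so the example runs offline (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample input, as it would arrive in $_POST['name'].
$raw = "Tim O'Reilly";

// Magic quotes off: the stored value is identical to what the user sent.
echo 'stored unchanged: ';
var_dump(storeAndFetch($db, $raw) === $raw);

// addslashes() reproduces what magic_quotes_gpc did to incoming data.
// Combined with a prepared statement, the extra backslash is stored too,
// which is the corruption that forced stripslashes() calls everywhere.
echo 'stored after addslashes(): ';
var_dump(storeAndFetch($db, addslashes($raw)));
```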
Documentation