Web студия "GrandView"

Portability

Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.

Performance

Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient.

Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.

Inconvenience

Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().

add a note User Contributed Notes
Why not to use Magic Quotes

Roland Illig
12-Oct-2007 12:35


The best way to use magic_quotes in PHP is this:



<?php



if (get_magic_quotes_gpc()) {

    die("magic_quotes must be turned off.");

}

?>

rjh at netcraft dot com
13-Jun-2007 02:50


Additionally, addslashes() is not a cure-all against SQL injection attacks. You should use your database's dedicated escape function (such as mysql_escape_string) or better yet, use parameterised queries through mysqli->prepare().

gerard at modusoperandi dot com dot au
13-May-2007 09:53


Apparently it will be removed in PHP 6:



http://www.php.net/~derick/meeting-notes.html#magic-quotes

11-Feb-2006 01:47


It is also important to disable Magic Quotes while in development enivronment. For the reasons mentioned above, not everybody is using Magic Quotes.



An application that works fine with Magic Quotes enabled may have security problems (ie can be subject to SQL attacks) when distributed.

add a note

This mirror generously provided by: Yahoo! Inc.
Last updated: Sun Nov 4 14:16:40 2007 PST