PHP Magic Quotes
What are Magic Quotes?
Magic Quotes is a PHP feature that is designed to help escape potentially malformed data inputs in PHP forms. The problem with Magic Quotes is that it escapes not only suspicious characters but inverted commas and speech marks as well.
This can wreak havoc on any sentence that contains apostrophes or words surrounded by quotation marks.
So how should we work with Magic Quotes?
You are far better off just turning them off in the php.ini file. Open your php.ini file, where you will normally find the Magic Quotes settings around line 124, and comment them out. If you are on a shared hosting environment and cannot get access to your .ini file, you can create your own .ini file with the Magic Quotes settings commented out and upload it to the root of your server. First, though, it is worth testing whether they are set at all, which you can do like so:
<?php
// get_magic_quotes_gpc() was removed in PHP 8.0, so check that it exists before calling it
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    echo "Magic quotes are enabled";
else
    echo "Magic quotes are disabled";
?>
What happens if you are stuck with Magic Quotes?
PHP has a function that will address this and it’s called stripslashes and works thus:
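<?php
// get_magic_quotes_gpc() no longer exists in PHP 8, so check for it first
$magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
if (isset($_POST['question'])) {
    // Remove those slashes
    $question = $magic ? stripslashes($_POST['question']) : $_POST['question'];
    echo "Removed Slashes: ";
    // Escape for HTML so the submitted text cannot inject markup into the page
    echo htmlspecialchars($question, ENT_QUOTES, 'UTF-8');
}
?>
<form method='post'>
Question: <input type='text' name='question'/>
<br/>
<input type='submit'>
</form>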
It removes the slashes from the quotes but also has the sense to keep legitimate slashes in.
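The following is an added example, not code from the original post: it applies the same stripslashes approach to a whole request array, including nested arrays such as checkbox groups, and checks that legitimate backslashes survive the round trip. The helper names undo_magic_quotes() and magic_quotes_active() and the sample data are assumptions made for illustration; addslashes() stands in for what Magic Quotes did to incoming data.

```php
<?php
// Hypothetical helper: recursively remove magic-quotes escaping from a value.
// Array keys are left as they are; only string values are unescaped.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Hypothetical helper: true only when the running PHP still applies magic quotes.
// get_magic_quotes_gpc() was removed in PHP 8.0, so test for it before calling.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Normalise real request data once, at the top of the script.
if (magic_quotes_active()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed sample: what the user typed, including a legitimate backslash.
$typed = array(
    'question' => 'Why won\'t "C:\\temp" open?',
    'tags'     => array("it's", 'path\\file'),
);

// Simulate magic quotes, which escaped incoming data the way addslashes() does.
$received = $typed;
array_walk_recursive($received, function (&$v) {
    $v = addslashes($v);
});

$restored = undo_magic_quotes($received);

echo "As received: ", $received['question'], "\n";
echo "Restored:    ", $restored['question'], "\n";
echo "Round trip matches original: ";
var_dump($restored === $typed);

// Escape for the output context when the value is shown in an HTML page.
echo htmlspecialchars($restored['question'], ENT_QUOTES, 'UTF-8'), "\n";
```

Unescaping only when magic_quotes_active() is true matters: calling stripslashes on data that was never escaped would eat the user's own backslashes.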