Skip to main content
Published: September 27 2007, 3:36:00 PMUpdated: November 28 2020, 3:59:23 PM

By default, PHP 4.x and 5.x will attempt to "sanitize" user input by escaping characters such as single quote, double quote, and backslash. This was done in an attempt to prevent SQL injection and similar attacks. However, this can cause unexpected results in many cases.

Detailed Description

The escaping of  characters is appropriate in certain contexts. Inserting into a database where a single quote is a string delimiter is a case where escaping single quotes is appropriate. However, in XML such escaping may not be appropriate. PHP initially gained popularity as an easy way to connect web servers to databases, and such automatic quoting may have been appropriate. However, as PHP is now used in more contexts, such escaping by default is not appropriate. Thus, PHP 6 will not do such escaping by default.

Here is an example of inappropriate escaping (inappropriate use of "magic_quotes").

Suppose you have an HTML form which provides data to the AddItem call. Your PHP code to pull in the item description for the listing may look like this :

$itemDescription = $_POST['itemDescription'];
In this case, by default, PHP 4.x and PHP 5.x will apply the "magic_quotes" escaping function to variables in the $_POST array. Thus, if the item description entered was :

     Don't do this!

Then your item description after the item is listed will look like this :

Don\'t do this!
There are a couple ways to turn off or remove the effects of this escaping. You can use the PHP function stripslashes, to attempt to undo what PHP had already done to the initial input. To simply turn off magic quotes you have two options. Disable them for the entire PHP installation via the php.ini file, or disable them on a per directory basis with a .htaccess file.

In the php.ini file, you'll see the following by default :

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

Set magic_quotes_gpc Off to prevent automatic escaping for your whole PHP installation. Note that turning off automatic escaping for your whole installation may lead to unexpected behavior and possibly open security holes, so this is not recommended.

You can also turn off magic quotes on a per-directory basis.  This may be the best compromise between convenience and moderation of impact. To do this, add the following to your .htaccess file :

php_flag magic_quotes_gpc off 
Note, however, that "inline or runtime" disabling of magic_quotes_gpc will not have the intended effect.  For example, the following code will still give you escaped characters :

ini_set('magic_quotes_gpc', false);
This is because by the time this code line is encountered the $_REQUEST array will have already been assembled and escaped, so your ini_set will have no effect.

Additional resources

Magic quotes discussion on tizag.com
PHP.net - stripslashes
PHP.net - ini_set

How well did this answer your question?
Answers others found helpful