3.3.3 Setting up Magic Quotes


Magic Quotes is a functionality that was first introduced in PHP to automatically escape quotes and backslashes (\) in data submitted through HTTP requests. It was developed to protect against SQL injections and other security attacks. The feature automatically adds a backslash before each quote and backslash in variables coming through HTTP requests ($_GET, $_POST, and $_COOKIE) to PHP scripts.

Magic Quotes were designed to simplify the processing of data coming through HTTP requests and reduce the risk of SQL injections. However, their automatic use can lead to unpredictable behavior, so use of this mechanism is considered obsolete and is not recommended. The Magic Quotes extension was deprecated in PHP 7.4 and was officially removed in PHP 8.0. Turning off Magic Quotes allows for greater flexibility and security in PHP programs by allowing you to manually control data processing and escaping.

Setting up Magic Quotes

Depending on the PHP operation mode of your website (PHP as CGI or PHP as Apache), you can manage the extension using php.ini or .htaccess files. More about the configuration file php.ini.

Magic Quotes is enabled by default only on PHP 5.2 and 5.3, to disable it follow these steps:

1. If PHP for the WWW domain is set to CGI mode:

  • Log in as a user to the file manager in the php-bin folder.
  • Set permissions 600 for the php.ini file.
  • In the php.ini file, specify the following lines:
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

2. If PHP for the WWW domain is enabled in Apache module mode, specify the following lines in the www/domain_name/.htaccess file:

php_flag magic_quotes_gpc Off
php_flag magic_quotes_runtime Off
php_flag magic_quotes_sybase Off

Important: The extension is enabled by default only for versions PHP 5.2 and 5.3. However, as of PHP 7.4 this extension is deprecated and was removed in PHP 8.0. Official documentation.