Magic_Quotes - what's the downside of having them on?

Posted: Fri Apr 04, 2003 11:19 am
by Swede78
I'm just beginning to learn PHP and MySQL web development. According to the book I'm reading, I can turn on magic_quotes_gpc and magic_quotes_runtime so that I don't have to use the addslashes() and stripslashes() functions when dealing with user-inputted data.

Now, when I look at my php.ini file, they are set to "off" by default. I assume that they're off for a reason. But, this book (PHP and MySQL Web Development by Luke Welling and Laura Thomson - very good book by the way) does not give any reasons why you shouldn't turn them on.

The only reason I can see for having them off is so that you get used to writing code with the before-mentioned functions, just in case your script is run from a server where you can't control the settings in php.ini.

Does anybody know any reason that I shouldn't set either magic_quotes_gpc or magic_quotes_runtime to "on"? It seems like such a nice convenience.

Thank you,
Swede

Posted: Fri Apr 04, 2003 12:14 pm
by twigletmac
Whether or not you have magic_quotes on, you will still have to use the stripslashes() function; it only automatically adds escape characters, it does not automatically remove them, so it's not as convenient as you think.

The main reason for not having magic_quotes on is that you will not always want escape characters added and will end up having to use stripslashes() to remove them whenever you retrieve GET, POST and COOKIE information that you aren't about to put into a database.

Leave it off and use addslashes() when you need it; it'll be less hassle.

Mac
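
The behaviour discussed in this thread, as an added example that is not part of either post: one form field followed through the "on" and "off" settings, to display and to storage. It goes one step beyond the thread by also covering a script written for "off" that runs on a server set to "on", where the value is escaped twice and a literal backslash ends up in the stored data. The helpers gpc_escape() and stored_value() and the sample field are assumptions made for the illustration, and the setting is simulated with addslashes() so the script does not depend on php.ini.

```php
<?php
// Added illustration. gpc_escape() and stored_value() are hypothetical helpers.

// What magic_quotes_gpc did to each GET/POST/COOKIE value before the script
// ran: the same escaping as addslashes() (', ", \ and NUL get a backslash).
function gpc_escape(array $input): array
{
    return array_map(
        fn($v) => is_array($v) ? gpc_escape($v) : addslashes($v),
        $input
    );
}

// Approximates what MySQL keeps after parsing an escaped string literal:
// one level of backslash escaping is consumed.
function stored_value(string $escaped): string
{
    return stripslashes($escaped);
}

$raw = ['author' => "Tim O'Reilly"];   // constructed sample form field

// Setting on: the script only ever sees the escaped copy.
$on = gpc_escape($raw);
printf("on,  echoed as-is:           %s\n", $on['author']);
printf("on,  echoed + stripslashes:  %s\n", stripslashes($on['author']));
printf("on,  stored:                 %s\n", stored_value($on['author']));

// Setting off: the script sees the raw value and escapes once,
// only at the point where the value goes into a query.
printf("off, echoed as-is:           %s\n", $raw['author']);
printf("off, stored:                 %s\n", stored_value(addslashes($raw['author'])));

// Setting on AND the script calls addslashes() itself: the value is
// escaped twice, so one backslash survives into the stored data.
$double = addslashes($on['author']);
printf("on + addslashes(), stored:   %s\n", stored_value($double));
```

Nothing here is sent to a database; stored_value() only models the unescaping step. magic_quotes_gpc was removed in PHP 5.4, and current PHP code binds query parameters rather than escaping with addslashes().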