
PHP – Magic Quotes just a basic explanation October 12, 2010

Posted by Tournas Dimitrios in PHP.

Prior to PHP 6 there was a feature called magic quotes that was created to help protect newbie programmers from writing bad form processing code. Magic quotes would automatically escape risky form data that might be used for SQL Injection (see my post on SQL Injection) with a backslash \. The characters escaped by PHP are: the single quote ‘, the double quote “, the backslash \ and NULL characters.

However, this newbie protection proved to cause more problems than it solved and is not in PHP 6. If your PHP version is any version before 6 then you should use this lesson to learn more about how magic quotes can affect you.

There are three magic quote directives:

  • magic_quotes_gpc Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP. See also get_magic_quotes_gpc().
  • magic_quotes_runtime If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP. See also set_magic_quotes_runtime() and get_magic_quotes_runtime().
  • magic_quotes_sybase If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped, as ''. Double quotes, backslashes and NULLs will remain untouched and unescaped. See also ini_get() for retrieving its value.
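To see what the three directives actually do to a string, here is a small emulation (an added example, not code from the original post). PHP's addslashes() performs exactly the escaping that magic_quotes_gpc applied, so it stands in for the gpc directive; the sybase variant is a plain replacement of ' with ''. The sample string is the one used later in this post, with a constructed NUL byte appended so that all four risky characters are exercised.

```php
<?php
// Emulation of the magic-quote directives on one string (added example).
// addslashes() applies the same escaping magic_quotes_gpc did: a backslash is
// put in front of ' " \ and NUL (NUL is written out as the two characters \0).
function magic_quotes_escape($input, $gpc = true, $sybase = false)
{
    if ($sybase) {
        // magic_quotes_sybase overrides gpc: only the single quote is touched,
        // and it is doubled instead of backslashed.
        return str_replace("'", "''", $input);
    }
    if ($gpc) {
        return addslashes($input);
    }
    return $input;
}

// Make an embedded NUL byte visible when printing.
function visible($s)
{
    return str_replace("\0", "<NUL>", $s);
}

// Constructed sample: the post's string plus a trailing NUL byte.
$raw = "Hello visitor , \"It's a beautiful day outside and I like to use \\'s.\"\0";

echo "raw           : ", visible($raw), "\n";
echo "gpc only      : ", visible(magic_quotes_escape($raw)), "\n";
echo "sybase        : ", visible(magic_quotes_escape($raw, true, true)), "\n";
echo "both disabled : ", visible(magic_quotes_escape($raw, false)), "\n";

// The gpc form is reversible with stripslashes(); the sybase form is not,
// because '' is also a legitimate sequence in user text.
var_dump(stripslashes(magic_quotes_escape($raw)) === $raw);
var_dump(str_replace("''", "'", magic_quotes_escape("x''y", true, true)) === "x''y");
```

Run it with any PHP interpreter; it does not depend on the ini settings of the server because the escaping is emulated rather than read from $_POST.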

Magic Quotes – Are They Enabled?

First things first, you need to check to see if you have magic quotes enabled on your server. The get_magic_quotes_gpc function will return a 0 (off) or a 1 (on). These boolean values will fit nicely into an if statement where 1 is true and 0 is false.

  <?php
  // get_magic_quotes_gpc() reports whether magic_quotes_gpc is on for this request
  if (get_magic_quotes_gpc()) {
      echo "Magic quotes are enabled";
  } else {
      echo "Magic quotes are disabled";
  }
  ?>


If you received the message “Magic quotes are enabled” then you should definitely continue reading this lesson; if not, feel free to read on anyway in case you are developing for servers that might have magic quotes on or off.

Magic Quotes in Action

Now let's make a simple form processor to show how machines with magic quotes enabled will escape those potentially risky characters. This form submits to itself, so you only need to make one file, “magic-quotes.php”, to test it out.


<?php
// Before submission $_POST is empty; after submission show what arrived
if (!$_POST) {
    echo "hello please fill in some text ";
} else {
    echo "Altered Text: " . $_POST['question'];
}
?>
<form method='post'>
Question: <input type='text' name='question'/>
<input type='submit'>
</form>


This simple form will display to you what magic quotes is doing. If you were to enter and submit the string Hello visitor , “It’s a beautiful day outside and I like to use \’s.” you would receive the following output.

Altered Text: Hello visitor , \”It\’s a beautiful day outside and I like to use \\\’s.\”

Magic quotes did a number on that string, didn’t it? Notice that there is a backslash before all of those risky characters we talked about earlier. After magic quotes:

  • A backslash \ becomes \\
  • A quote ‘ becomes \’
  • A double-quote ” becomes \”

Now say that you wanted to remove the escaping that magic quotes puts in, you have two options: disable magic quotes or strip the backslashes magic quotes adds.

Removing Backslashes – stripslashes()

Before you use PHP’s backslash removal function stripslashes, it’s smart to add a magic quotes check like the one in our “Are They Enabled?” section above. This way you won’t accidentally remove legitimate backslashes if your server’s magic quotes setting changes later.

<?php
if (!$_POST) {
    echo "Please fill in some text";
} else {
    echo "Removed Slashes: ";
    if (get_magic_quotes_gpc()) {
        // Remove those slashes only when magic quotes added them
        echo stripslashes($_POST['question']);
    } else {
        echo $_POST['question'];
    }
}
?>
<form method='post'>
Question: <input type='text' name='question'/>
<input type='submit'>
</form>


Our new output for our string would contain risky characters …
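The snippet above strips one field in one script. What a practitioner usually wants is a single routine, run at the start of every request, that undoes magic quotes for all of $_GET, $_POST, $_COOKIE and $_REQUEST (keys as well as values, since magic_quotes_gpc escaped both), and that keeps working after the server is upgraded: the directive was removed in PHP 5.4 and get_magic_quotes_gpc() itself was removed in PHP 8.0. The example below is added here and is not code from the original post; it is written in PHP 5.3 syntax so it runs on both old and current interpreters, and it finishes with a prepared statement against an in-memory SQLite database (assumes the pdo_sqlite extension) to show the actual SQL injection defence that magic quotes was a poor substitute for. The request data is constructed in the script rather than read from a real form.

```php
<?php
// Version-safe undo of magic_quotes_gpc plus a parameterized query (added example).

// True only when the interpreter still has magic quotes and they are on.
// The PHP_VERSION_ID guard keeps the call off PHP 7.4, where it is deprecated;
// the function_exists guard covers PHP 8, where it no longer exists.
function magic_quotes_active()
{
    return PHP_VERSION_ID < 50400
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

// Recursively remove magic-quote backslashes from array keys and values.
function strip_magic_quotes_deep($data)
{
    if (!is_array($data)) {
        return is_string($data) ? stripslashes($data) : $data;
    }
    $clean = array();
    foreach ($data as $key => $value) {
        $clean[stripslashes($key)] = strip_magic_quotes_deep($value);
    }
    return $clean;
}

// Call once, early in the request, before any input is read.
// Returns true when the superglobals were rewritten, false when nothing was needed.
function normalize_request_input()
{
    if (!magic_quotes_active()) {
        return false;
    }
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
    return true;
}

// Store the text with a prepared statement: the driver sends the value
// separately from the SQL text, so the input needs no escaping at all.
function store_question(PDO $db, $question)
{
    $stmt = $db->prepare('INSERT INTO questions (body) VALUES (:body)');
    $stmt->execute(array(':body' => $question));
    return (int) $db->lastInsertId();
}

function fetch_question(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT body FROM questions WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetchColumn();
}

// --- Demonstration on constructed data (no real form, no ini change) ---
$raw = "Hello visitor , \"It's a beautiful day outside and I like to use \\'s.\"";

// What $_POST would contain on a magic_quotes_gpc server: addslashes() applies
// the same escaping the directive did, here also to a key containing a quote.
$as_received = array(
    'question' => addslashes($raw),
    addslashes("it's") => 'value',
);
$restored = strip_magic_quotes_deep($as_received);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, body TEXT)');

$id   = store_question($db, $restored['question']);
$back = fetch_question($db, $id);

echo "magic quotes active on this PHP: ", magic_quotes_active() ? 'yes' : 'no', "\n";
echo "as received : ", $as_received['question'], "\n";
echo "restored    : ", $restored['question'], "\n";
echo "round trip  : ", ($back === $raw && isset($restored["it's"])) ? 'ok' : 'MISMATCH', "\n";
```

In a real application you would call normalize_request_input() from a bootstrap file included by every script, and never call stripslashes() on request data anywhere else; stripping twice, or stripping on a server where magic quotes is off, silently deletes backslashes the user actually typed. The stored text is then passed to the database only through bound parameters, which is what makes the magic quotes escaping unnecessary in the first place.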

Read more on PHP.net
Read also : How to enable/disable magic_quotes in PHP



1. Mysql injection by example « Tournas Dimitrios - October 13, 2010

[…] . Please do not use this knowledge to harm other people !!! . Also read the article “Magic quotes” . At first lets recap the basics […]
