Do you want to read a string from a form and save it into a database? "Easy" you might say ... and indeed it is ... but if you just take the exact characters that were entered into the form and embed them in your SQL, you're laying yourself open to an injection attack. That's where a user enters a string that includes quotes, which are used as delimiters by SQL commands.
Early / more advanced / sophisticated users of PHP know of this risk and use the addslashes function before they place user inputs into SQL strings. But with huge growing popularity and use by beginners and more casual programmers, there was too much risk of PHP getting itself a bad name for insecure systems. So "Magic Quotes" were introduced. With Magic Quotes, the input arrays $_GET, $_POST, $_COOKIE and $_REQUEST are all encoded with extra \ characters in front of any user entered quote character ...thus making the input directly and safely transferreable into an SQL table - but at the expense of it appearing on the screen if the programmer prints it back out. See the example picture provided ....
For the sake of compatibility with existing code (and to appease the people who were quite happy to carefully add slashes all around), Magic Quotes were added to the list of configurable options in PHP and to this day it's probably one of the first things that I look at when I'm using a new host. Personally, I don't care which way it is set but I regret the
incompatibility it can cause as an application is moved between servers.
Want to make your application portable? You can - since you can check the setting of the magic_quotes_gpc variable from your script, and if it is set, use stripslashes to regularise your input. We've a demo showing how you can do this on a single input field
** Link ** and there's a further discussion and more examples at the PHP manual site
** Link **
(written 2005-08-22, updated 2008-05-17)
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H107 - String Handling in PHP [31] Here documents - (2004-08-28)
[54] PHP and natural sorting - (2004-09-19)
[337] the array returned by preg_match_all - (2005-06-06)
[463] Splitting the difference - (2005-10-13)
[493] Running a Perl script within a PHP page - (2005-11-12)
[558] Converting between acres and hectares - (2006-01-08)
[560] The fencepost problem - (2006-01-10)
[574] PHP - dividing a string up into pieces - (2006-01-23)
[589] Robust PHP user inputs - (2006-02-03)
[608] Don't expose your regular expressions - (2006-02-15)
[642] How similar are two words - (2006-03-11)
[716] Evaluating arithmetic expressions in configuration files - (2006-05-10)
[728] Looking ahead and behind in a Regular Expression - (2006-05-22)
[1008] Date conversion - PHP - (2006-12-26)
[1058] PHP Regular expression to extrtact link and text - (2007-01-31)
[1195] Regular Express Primer - (2007-05-20)
[1336] Ignore case in Regular Expression - (2007-09-08)
[1372] A taster PHP expression ... - (2007-09-30)
[1533] Short and sweet and sticky - PHP form input - (2008-02-06)
[1603] Do not SHOUT and do not whisper - (2008-04-06)
[1613] Regular expression for 6 digits OR 25 digits - (2008-04-16)
[1799] Regular Expressions in PHP - (2008-09-16)
[2046] Finding variations on a surname - (2009-02-17)
[2165] Making Regular Expressions easy to read and maintain - (2009-05-10)
[2238] Handling nasty characters - Perl, PHP, Python, Tcl, Lua - (2009-06-14)
[2629] Curly braces within double quoted strings in PHP - (2010-02-09)
[3020] Handling (expanding) tabs in PHP - (2010-10-29)
[3424] Divide 10000 by 17. Do you get 588.235294117647, 588.24 or 588? - Ruby and PHP - (2011-09-08)
[3515] PHP - moving from ereg to preg for regular expressions - (2011-11-11)
[3516] Regular Expression modifiers in PHP - summary table - (2011-11-12)
[3534] Learning to program in PHP - Regular Expression and Associative Array examples - (2011-12-01)
[3788] Getting more than a yes / no answer from a regular expression pattern match - (2012-06-30)
[3789] More than just matching with a regular expression in PHP - (2012-06-30)
[3790] Solution looking for a problem? Lookahead and Lookbehind - (2012-06-30)
[4071] Setting up strings in PHP - (2013-04-27)
[4072] Splitting the difference with PHP - (2013-04-27)
Some other Articles
Robust checking of data entered by usersCaching an XML feedHow not to run a forumA Victorian LadyPHP Magic QuotesDon't repeat code - use loops or functionsTowards TebayMost popular coursesDifference between import and from in PythonTelephone Preference Service - we're registered