PHP Magic Quotes

As far as building projects on or for WordPress is concerned, one of the things that we have to keep in mind is the minimum version of PHP required to run WordPress itself. And at the time of this writing, the minimum required version is 5.2.4.

Of course, if you know your project is going to run on a newer version of PHP, and you have control over that environment, then obviously you have the freedom to write code against that version; however, if you’re building something that’s going to be used across the board for any of the many hosting environments, then you’ve got to take that into consideration.

I mention this, because there have been a number of times when I’ve been working on a particular feature of a project, and I’ve had to reference the PHP manual to see if the given feature of the language is supported by the minimum current version.

Magic Quotes and Escaped Data

Case in point: Yesterday, I was having a discussion with a fellow developer about how to read a value stored in the $_GET collection – more on that in a minute – and one of the nuances that was causing issues was that of magic quotes.

In PHP, magic quotes are:

Magic Quotes is a process that automagically escapes incoming data to the PHP script. It’s preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

And you can control whether or not they are enabled via php.ini. For those who are curious, the values for which you’re looking are:

  • magic_quotes_gpc
  • magic_quotes_runtime
  • magic_quotes_sybase

But here’s the thing: As of PHP 5.4, magic quotes are no longer used. That is to say that they are removed. Personally, I think this is a good thing, but I digress on that for now.

What was the Problem?

So the problem that we were discussing had to do with how information in a search query was being stored in the $_GET collection. Specifically, the quotes were being escaped.

This means that if a person was to search for "foo bar" (that is, with the quotes included), then PHP would return \"foo bar\".

Now, this is exactly what magic quotes do – they automatically escape incoming data.


Although this may not always affect you, it can result in unintended consequences, especially if you’re used to sanitizing and validating your own data.

Now, given that the value sent via the search field is automagically escaped, this presents a problem if you want to do anything with the information after the request has completed. In this case, the solution is relatively simple: stripslashes works just fine.

But in other cases, you may have to use other functions or even regular expressions to parse the data properly.
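As an added example (not code from the original post), here is one way to normalize request data so the rest of a script sees the raw value whether or not magic_quotes_gpc is on, and then escape at the point of use as the manual recommends. The request URL and the `$pdo` connection are assumed for illustration.

```php
<?php
// Added example, not from the original post: undo magic-quote escaping once,
// up front, so application code works the same on PHP 5.2 with
// magic_quotes_gpc = On and on PHP 5.4+, where the feature no longer exists.

/**
 * Recursively strip the slashes that magic quotes added.
 * $_GET / $_POST / $_COOKIE may contain nested arrays (e.g. foo[]=a&foo[]=b),
 * so stripslashes() alone is not enough.
 */
function unescape_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('unescape_magic_quotes', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() returns false on PHP 5.4+ and was removed in PHP 8,
// so guard both the function's existence and its result. Without this check,
// calling stripslashes() unconditionally would eat legitimate backslashes
// the user actually typed.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = unescape_magic_quotes($_GET);
    $_POST   = unescape_magic_quotes($_POST);
    $_COOKIE = unescape_magic_quotes($_COOKIE);
}

// Constructed request for illustration: GET /?s=%22foo+bar%22
// (the visitor searched for "foo bar", quotes included).
// With magic quotes on, $_GET['s'] arrives as \"foo bar\"; after the block
// above it is "foo bar" under either configuration.
$search = isset($_GET['s']) ? $_GET['s'] : '';

// Escape at runtime, per output context, instead of relying on global
// escaping that may or may not have happened:
// HTML context: stop the quotes from breaking out of the markup.
echo '<p>You searched for: '
   . htmlspecialchars($search, ENT_QUOTES, 'UTF-8')
   . '</p>';

// SQL context: bind the value so quotes stay data, not query syntax.
// $pdo is assumed to be an existing PDO connection.
$stmt = $pdo->prepare('SELECT ID, post_title FROM wp_posts WHERE post_title LIKE ?');
$stmt->execute(array('%' . $search . '%'));
```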

Should Magic Quotes Be Disabled?

Personally, I dig that they are disabled in PHP 5.4 primarily because I think that automatically trying to handle data on behalf of the developer can be dangerous.

I understand and even appreciate the intent behind what the feature is trying to do; however, I think the unintended and unexpected results of doing so can yield odd problems that may end up making it more difficult for work to be done (or for work to be undone, depending on how you look at it).

Obviously, this is just my opinion, but magic quotes – especially as they relate to automatically escaping input – have been more of a negative than a positive, in my experience.

At any rate, if you end up seeing data that’s escaped coming from your $_GET or $_POST collections after a request, now you know – and you know how to handle it.


2 Comments

  1. Just to clarify (because this confused me). Magic quotes were removed in php 5.4 (by disabled I thought you meant, ‘disabled by default’).

    …because I think that automatically trying to handle data on behalf of the developer can be dangerous

    Could not agree more!

  2. Thanks for clarifying the point, Stephen – I’ll actually refine the sentence to be clearer :).
