PHP Magic-Quotes

Older versions of PHP include a feature called magic quotes. Magic quotes was created to protect newbie programmers from writing insecure form-processing code: it automatically escapes, with a backslash (\), the characters in submitted form data that are commonly used for SQL injection. The characters PHP escapes are the single quote ('), the double quote ("), the backslash (\) and NULL characters.

This newbie protection proved to cause more problems than it solved and is not in PHP 6.0. If your PHP version is any version before 6.0, use this lesson to learn how magic quotes can affect you.

Are Magic Quotes Enabled?

First we need to check whether magic quotes are enabled on your server. The get_magic_quotes_gpc function returns 0 (off) or 1 (on). These Boolean values fit nicely into an if statement, where 1 is true and 0 is false.

PHP Code:
<?php
// get_magic_quotes_gpc() reports whether magic quotes are applied to GET, POST and COOKIE data
if (get_magic_quotes_gpc())
	echo "Magic quotes are Enabled";
else
	echo "Magic quotes are Disabled";
?>

Next we make a simple form processor that shows how a machine with magic quotes enabled escapes those potentially risky characters. The form submits to itself, so you only need to create one file, "magic-quotes.php", to test it out.

<?php
// On the first visit nothing has been posted yet, so only echo when the field exists
if (isset($_POST['question']))
	echo "Altered Text: ".$_POST['question'];
?>

<form method='post'>
Question: <input type='text' name='question'/><br />
<input type='submit'>
</form>

This simple form shows you what magic quotes is doing. If you enter and submit the string: Jacob said, "It's a beautiful site i read this site \'s." you will receive the following output.

Output:

Altered Text: Jacob said, \"It\'s a beautiful site i read this site \\\'s.\"

The Magic quotes did a number on that string, didn't it? Notice that there is a backslash before all of those risky characters we talked about earlier. After magic quotes:

A backslash \ becomes \\
A quote ' becomes \'
A double-quote " becomes \"

If we want to remove the escaping that magic quotes puts in, we have two options:

  1. disable magic quotes
  2. strip the backslashes magic quotes adds.

Removing Backslashes - stripslashes()

Before you use PHP's backslash removal function, stripslashes, it is smart to add the magic quotes check from the "Are They Enabled?" section above. This way you won't accidentally remove legitimate slashes if your server's magic quotes setting changes in the future.

<?php
echo "Removed Slashes: ";
// Only strip slashes if magic quotes actually added them
if (isset($_POST['question'])) {
	if (get_magic_quotes_gpc())
		echo stripslashes($_POST['question']);
	else
		echo $_POST['question'];
}
?>

<form method='post'>
Question: <input type='text' name='question'/><br/>
<input type='submit'>
</form>
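The following script, added here as an example and not part of the original tutorial, simulates what magic quotes did to the sample string using addslashes(), shows that stripslashes() reverses it exactly, and wraps the version-safe check (get_magic_quotes_gpc() no longer exists on PHP 8) in a reusable helper that also handles array fields:

```php
<?php
// Added example (not from the original page): simulate magic quotes on the
// tutorial's sample input, then undo the escaping only when it was applied.

// Same string the tutorial submits through the form (constructed sample).
$raw = 'Jacob said, "It\'s a beautiful site i read this site \\\'s."';

// addslashes() escapes exactly the characters magic quotes escaped:
// single quote, double quote, backslash and NUL.
function simulate_magic_quotes($value) {
    return is_array($value)
        ? array_map('simulate_magic_quotes', $value)
        : addslashes($value);
}

// Report whether magic quotes are on. From PHP 5.4 the function always
// reports off, and on PHP 8 it is gone, so guard the call with function_exists().
function magic_quotes_on() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Strip the added backslashes only if magic quotes put them there; works
// recursively so array inputs such as name="answers[]" are handled too.
function unescape_if_needed($value) {
    if (!magic_quotes_on()) {
        return $value; // nothing was added, so strip nothing
    }
    return is_array($value)
        ? array_map('unescape_if_needed', $value)
        : stripslashes($value);
}

$escaped = simulate_magic_quotes($raw);
echo "Raw:      $raw\n";
echo "Escaped:  $escaped\n";   // same as the tutorial's "Altered Text" output
echo "Restored: " . stripslashes($escaped) . "\n";

// stripslashes() exactly reverses addslashes(), so the round trip is lossless.
var_dump(stripslashes($escaped) === $raw);

// Escaped or not, the value is still not safe to concatenate into SQL.
// Bind it as a parameter instead (PDO shown; $pdo is a placeholder connection).
// $stmt = $pdo->prepare('INSERT INTO answers (question) VALUES (?)');
// $stmt->execute([unescape_if_needed($_POST['question'])]);
```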