PHP Programming With MySQL Second Edition.doc

Because the data that a user submits to a PHP script might contain single or double quotes, you should also use escape sequences for any user data your script receives, especially before you write it to a text file, database, or other data source. Older versions of PHP include a feature called magic quotes, which automatically adds a backslash (\) to any single quote ('), double quote ("), or NULL character contained in data that a user submits to a PHP script.

By default, the magic_quotes_gpc directive is the only magic quote directive enabled in your php.ini configuration file when you install PHP. Magic quotes are unpopular with programmers because it's easy to forget that they are enabled. A better approach is to disable magic quotes in your php.ini configuration file and instead manually escape text strings with the addslashes() function. This function accepts a single argument representing the text string you want to escape and returns a string containing the escaped string. If you want to display an escaped text string that contains escape characters, you can use the stripslashes() function to remove the slashes that were added with the addslashes() function.

Magic quotes and their associated functions and directives are deprecated as of PHP 5.3.0 and are removed as of PHP 6.


APPENDIX D

If a script you are writing might be run on multiple Web servers and you cannot be sure whether magic quotes will be enabled, you can use the get_magic_quotes_gpc() function to determine whether magic quotes have been applied to data from the Web form already. The following example from the php.net Web site shows how to use the get_magic_quotes_gpc() function:


    // Magic quotes are off: the submitted value is still raw, so escape it here.
    if (!get_magic_quotes_gpc()) {
        $lastname = addslashes($_POST['lastname']);
    }
    // Magic quotes are on: PHP already added the backslashes, so do not escape twice.
    else {
        $lastname = $_POST['lastname'];
    }
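The following is an added example, not code from the book or from php.net. It generalizes the php.net snippet above into a helper that escapes a submitted value exactly once whether or not magic quotes were active, also walks nested form arrays (which magic quotes escaped as well), and shows the addslashes()/stripslashes() round trip on a constructed value standing in for $_POST. The function names escape_submitted(), unescape_for_display() and magic_quotes_active() are assumptions for this example; get_magic_quotes_gpc() is guarded because it no longer exists in PHP 8.

```php
<?php
// Added example (not from the book): escape submitted data exactly once,
// whether or not magic quotes were active when the request was parsed.
// Assumes only addslashes() and stripslashes(), which exist in every PHP
// version; get_magic_quotes_gpc() is checked with function_exists() because
// PHP 8 removed it.

function magic_quotes_active(): bool
{
    // PHP 5.4 to 7.4 keep the function but it always reports false;
    // PHP 8 drops it entirely, which is treated here as "not active".
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Escape a string, or every string inside a (possibly nested) array, once.
// If magic quotes already added the backslashes, return the value as-is
// so it is not escaped twice.
function escape_submitted($value)
{
    if (is_array($value)) {
        return array_map('escape_submitted', $value);
    }
    return magic_quotes_active() ? $value : addslashes((string) $value);
}

// Inverse of escape_submitted(), for displaying an escaped value.
function unescape_for_display($value)
{
    if (is_array($value)) {
        return array_map('unescape_for_display', $value);
    }
    return stripslashes((string) $value);
}

// Constructed sample input standing in for $_POST. It contains every
// character addslashes() handles: single quote, double quote, backslash
// and the NUL byte, plus a nested array as a multi-value form field.
$submitted = [
    'lastname' => "O'Brien \"Bud\" C:\\temp\0",
    'tags'     => ["it's", 'say "hi"'],
];

$escaped = escape_submitted($submitted);

// Round trip: stripping the slashes restores what the user actually typed.
var_dump(unescape_for_display($escaped) === $submitted);
```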

Disabling the register_globals Directive

Before PHP version 4.2.0, client, server, and environment information was automatically available as global variables that you could access directly in your scripts. For example, instead of using $_SERVER["SERVER_SOFTWARE"] to obtain information about your server software, you could simply use $SERVER_SOFTWARE. Similarly, a field named "email" in a submitted form could be accessed with $email instead of $_GET["email"]. However, making such information automatically available exposes security issues that an unscrupulous hacker can exploit. You can still use the old global variables by finding the register_globals directive in your php.ini configuration file and changing its value to "on." However, for your code to be secure, the PHP Group strongly recommends that you leave the register_globals directive turned off and instead use autoglobal arrays, such as $_GET and $_POST, to access client, server, and environment information in your scripts.

Reporting Errors
