#15: Enabling Magic Quotes

Magic Quotes is a handy utility used by server hosts to protect against SQL Injection Attacks (as shown in "#19: SQL Injection Attacks" on Recommended Security Configuration Options). The idea is that whenever a form passes a variable to a PHP script, Magic Quotes automatically escapes every single quote, double quote, and backslash with a backslash, turning "Ferrett's Book" into \"Ferrett\'s Book\".

If you're using MySQL, this isn't an ideal solution—you should use the MySQL-tailored mysql_real_escape_string() function instead—but in a pinch, Magic Quotes will do. Here's how to enable it in your php.ini file:

magic_quotes_gpc = 1
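The escaping that magic_quotes_gpc performs is the same transformation as PHP's addslashes(), and the most common failure mode is a script that escapes a second time on a host where the setting is already on. The script below is an added example, not code from Wicked Cool PHP: it reproduces the automatic layer with addslashes(), shows the double-escaping, and then normalises the input once based on the runtime setting. The sample value is constructed, and the helper names magic_quotes_escape and magic_quotes_undo are this example's own. Note that magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4, and get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists() guard.

```php
<?php
// Added example (not from the book). Simulates magic_quotes_gpc = 1 and the
// double-escaping pitfall, then shows a portable single-escape pattern.

// What magic_quotes_gpc does before the script runs: addslashes() on every
// GET, POST and COOKIE value, so ' " \ and NUL each get a leading backslash.
function magic_quotes_escape($value) {
    return is_array($value) ? array_map('magic_quotes_escape', $value) : addslashes($value);
}

// Undo that automatic layer so the script works with the raw value again.
function magic_quotes_undo($value) {
    return is_array($value) ? array_map('magic_quotes_undo', $value) : stripslashes($value);
}

$raw = "Ferrett's Book";            // constructed: what the user typed into the form
$gpc = magic_quotes_escape($raw);   // Ferrett\'s Book : what $_POST holds with Magic Quotes on

// Pitfall: code written for a host without Magic Quotes escapes again, so on a
// host with Magic Quotes on the value is escaped twice and the database stores
// Ferrett\'s Book (a literal backslash) instead of Ferrett's Book.
$doubled = addslashes($gpc);        // Ferrett\\\'s Book

// Portable pattern: detect the setting at runtime, strip the automatic layer
// only when it was applied, and escape exactly once in one place.
$magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
$input = $magic_on ? magic_quotes_undo($gpc) : $raw;   // raw value either way

// One deliberate escape right before the value enters SQL. On MySQL the book's
// advice applies: use mysql_real_escape_string() (mysqli_real_escape_string() on
// PHP 7 and later) with a live connection instead of addslashes().
$sql = "INSERT INTO books (title) VALUES ('" . addslashes($input) . "')";

echo "raw:      $raw\n";
echo "gpc:      $gpc\n";
echo "doubled:  $doubled\n";
echo "query:    $sql\n";   // INSERT INTO books (title) VALUES ('Ferrett\'s Book')
```

Run it from the command line with any PHP release; on PHP 5.3 or earlier the detection branch follows the php.ini setting, on anything newer $magic_on is always false. The reason the book steers MySQL users toward mysql_real_escape_string() is that addslashes() knows nothing about the connection's character set, so a backslash-based escape can be broken by multibyte encodings that the server-side function handles correctly.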

What Can Go Wrong?

If you don't have Magic Quotes turned on, you'll have to use the ...
