
PhpSecInfo Test Information

magic_quotes_gpc

Test Description

Determines if magic_quotes_gpc is enabled.

Security Implications

The magic quotes option was introduced to help protect developers from SQL injection attacks. It effectively executes addslashes() on all information received over GET, POST or COOKIE. Unfortunately this protection isn't perfect: there is a series of other characters that databases interpret as special which this function does not cover. In addition, data not sent directly to a database must be un-escaped before it can be used.

Recommendations

Because it's inconsistent and ineffective, it's not recommended that magic_quotes_gpc be enabled. Rely on input filtering done by your scripts.

You can disable magic_quotes_gpc in the php.ini file:

; Disable magic_quotes_gpc
magic_quotes_gpc = Off

The setting can also be disabled in Apache's httpd.conf file, or in an .htaccess file:

# Disable magic_quotes_gpc
php_flag  magic_quotes_gpc  off
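The following script is an added example, not code from PhpSecInfo or the PHP Security Consortium. It shows the two points made above in working code: undoing magic quotes so a script sees the data the client actually sent, and then escaping per destination (bound query parameters for SQL, explicit wildcard escaping for LIKE, htmlspecialchars() for HTML) instead of relying on addslashes(). It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database with a constructed `users` table; the function names `undo_magic_quotes`, `find_user` and `find_users_by_prefix` are the example's own. get_magic_quotes_gpc() always returns false from PHP 5.4 onward and no longer exists in PHP 8, hence the function_exists() guard.

```php
<?php
// Added example (not part of PhpSecInfo). Assumes pdo_sqlite is available.

// Recursively remove the slashes magic_quotes_gpc added, so the script works
// with the raw values the client sent. This is the "un-escape before use" step
// the test description refers to for data that does not go to a database.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Only strip if the runtime actually applied magic quotes. The function was
// removed in PHP 8, so guard the call.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Exact match: the value is bound as a parameter, so the driver keeps data and
// SQL separate. Quotes, backslashes and any other characters stay literal.
function find_user(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// LIKE is one of the cases addslashes() does not cover: % and _ are pattern
// characters, not quote characters. Escape them explicitly with a declared
// ESCAPE character ('!' works in both MySQL and SQLite) and still bind the value.
function find_users_by_prefix(PDO $db, $prefix)
{
    $escaped = addcslashes($prefix, '%_!');
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data, using an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (?)');
foreach (["O'Brien", "Smith", "100% Cotton"] as $name) {
    $insert->execute([$name]);
}

// A value as magic_quotes_gpc would have delivered it (constructed), restored
// to its original form before use.
$fromRequest = undo_magic_quotes("O\\'Brien");

print_r(find_user($db, $fromRequest));           // exact match, apostrophe intact
print_r(find_users_by_prefix($db, '100%'));      // '%' in input is data, not a wildcard
print_r(find_users_by_prefix($db, 'Sm'));        // prefix search still works

// A non-database destination needs its own escaping, applied at output time.
echo htmlspecialchars($fromRequest, ENT_QUOTES, 'UTF-8'), "\n";
```

The first two print_r() calls each return one row; the '100%' lookup matches only "100% Cotton" because the wildcard in the input was escaped, and the htmlspecialchars() line shows the apostrophe encoded for HTML rather than backslash-escaped.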
