Magic quotes and MySQL real escape string

I’ve used PHP for years but have only recently become aware of what magic quotes is and does and also that once PHP 6 arrives to our hosters we will no longer be able to use it. Can I please check that I understand it correctly?

  1. With magic quotes on you don’t need to escape anything as it’s done automatically on all GET, POST and COOKIE data.

  2. With magic quotes off you should escape everything before performing a database query. You should use a database-specific function if possible (mysql_real_escape_string) but if not addslashes will do.

So I have a question (a few actually):

  1. With no magic quotes, how do we handle the reading and writing of text files?

  2. When do you think most hosters will install PHP 6?

  3. Are you going to charge your clients to make all your sites PHP 6-friendly?

Thanks in advance.

Magic quotes was a mistake, much like register globals. You can read about what, why, how etc here

1, No, different data needs to be escaped differently, one of the main reasons to remove it.

2, Yes. Rather than real_escape I’d recommend you look at prepared statements - if you need to refactor.

PHP5 won’t go away any time soon, and you can always host your own PHP5 server if needed.


Just to clarify, though: if magic quotes is on and you’re using a GET or POST variable in a MySQL query, you don’t need addslashes or mysql_real_escape_string?

If magic quotes is on, then you should disable it, as per this example. Then you can addslashes (bad idea), or real_escape_string (better) as you need.

The “real” on mysql_real_escape_string is there for a reason.

Edit, to actually answer your question: you can’t use those functions if magic_quotes is on; they will escape the escaped data and you will end up with strings like 'can\\\'t' instead of 'can\'t'. Essentially magic quotes just runs everything through addslashes, which is too basic a function to use generically.

Well, I’m the wiser now, thank you very much. I’m just making a list of all the sites I’ll need to change.

Thanks again.

or use PREPARE statements (best).

mysql_real_escape_string() is completely unnecessary once you start using the more modern ways of coding the SQL that keeps the SQL and the data completely separate.

see post #2 :slight_smile:
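The double-escaping problem and the prepared-statement advice from the replies above, as an added example that is not part of the original thread. Assumptions: `addslashes()` stands in for magic quotes (as one reply describes it), an in-memory SQLite database via PDO stands in for MySQL so the script runs offline, and the sample string and the `notes` table are constructed.

```php
<?php
// Added example, not code from the thread. All sample values are constructed.
$raw = "O'Reilly can't";

// Simulate magic quotes: every GET/POST/COOKIE value was passed through addslashes().
$magic = addslashes($raw);

// Escaping again on top of magic quotes escapes the backslashes that were just added.
$double = addslashes($magic);

// With magic quotes on, strip that layer first so the application holds the raw value.
$clean = stripslashes($magic);

// Assumption: SQLite in memory replaces MySQL here; the PDO calls are the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, label TEXT, body TEXT)');

// Prepared statement: the SQL text is fixed and the data is bound separately,
// so no escaping function is applied to the value at all.
$insert = $db->prepare('INSERT INTO notes (label, body) VALUES (:label, :body)');
$samples = [
    'raw, bound as a parameter'       => $clean,
    'magic quotes left in place'      => $magic,
    'magic quotes + manual escaping'  => $double,
];
foreach ($samples as $label => $body) {
    $insert->execute([':label' => $label, ':body' => $body]);
}

// Read the rows back: only the first one matches what the user typed.
$select = $db->query('SELECT label, body FROM notes ORDER BY id');
foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
    $status = ($row['body'] === $raw) ? 'intact' : 'corrupted';
    printf("%-32s %-10s %s\n", $row['label'], $status, $row['body']);
}

// Different output context, different escaping: HTML needs htmlspecialchars(),
// which is why one blanket addslashes() on all input was the wrong tool.
echo htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), "\n";
```

Because bound parameters are stored byte for byte, any slashes left over from magic quotes end up in the database as data, which is why the stripping step has to happen before the query rather than after.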