Magic Quotes In PHP

The Symptoms
Recently I was trying to debug a piece of code it worked fine in the development and staging environments. But when the code was uploaded to the production server it would break! Looking at the JSON data it appeared the production web server was adding back slashes to the data in the JSON string, breaking the string.

The Cause
When PHP magic quotes are in use on a server,  quotes, backslashes and NULL characters are escaped automatically. The feature was originally added to PHP in an attempt to minimise the the threat from bad form input by automatically escaping form data that could be used for possible SQL injection.

Over time this feature started to cause issues in scenarios like the one above and it was decided it should be scrapped. As of PHP 5.3.0 is deprecated and the feature removed all together with the release of PHP 5.4.0.

The Solution
Find the magic_quotes_gpc in the server’s php.ini file and set this to off and update any code that needs this feature enabled to function. The production server this problem arose on, originally had an install of OS Commerce installed which I believe is how the setting got enabled in the first place in the case mentioned earlier.

More Reading:
Magic Quotes on PHP.net

Leave a Reply

Your email address will not be published. Required fields are marked *