Magic quotes in PHP

In PHP, “magic quotes” is a feature that automatically escapes certain characters in user-submitted data with backslashes. It was introduced in PHP 3 as a way to help prevent cross-site scripting (XSS) attacks and SQL injection attacks by automatically escaping special characters that are often used in such attacks.

Here is an example of how magic quotes works:

// Request: greet.php?name=O'Reilly

// Without magic quotes
echo $_GET['name']; // Outputs: O'Reilly

// With magic quotes (magic_quotes_gpc = On)
echo $_GET['name']; // Outputs: O\'Reilly

As you can see, with magic quotes enabled, PHP inserts a backslash before the single quote in the submitted value before the script ever sees it. Without magic quotes, the value arrives exactly as the user sent it. Magic quotes has no effect on how PHP parses string literals: a variable inside single quotes is never interpolated, whether the setting is on or off.

Magic quotes was deprecated in PHP 5.3 and removed in PHP 5.4. It is no longer recommended to use magic quotes, as it is considered to be a poor solution to the problem of input validation and sanitization. Instead, it is recommended to use more modern and effective methods such as prepared statements and input sanitization functions.
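The following added example (not code from the original page) shows why blanket backslash escaping is a poor substitute for prepared statements. It assumes the pdo_sqlite extension is available; addslashes() stands in for magic quotes, since it applies the same escaping, and the table name and sample input are constructed for illustration.

```php
<?php
// Constructed sample input: a legitimate name containing a single quote.
$submitted = "O'Reilly";

// In-memory SQLite database with a hypothetical table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT)');

// 1. Magic-quotes style: backslash-escape the value, then build the SQL
//    statement by string concatenation.
$escaped = addslashes($submitted);
try {
    $db->exec("INSERT INTO authors (name) VALUES ('$escaped')");
    echo "Concatenated insert succeeded\n";
} catch (PDOException $e) {
    // SQLite escapes a quote by doubling it, not with a backslash, so the
    // quote in the value still terminates the string literal and the
    // statement is malformed. Escaping that ignores the target database
    // cannot be relied on.
    echo "Concatenated insert failed: ", $e->getMessage(), "\n";
}

// 2. Prepared statement: the value is bound as data and never becomes
//    part of the SQL text, so no escaping is needed at all.
$stmt = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
$stmt->execute([':name' => $submitted]);

$stored = $db->query('SELECT name FROM authors')->fetchColumn();
echo "Stored value matches input: ";
var_dump($stored === $submitted);

// 3. Escape for the output context at the moment of output, instead of
//    altering the data on the way in.
echo 'Hello, ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```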
