Home/ Questions/Q 6111545
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T14:38:34+00:00

My server admin recently upgraded to PHP 5.3 and I’m getting a weird bug

  • 0

My server admin recently upgraded to PHP 5.3 and I’m getting a weird “bug” (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.

<?php

echo $_GET["escaped"];

?>

<form method="get">
    <input type="text" name="escaped" />
</form>

This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of GET.

Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?

Also, should I just leave it as is (in the event that it is indeed a good fail proof mechanism that correctly catches all get and post variables), or should I disable it (if that’s even possible!) and go back to mysql_real_escape_string? My guts tell me approach 2 would be best, but approach 1 would be somewhat automagical. 🙂

EDIT: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don’t want him/her to have slashes appearing out of nowhere.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This “feature” is known as magic_quotes_gpc and does not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignores the actual input/database encoding). It is therefore deprecated and should not be used.

    The official php manual includes a neat way to undo it in php code, but you should just turn it off.

    • 0