
Magic Quotes — What They Were and Why Removed

Language: PHP · Applies from: PHP 3.0+ · Level: Beginner
DEBT score: d5/e7/b3/t7
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list rector and semgrep — both specialist static analysis tools — as the automated detection mechanism. Code patterns like stripslashes($_POST) and get_magic_quotes_gpc() can be flagged by semgrep rules, but a default linter won't catch them and the compiler won't complain, so d5 is the right anchor.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix describes a bootstrap shim plus systematic replacement of all parameterised queries — that is explicitly a cross-cutting change. The common_mistakes reinforce that removing magic quotes without auditing every stripslashes() call and every database interaction is dangerous, meaning the fix necessarily spans multiple files and layers of the application.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to scope is web-only and the feature was removed at PHP 5.4, so any living codebase either never had it or has already migrated. The burden is therefore historical: legacy codebases pay a localised remediation tax (auditing stripslashes calls, adding parameterised queries), but new code is completely unaffected and the choice doesn't shape the ongoing system architecture.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field is explicit: developers believed magic quotes prevented SQL injection, but they did not. This contradicts how a security-escaping mechanism is expected to behave — it gave false confidence while remaining bypassable, and the 'obvious' migration step (just remove magic quotes) actively corrupts stored data. The common_mistakes confirm the trap is both security-critical and data-destructive, warranting t7.


Also Known As

magic_quotes_gpc, magic_quotes_runtime

TL;DR

Magic quotes automatically escaped incoming data with addslashes() in PHP 3/4/5 — removed in PHP 5.4 because it caused more problems than it solved and gave developers false SQL injection protection.

Explanation

Magic quotes (magic_quotes_gpc) automatically ran addslashes() on all GET, POST, and COOKIE data. The intent was to prevent SQL injection, but the implementation was flawed: it escaped everything whether or not it reached a database, double-escaped already-escaped data, and gave false confidence. PHP 5.3 deprecated it, PHP 5.4 removed it. Code from this era often calls stripslashes() to undo the escaping — a reliable signal you are reading legacy PHP 3/4/5 code.

Common Misconception

Magic quotes prevented SQL injection — they did not; prepared statements are the only reliable defence, and magic quotes gave developers false confidence.

Why It Matters

Legacy codebases still contain stripslashes() calls that assume magic quotes were active — removing them without auditing the code will corrupt stored data.

Common Mistakes

  • Removing magic_quotes_gpc emulation without adding prepared statements
  • Forgetting stripslashes() calls exist to undo magic quotes
  • Assuming PHP 7+ apps inherited the escaping behaviour

Code Examples

✗ Vulnerable

// PHP 4/5 with magic_quotes_gpc=On:
$name = $_GET['name']; // "O\'Brien" — auto-escaped by the runtime, not by this code
mysql_query("SELECT * FROM users WHERE name='$name'"); // still string interpolation; safety depends entirely on an ini setting

✓ Fixed

// Modern PHP — explicit PDO parameterisation:
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
$stmt->execute([$_GET['name'] ?? '']); // the value is bound, never interpolated into SQL
$users = $stmt->fetchAll();
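The Common Mistakes and Quick Fix sections describe the migration order: give legacy code a known input state first, then retire every stripslashes() call and raw query. The bootstrap shim below is an added example (not the glossary's own code) that does exactly that in PHP 5.4-compatible syntax; the constant `LEGACY_EXPECTS_MAGIC_QUOTES`, the helper names `gpc_walk`, `raw_input` and `find_user`, and the `users` table are assumptions for illustration.

```php
<?php
// Added example, not code from the glossary. Require this file once at
// bootstrap, before any legacy code reads $_GET/$_POST/$_COOKIE/$_REQUEST.
// LEGACY_EXPECTS_MAGIC_QUOTES is a hypothetical per-application constant:
// true while stripslashes() calls still exist, false once they are gone.

// Recursively apply $fn to every string leaf of a nested GPC array.
function gpc_walk(array $data, callable $fn)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? gpc_walk($value, $fn) : $fn((string) $value);
    }
    return $data;
}

$gpcGlobals = array('_GET', '_POST', '_COOKIE', '_REQUEST');

// Step 1: on a runtime that still has magic quotes on (PHP < 5.4), undo them,
// so the shim always starts from the raw user input. The function_exists()
// guard keeps this file loadable on PHP 8, where the function no longer exists.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    foreach ($gpcGlobals as $global) {
        $GLOBALS[$global] = gpc_walk($GLOBALS[$global], 'stripslashes');
    }
}

// Step 2: emulate magic quotes only while legacy code still expects them.
// This keeps existing stripslashes() calls correct instead of corrupting data.
if (defined('LEGACY_EXPECTS_MAGIC_QUOTES') && LEGACY_EXPECTS_MAGIC_QUOTES) {
    foreach ($gpcGlobals as $global) {
        $GLOBALS[$global] = gpc_walk($GLOBALS[$global], 'addslashes');
    }
}

// Step 3: migrated code reads input through this helper, so it gets the raw
// value whether or not emulation is currently switched on.
function raw_input($source, $key, $default = '')
{
    $bag = isset($GLOBALS['_' . strtoupper($source)]) ? $GLOBALS['_' . strtoupper($source)] : array();
    if (!isset($bag[$key]) || is_array($bag[$key])) {
        return $default;
    }
    $value = (string) $bag[$key];
    return (defined('LEGACY_EXPECTS_MAGIC_QUOTES') && LEGACY_EXPECTS_MAGIC_QUOTES)
        ? stripslashes($value)
        : $value;
}

// The migration target: a parameterised query that binds the raw value.
function find_user(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in a migrated handler (hypothetical $pdo connection):
// $users = find_user($pdo, raw_input('get', 'name'));
```

Once every stripslashes() call and every interpolated query has been replaced with raw_input() plus a prepared statement, set LEGACY_EXPECTS_MAGIC_QUOTES to false; Step 2 then becomes a no-op and the shim can be deleted.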

Added 22 Mar 2026 · Edited 13 Jun 2026
DEV INTEL: Tools & Severity

Severity: High
Fix effort: High

Quick Fix
If migrating from PHP 5.3 to 5.4+, add a magic quotes emulation shim at bootstrap, then systematically replace it with parameterised queries.

Applies To
PHP 3.0+, web

Detection Hints
stripslashes($_POST); get_magic_quotes_gpc(); magic_quotes_gpc in php.ini; addslashes() on user input
Auto-detectable: Yes (rector, semgrep)

AI Agent
Confidence: High · False Positives: Low · Manual fix required · Fix effort: High · Context: File · Tests: Update

CWE-116 (Improper Encoding or Escaping of Output)
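The Detection Hints above are the patterns rector and semgrep rules look for. As an added example (not the glossary's code and not a rector or semgrep rule), the script below is a lightweight stand-in that walks a source tree and reports every line matching those hints, so an audit can be started before a proper static-analysis rule set is in place. It assumes PHP 7.1+ on the command line and a hypothetical invocation of `php audit_magic_quotes.php /path/to/app`; it only reports and never edits files.

```php
<?php
// Added example, not the glossary's or any tool's code.
// Each regex maps to the human-readable reason a hit needs review.
$patterns = [
    '/\bstripslashes\s*\(\s*\$_(GET|POST|COOKIE|REQUEST)\b/' => 'stripslashes() on raw input: assumes magic quotes were on',
    '/\b(get|set)_magic_quotes_(gpc|runtime)\s*\(/'         => 'magic-quotes API call (deprecated/removed in modern PHP)',
    '/\baddslashes\s*\(\s*\$_(GET|POST|COOKIE|REQUEST)\b/'   => 'addslashes() on user input: not SQL injection protection',
    '/^\s*magic_quotes_(gpc|runtime)\s*=/'                   => 'magic_quotes_* directive in ini-style config',
    '/\bphp_(flag|value)\s+magic_quotes_(gpc|runtime)\b/'    => 'magic_quotes_* directive in .htaccess',
];
// File types worth scanning: PHP source plus the config files that can set the directive.
$extensions = ['php', 'inc', 'phtml', 'ini', 'htaccess'];

// Walk $root and return [path, line number, hint, line text] for every match.
function audit_tree($root, array $patterns, array $extensions)
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        // pathinfo() treats ".htaccess" as having the extension "htaccess".
        $ext = strtolower($file->getExtension());
        if (!in_array($ext, $extensions, true)) {
            continue;
        }
        $lines = file($file->getPathname());
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $i => $line) {
            foreach ($patterns as $regex => $hint) {
                if (preg_match($regex, $line)) {
                    $hits[] = [$file->getPathname(), $i + 1, $hint, trim($line)];
                }
            }
        }
    }
    return $hits;
}

$root = isset($argv[1]) ? $argv[1] : '.';
$hits = audit_tree($root, $patterns, $extensions);
foreach ($hits as [$path, $lineNo, $hint, $text]) {
    printf("%s:%d: %s\n    %s\n", $path, $lineNo, $hint, $text);
}
// Non-zero exit when anything was found, so the scan can gate a CI job.
exit($hits ? 1 : 0);
```

Every hit is a line to review by hand, not a confirmed bug: a stripslashes() call may be legitimate, but each one is a place where removing magic quotes emulation without auditing would corrupt data, which is exactly the mistake the Common Mistakes list warns about.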