
Magic Quotes — What They Were and Why Removed

php PHP 3.0+ Beginner

Also Known As

magic_quotes_gpc, magic_quotes_runtime

TL;DR

Magic quotes automatically escaped incoming data with addslashes() in PHP 3/4/5 — removed in PHP 5.4 because it caused more problems than it solved and gave developers false SQL injection protection.

Explanation

Magic quotes (magic_quotes_gpc) automatically ran addslashes() on all GET, POST, and COOKIE data before a script saw it. The intent was to prevent SQL injection, but the implementation was flawed: it escaped everything whether or not it reached a database, double-escaped data that code had already escaped, and gave false confidence. It was deprecated in PHP 5.3 and removed in PHP 5.4. Code from this era often calls stripslashes() to undo the escaping — a reliable signal that you are reading legacy PHP 3/4/5 code.

Common Misconception

Magic quotes prevented SQL injection — they did not; prepared statements are the only reliable defence, and magic quotes gave developers false confidence.

Why It Matters

Legacy codebases still contain stripslashes() calls that assume magic quotes were active — removing them without auditing the code will corrupt stored data.

Common Mistakes

  • Removing magic_quotes_gpc emulation without adding prepared statements
  • Forgetting stripslashes() calls exist to undo magic quotes
  • Assuming PHP 7+ apps inherited the escaping behaviour

Code Examples

✗ Vulnerable

```php
// PHP 4/5 with magic_quotes_gpc=On:
$name = $_GET['name']; // "O\'Brien" — auto-escaped by magic quotes, not by this code
// Relies entirely on the ini setting; with it off (PHP 5.4+) the raw string is
// interpolated into the query unescaped.
mysql_query("SELECT * FROM users WHERE name='$name'");
```

✓ Fixed

```php
// Modern PHP — explicit PDO parameterisation:
// $pdo is an existing PDO connection; the value is bound, never interpolated.
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
$stmt->execute([$_GET['name'] ?? '']);
$users = $stmt->fetchAll();
```

Added 22 Mar 2026
Edited 23 Mar 2026
Tools & Severity

Severity: High. Fix effort: High.

Quick Fix

If migrating from PHP 5.3 to 5.4+, add a magic quotes emulation shim at bootstrap, then systematically replace it with parameterised queries.
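As an added illustration (not code from the glossary page or any named project), this is a bootstrap shim of the kind the Quick Fix describes: it undoes magic_quotes_gpc only where the setting is genuinely active, so application code sees raw input on every PHP version and escapes solely through bound parameters. It is written in PHP 5.3-compatible syntax so it can run on the pre-migration version; `$pdo` is assumed to be an already-configured PDO connection.

```php
<?php
// Added example, not from the glossary page. Bootstrap shim: strip the escaping
// that magic_quotes_gpc applied, so the application never handles pre-escaped data.

/**
 * Recursively undo addslashes() on string values and keys. magic_quotes_gpc
 * applied addslashes() to nested arrays and to array keys, not just to scalars.
 */
function strip_magic_quotes_deep($value)
{
    if (!is_array($value)) {
        return is_string($value) ? stripslashes($value) : $value;
    }
    $clean = array();
    foreach ($value as $k => $v) {
        $clean[is_string($k) ? stripslashes($k) : $k] = strip_magic_quotes_deep($v);
    }
    return $clean;
}

/**
 * True only on PHP < 5.4 with magic_quotes_gpc=On. get_magic_quotes_gpc() always
 * returns false from 5.4 onward and was removed in PHP 8, hence the existence
 * check; the @ silences the PHP 7.4 deprecation notice.
 */
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Run once at bootstrap. Strip only when magic quotes really are on: calling
// stripslashes() unconditionally would corrupt legitimate backslashes in input.
if (magic_quotes_active()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

// Request data is now the raw client input regardless of PHP version. Escaping
// happens only at the SQL boundary, via bound parameters, never via addslashes().
function find_users_by_name(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// $pdo is assumed to exist; isset() is used instead of ?? for PHP 5.3 compatibility.
$users = find_users_by_name($pdo, isset($_GET['name']) ? $_GET['name'] : '');
```

Once every query goes through find_users_by_name()-style parameterisation, the shim can be deleted together with any remaining stripslashes() calls.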
Applies To

PHP 3.0+ (web)

Detection Hints

  • stripslashes($_POST)
  • get_magic_quotes_gpc()
  • magic_quotes_gpc in php.ini
  • addslashes() on user input

Auto-detectable: Yes (rector, semgrep)

CWE-116 (Improper Encoding or Escaping of Output)
