{
    "slug": "php4_magic_quotes",
    "term": "Magic Quotes — What They Were and Why Removed",
    "category": "php",
    "difficulty": "beginner",
    "short": "Magic quotes automatically escaped incoming data with addslashes() in PHP 3/4/5 — removed in PHP 5.4 because it caused more problems than it solved and gave developers false SQL injection protection.",
    "long": "Magic quotes (magic_quotes_gpc) automatically ran addslashes() on all GET, POST, and COOKIE data. The intent was to prevent SQL injection, but the implementation was flawed: it escaped everything whether or not it reached a database, double-escaped already-escaped data, and gave false confidence. addslashes() is also not aware of the target database or the connection character set, and it does nothing for values placed in a query outside quotes, so the escaping was never a reliable defence. PHP 5.3 deprecated it, PHP 5.4 removed it. Code from this era often calls stripslashes() to undo the escaping — a reliable signal you are reading legacy PHP 3/4/5 code.",
    "aliases": [
        "magic_quotes_gpc",
        "magic_quotes_runtime"
    ],
    "tags": [
        "legacy",
        "php4",
        "php5",
        "security-history"
    ],
    "misconception": "Magic quotes prevented SQL injection — they did not; prepared statements are the only reliable defence, and magic quotes gave developers false confidence.",
    "why_it_matters": "Legacy codebases still contain stripslashes() calls that assume magic quotes were active — removing them without auditing the code will corrupt stored data.",
    "common_mistakes": [
        "Removing magic_quotes_gpc emulation without adding prepared statements",
        "Forgetting stripslashes() calls exist to undo magic quotes",
        "Assuming PHP 7+ apps inherited the escaping behaviour"
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "sql_injection",
        "prepared_statement",
        "type_juggling"
    ],
    "prerequisites": [
        "sql_injection",
        "prepared_statement"
    ],
    "refs": [
        "https://www.php.net/manual/en/security.magicquotes.php"
    ],
    "bad_code": "// PHP 4/5 with magic_quotes_gpc=On:\n$name = $_GET['name']; // \"O\\'Brien\" — auto-escaped\nmysql_query(\"SELECT * FROM users WHERE name='$name'\");",
    "good_code": "// Modern PHP — explicit PDO parameterisation:\n$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');\n$stmt->execute([$_GET['name'] ?? '']);\n$users = $stmt->fetchAll();",
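    "quick_fix": "If migrating from PHP 5.3 to 5.4+, add a temporary magic quotes emulation shim at bootstrap, then systematically replace it with parameterised queries and remove the shim; the shim only preserves the old behaviour during migration and is not SQL injection protection",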
    "severity": "high",
    "effort": "high",
    "created": "2026-03-22",
    "updated": "2026-03-23",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/php4_magic_quotes",
        "html_url": "https://codeclaritylab.com/glossary/php4_magic_quotes",
        "json_url": "https://codeclaritylab.com/glossary/php4_magic_quotes.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Magic Quotes — What They Were and Why Removed](https://codeclaritylab.com/glossary/php4_magic_quotes) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/php4_magic_quotes"
            }
        }
    }
}