Work around magic quotes, or just make sure they're off?


Is it worth changing my code to be "more portable" and able to deal with the horror of magic quotes, or should I just make sure that it's always off via a .htaccess file?

if (get_magic_quotes_gpc()) {
    $var = stripslashes($_POST['var']);
} else {
    $var = $_POST['var'];
}

Versus

php_flag magic_quotes_gpc off

Solution

  • Don't accommodate both situations. Two code paths = twice the headaches, plus there's a good chance you'll slip up and forget to handle both situations somewhere.

    I used to check if magic quotes were on or off, and if they were on, undo their magic (as others in the thread have suggested). The problem with this is, you're changing the configured environment (no matter how stupid) that another programmer may expect.

    These days I write code as though magic quotes are off, and in my main include/bootstrap/always-runs file I check if magic quotes are on or off. If they're on I throw an Exception that explains why this is a bad thing, and provide instructions on how they can be turned off.

    This approach allows you to code to a single behavior, encourages other folks using your code to configure their servers correctly (magic quotes is going away in PHP 6), and if someone really needs magic quotes on they can handle your exception and take their lives into their own hands.
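
One way to write the bootstrap check described in the answer above. This is an added example, not the answerer's code: the exception class and both function names are hypothetical, and it also checks `magic_quotes_runtime` and `magic_quotes_sybase`, which goes beyond the `magic_quotes_gpc` case discussed on the page. It reads the settings with `ini_get()` rather than `get_magic_quotes_gpc()`, because that function was removed in PHP 8.0.

```php
<?php
// Added example, not code from the original answer. The class and function
// names below are hypothetical.
class MagicQuotesEnabledException extends RuntimeException {}

// Returns the names of the magic-quotes directives that are switched on.
// $read defaults to ini_get(); it is injectable so the failure path can be
// exercised on PHP versions where the directives no longer exist.
function enabledMagicQuotes($read = 'ini_get')
{
    $on = array();
    foreach (array('magic_quotes_gpc', 'magic_quotes_runtime', 'magic_quotes_sybase') as $name) {
        // ini_get() returns false for a directive the running PHP does not
        // know, "1" for an enabled flag, and "" or "0" for a disabled one.
        if (filter_var(call_user_func($read, $name), FILTER_VALIDATE_BOOLEAN)) {
            $on[] = $name;
        }
    }
    return $on;
}

// Call once from the always-included bootstrap file, before any input is read.
function assertMagicQuotesOff($read = 'ini_get')
{
    $on = enabledMagicQuotes($read);
    if ($on) {
        throw new MagicQuotesEnabledException(
            'Refusing to run with ' . implode(', ', $on) . ' enabled: request '
            . 'data is altered before the application sees it. Turn each one '
            . 'off in php.ini (for example "magic_quotes_gpc = Off") or, under '
            . 'Apache mod_php, with "php_flag magic_quotes_gpc off" in .htaccess.'
        );
    }
}

assertMagicQuotesOff(); // real configuration: passes silently on PHP >= 5.4

// Constructed legacy configuration, to show the failure path.
$legacy = function ($name) {
    return $name === 'magic_quotes_gpc' ? '1' : '0';
};
try {
    assertMagicQuotesOff($legacy);
} catch (MagicQuotesEnabledException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```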