Is using get_magic_quotes_gpc with stripslashes a bad practice for compatibility?

Viewed 585 times

3

The magic_quotes_gpc setting has been obsolete since PHP 5.3 and was removed in PHP 5.4, but it can still be enabled in 5.3. I know it is unlikely that a production server has such a configuration, but the doubt here is more of a case study.

I used to use something like:

<?php
// Undo the escaping that magic_quotes_gpc applied to request data,
// walking nested arrays so multidimensional input is handled too.
function recursiveStripSlashes(&$data)
{
    if (empty($data)) {
        return $data;
    } elseif (is_array($data)) {
        foreach ($data as $key => &$value) {
            $data[$key] = recursiveStripSlashes($value);
        }
    } elseif (is_string($data)) {
        // stripslashes() is the inverse of addslashes(), which is what magic quotes did
        $data = stripslashes($data);
    }

    return $data;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    recursiveStripSlashes($_POST);
    recursiveStripSlashes($_GET);
    recursiveStripSlashes($_COOKIE);
    recursiveStripSlashes($_REQUEST);
}

I know it seems unlikely to find servers still on PHP 5.3, but there are cases like this. I think maybe the preference is to guide the user of the script to disable it; maybe it is better to just throw an Exception? Something like:

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    throw new Exception('Desabilite o magic_quotes no php.ini');
}

1 answer

3


The preferable option is to somehow inform the person who is using the script that there is a configuration problem; the reason is performance.

Imagine that the script is receiving a lot of data via $_POST (even multidimensional). If you run stripslashes over every level of $_POST and there is a lot of data, this can make the script take longer to process and, in some cases, considerably increase memory consumption.

The Exception example is one option, or even a custom message; however, the important thing is to always turn off magic_quotes_gpc and, if possible, upgrade PHP.

What is magic_quotes_gpc?

Warning This feature has become OBSOLETE since PHP 5.3.0 and has been REMOVED since PHP 5.4.0.

When enabled, a backslash is automatically placed before any ' (single quote), " (double quote), \ (backslash) and NULL (' becomes \'). This is identical to what the function addslashes() does.

Why we used magic_quotes_gpc

The feature helped some beginners build better code in an attempt to be safer. But when dealing with code that relies on this feature, it is better to update the code than to activate Magic Quotes. So why does this exist? It was meant to help prevent SQL injection. Today's developers are more aware of security and end up using database-specific escaping mechanisms and/or prepared statements rather than depending on things like Magic Quotes, for example:

Here are some tips on how to work with MySQL:

Why we should not use magic_quotes_gpc

  • Portability: whether magic_quotes_gpc is on or off affects the portability of the code. For example, in new versions of PHP, from 5.4 on, even setting magic_quotes_gpc in php.ini will not let you use it, because it has been removed.

  • Performance: when enabled it escapes all data from GET, POST, COOKIE and REQUEST, and this can be somewhat costly for the server depending on the amount of data that, for example, the POST carries, and also in the case of multidimensional arrays (which are supported by GET and by POST).

  • It is inconvenient: not every place where we use the data needs it to be escaped, and this can cause problems, forcing you to make excessive use of stripslashes.

Disabling

If you are using PHP 5.4+ you do not have to worry about disabling it, because it has already been removed. However, if you cannot upgrade your server yet, you will have to edit php.ini and set the following flags like this:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc=Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime=Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase=Off

Documentation

  • Believe it or not, Disable Magic Quotes GPC; do not believe that developers are aware of security :P. magic_quotes_gpc and Register globals are two totally dubious features. +1

  • @rray It really is a dubious feature. I do not know if he edited the question, but there he asks to "disable" it; if Joomla asks to disable it, it is likely that they already work with some security?
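Putting the answer's recommendation into code, as an added example (not code from the question, the answer or any project mentioned above): a bootstrap check that refuses to run while magic_quotes_gpc is enabled, instead of stripping slashes on every request, followed by a demonstration of the "inconvenient" point from the list. It assumes PDO with the SQLite driver is available; the input strings are constructed for the example.

```php
<?php
// Added example, not code from the question or the answer.
// (1) Detect magic_quotes_gpc portably and fail loudly at bootstrap.
// (2) Show why pre-escaped input is a correctness problem once the code
//     already uses prepared statements: the parameter is stored verbatim,
//     backslashes included, so the data is corrupted rather than protected.

function magicQuotesEnabled()
{
    // get_magic_quotes_gpc() exists up to PHP 7.4 (removed in 8.0) and
    // always returns 0 from 5.4 on, where the feature no longer exists.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return true;
    }
    // On 5.3 ini_get() reports the configured value ("1" when on, "" or "0"
    // when off); on 5.4+ the directive is unknown and ini_get() returns false.
    $value = ini_get('magic_quotes_gpc');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

function assertSaneRequestHandling()
{
    if (magicQuotesEnabled()) {
        // Tell the operator what to fix rather than silently working around it.
        throw new RuntimeException(
            'magic_quotes_gpc is enabled. Set magic_quotes_gpc=Off in php.ini '
            . '(or upgrade to PHP 5.4+) before running this application.'
        );
    }
}

// Insert $name through a bound parameter and read the exact bytes back.
// The database never interprets the parameter as SQL, so whatever escaping
// magic quotes already applied is stored as literal characters.
function storeAndFetch(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute(array(':name' => $name));
    $id = $pdo->lastInsertId();

    $read = $pdo->prepare('SELECT name FROM users WHERE rowid = :id');
    $read->execute(array(':id' => $id));
    return $read->fetchColumn();
}

try {
    assertSaneRequestHandling();
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

// Constructed sample input. With magic_quotes_gpc on, $_POST['name'] would
// have arrived already looking like $mangled, because the feature applied
// the equivalent of addslashes() to every request value.
$raw     = "O'Reilly \"quoted\" C:\\path";
$mangled = addslashes($raw);

echo "raw input          : $raw\n";
echo "stored (clean)     : " . storeAndFetch($pdo, $raw) . "\n";
echo "stored (magic on)  : " . storeAndFetch($pdo, $mangled) . "\n";
```

The third line of output keeps the extra backslashes, which is exactly the double-escaping the answer warns about: once queries are parameterised there is nothing left for magic quotes to protect, and the only way to get the data right is to make sure the feature is off before the request is processed.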
