The preferable option is to somehow inform the person using the script that there is a configuration problem; the reason is performance.
Imagine that the script is receiving a lot of data via $_POST (even multidimensional): if you use stripslashes on each array level in $_POST and there is a lot of data, this may make the script take time to process and, in some cases, considerably increase memory consumption.
The Exception example can be an output, or even a custom message; the important thing, however, is to always turn off magic_quotes_gpc and, if possible, upgrade PHP.
What is magic_quotes_gpc
Warning
This feature has become OBSOLETE since PHP 5.3.0 and has been REMOVED since PHP 5.4.0.
When on, every ' (single quote), " (double quote), \ (backslash) and NULL character automatically has a backslash placed before it (' becomes \'). This is identical to what the function addslashes() does.
Why we used magic_quotes_gpc
The feature helped some beginners build better code in an attempt to be safer. But when dealing with code that relies on this feature, it is better to update the code than to turn Magic Quotes on. So why did it exist? It was there to help prevent SQL injection. Today's developers are more aware of security and end up using database-specific escaping mechanisms and/or prepared statements rather than depending on things like Magic Quotes, for example:
Here are some tips on how to work with mysql:
Why we should not use magic_quotes_gpc
Portability: whether magic_quotes_gpc is on or off may affect the portability of the code. For example, in new versions of PHP, from 5.4 onward, even if you set magic_quotes_gpc in php.ini you won't be able to use it because it has been removed.
Performance: when on, it escapes all data from GET, POST, COOKIE and REQUEST, and this can be a little costly to the server depending on the amount of data that, for example, the POST carries, and also in the case of multidimensional arrays (which are supported by GET and by POST).
Inconvenience: not all places where we use the data need it to be escaped, and this can cause some problems; it will force you to make excessive use of stripslashes.
Disabling
If you are using PHP 5.4+ you do not have to worry about disabling it because it has already been removed. However, if you cannot upgrade your server yet, you will have to edit php.ini and set the following flags like this:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc=Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime=Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase=Off
Documentation
Believe it or not, Disable Magic Quotes GPC, do not believe that developers are aware of security :P. magic_quotes_gpc and Register globals are two totally dubious features. + 1
– rray
@rray It really is a dubious feature. I do not know if he edited the question, but there he asks to "disable"; if Joomla asks to disable it, it is likely that it already works with some security?
– Guilherme Nascimento
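The fail-fast check recommended in the answer above, followed by a prepared statement, as an added example that is not part of the original post. The helper names, the sample input and the in-memory SQLite table are assumptions; the code avoids PHP 5.4+ syntax so that it still parses on the old versions where the check matters.

```php
<?php
// Added example: report the configuration problem once at startup instead of
// running stripslashes() over every level of $_POST on each request.

// Hypothetical helper: names of the magic-quotes directives that are still on.
function enabledMagicQuotes()
{
    if (PHP_VERSION_ID >= 50400) {
        return array(); // the directives were removed in PHP 5.4.0
    }
    $enabled = array();
    $names = array('magic_quotes_gpc', 'magic_quotes_runtime', 'magic_quotes_sybase');
    foreach ($names as $name) {
        // ini_get() may return "1" or the literal word used in the ini file.
        $value = strtolower((string) ini_get($name));
        if (in_array($value, array('1', 'on', 'true', 'yes'), true)) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

// Hypothetical helper: stop with a message the server operator can act on.
function assertMagicQuotesDisabled()
{
    $enabled = enabledMagicQuotes();
    if ($enabled) {
        throw new RuntimeException(
            'Configuration problem: set ' . implode(', ', $enabled) . ' to Off in php.ini'
        );
    }
}

assertMagicQuotesDisabled();

// Input is now known to be raw, so quoting is left to the database driver.
// Constructed sample value; assumes the pdo_sqlite extension is available.
$name = "O'Reilly \"Bob\" \\ test";
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $name));

// Compare what was stored with what was sent, byte for byte.
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === $name);
```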