Reputation: 5525
I always get a \ (backslash) in any variable I pass through mysql_real_escape_string. For example:
$string = mysql_real_escape_string($_GET['string']);
echo $string; //result : here\'s the text
After doing some research on Google, I found some people saying that this backslash is caused by a server setting that has magic_quotes_gpc turned on, which I have too. I see it in my phpinfo(): magic_quotes_gpc = ON
My question is: is it really safe to turn off this magic_quotes_gpc?
Because I'm using mysql_real_escape_string to prevent MySQL injection, I'm afraid that turning magic_quotes_gpc off will make my server "less powerful".
Upvotes: 0
Views: 1165
Reputation: 14212
It sounds to me like you need to have some fairly basic tuition on these subjects. You've clearly been reading up on the internet and following examples, but without actually understanding why the examples are doing what they're doing, or how they work. Copying examples without understanding them is not a good thing.
So at the core you need some deeper understanding of the topics, which is probably too much for a site like this to provide (SO is more about helping people solve specific problems than teaching them whole subjects, though you will learn a lot from browsing the site).
However, I will address some of your points:
Magic Quotes is an obsolete PHP feature; in fact, it's been removed entirely from the most recent versions of PHP. Disabling it will not make your server "less powerful", or anything of the sort. In fact, it is recommended not to use it.
All the functions beginning with mysql_ have also been deprecated and are not recommended any more. The newer alternatives are the mysqli_xxx() functions or the PDO library. If you're following tutorials using the old functions, you should find a newer tutorial.
The mysql_real_escape_string() function (and the mysqli/PDO equivalents) is intended to add a slash to your string where it finds quote characters or other characters that would cause a SQL statement to be invalid. Finding a slash in your string after running this function is perfectly normal and correct. This is called "escaping" the string (hence the name of the function). The "escaped" version of the string should only be used in the context of building a SQL query.
Upvotes: 2
Reputation: 75645
As long as your code takes care of properly escaping certain strings (e.g. by calling mysql_real_escape_string() etc.) you can disable this feature in php.ini. In fact you shall always ensure your running environment is set to the parameters you need, by either tuning php.ini or using .htaccess to set them up for a particular vhost.
Relying on all these magic_... things is broken from the start, because once it is turned off you basically have a problem. Usually unnoticed, unless you get hacked.
Upvotes: 1
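One way to make the environment deterministic, as the answer above recommends, is shown below. This is an added example, not code from the answer: the configuration lines are the real php.ini / mod_php directives (the directive only exists in PHP before 5.4), and the runtime fallback is a hypothetical helper for hosts you cannot reconfigure.

```php
<?php
// Added example, not from the original post. Goal: the rest of the
// application should always see raw request data and escape it itself,
// exactly once, regardless of the server's magic_quotes_gpc setting.
//
// Preferred fix (PHP < 5.4; the directive was removed in 5.4):
//   php.ini    ->  magic_quotes_gpc = Off
//   .htaccess  ->  php_flag magic_quotes_gpc Off   (mod_php, per vhost/directory)
//
// Fallback when the configuration is out of your hands: undo the
// automatic backslashes once, at the very start of the request.

/** Recursively strip the backslashes that magic quotes added (hypothetical helper). */
function strip_magic_quotes_deep($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes_deep', $value)
        : stripslashes($value);
}

// get_magic_quotes_gpc() is deprecated in 7.4 and gone in 8.0, so guard the call.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

// From here on $_GET['string'] is the text the client actually sent,
// and a single call to the escaping function (or, better, a prepared
// statement) is all the code needs to do.
```

Run this once from a bootstrap file that every entry point includes; applying it twice would strip backslashes that the user genuinely typed.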
Reputation: 22029
What is it that you're expecting mysql_real_escape_string to do?
It is escaping the string, so here\'s the text is the expected output. This is nothing to do with magic quotes, which would already have escaped the string, giving you here\\'s the text as the result after calling mysql_real_escape_string.
Of course, as was already mentioned in comments, you shouldn't be using the MySQL_* family of methods within PHP anymore as they are deprecated. Consider using MySQLi or PDO instead, along with prepared statements.
Upvotes: 0
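The three points made across the answers (a single backslash is the correct result of escaping, magic quotes on top of that double-escapes, and prepared statements avoid the whole issue) can be seen side by side in the following added example. It is not code from any of the answers; the DSN, credentials, table name and column name are placeholders, and addslashes() stands in for mysql_real_escape_string() only so the first two parts run without a database connection (for this input the two produce the same output).

```php
<?php
// Added example, not from the original answers.
// Part 1 and 2 need no database; part 3 needs a reachable MySQL server
// with the placeholder credentials replaced.

$raw = "here's the text";

// (1) Escaping once. The apostrophe gets a backslash so MySQL reads it as
// a literal character instead of the end of the string literal. A single
// backslash in the result is exactly what escaping is supposed to produce.
$escaped_once = addslashes($raw);              // here\'s the text
$sql_escaped  = "SELECT id, body FROM notes WHERE body = '$escaped_once'";

// (2) Double escaping. With magic_quotes_gpc on, $_GET['string'] already
// arrives as here\'s the text; escaping that again escapes both the
// backslash and the quote.
$as_received   = addslashes($raw);             // what magic quotes hands you
$escaped_twice = addslashes($as_received);     // here\\\'s the text
// MySQL decodes that literal back to  here\'s the text  and stores it, so
// every save adds another backslash to the stored value.

// (3) Prepared statements. The value travels separately from the SQL
// text, so there is nothing to escape and nothing to double-escape.
// Placeholders: host, database, user, password, table and column.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);

$input = isset($_GET['string']) ? $_GET['string'] : $raw;

$stmt = $pdo->prepare('SELECT id, body FROM notes WHERE body = :body');
$stmt->execute([':body' => $input]);            // $input is sent as data, never as SQL
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// If this server still has magic quotes on, $input carries the extra
// backslash and part 3 will simply look up a value with a backslash in it;
// the query is still safe, just wrong, which is why the setting should be
// off (or undone) before any of this code runs.
```

With ATTR_EMULATE_PREPARES disabled, PDO sends the statement and the parameter to the server separately, so no client-side escaping function is involved at all; the mysqli equivalent is prepare() followed by bind_param().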