Please be adviced, that if you downgrade from PHP 5.4 (in my case cpanel & whm) your magic_quotes are turned on, as the php.ini after downgrade had magic_quotes_gpc = Off, magic_quotes_runtime = Off and magic_quotes_sybase = Off all commented out as it is in PHP 5.4.
If you have Scripts that don't check if it is off or on you will have double escaped database entries.
- O que são Magic Quotes
- Porque nós usamos Magic Quotes
- Por que não usar Magic Quotes?
- Desabilitando Magic Quotes
Esta funcionalidade tornou-se OBSOLETA desde o PHP 5.3.0. Confiar nesta funcionalidade é altamente não recomendado.
Magic Quotes é um processo de inserção automática de caracteres de escape (\) em todos os dados indo para o script PHP. É preferível escrever código com essa opção desligada e adicionar esses caracteres manualmente quando necessário.
The very reason magic quotes are deprecated is that a one-size-fits-all approach to escaping/quoting is wrongheaded and downright dangerous. Different types of content have different special chars and different ways of escaping them, and what works in one tends to have side effects elsewhere. Any sample code, here or anywhere else, that pretends to work like magic quotes --or does a similar conversion for HTML, SQL, or anything else for that matter -- is similarly wrongheaded and similarly dangerous.
Magic quotes are not for security. They never have been. It's a convenience thing -- they exist so a PHP noob can fumble along and eventually write some mysql queries that kinda work, without having to learn about escaping/quoting data properly. They prevent a few accidental syntax errors, as is their job. But they won't stop a malicious and semi-knowledgeable attacker from trashing the PHP noob's database. And that poor noob may never even know how or why his database is now gone, because magic quotes (or his spiffy "i'm gonna escape everything" function) gave him a false sense of security. He never had to learn how to really handle untrusted input.
Data should be escaped where you need it escaped, and for the domain in which it will be used. (mysql_real_escape_string -- NOT addslashes! -- for MySQL (and that's only unless you have a clue and use prepared statements), htmlentities or htmlspecialchars for HTML, etc.) Anything else is doomed to failure.