
magic_quotes_gpc

Status
Not open for further replies.

timgerr

IS-IT--Management
Jan 22, 2004
364
US
I am building a calendar application, and while installing the software it says that magic quotes are off. I have been reading about magic quotes and some people say turn them on and others say turn them off. What is your opinion? Should I turn them on or off and why?

Thanks,
Timgerr

-How important does a person have to be before they are considered assassinated instead of just murdered?
-Need more cow bell!!!

 
turn them off. and make sure that magic_quotes_runtime is turned off too.

why?

+ php is a portable platform and that is its strength. If you write code that requires a particular directive to be set in php.ini then you reduce that portability.
+ these automagic functions remove 'control' from the developer. ideally you, as a developer, will control all output and input from your application.
+ you may want to do form validation in your scripts. for example you might want to ensure that a select box has returned one of the permitted values. Let's say that value is O'Byrne. if you check for O'Byrne then you'll get a false return because php will present the variable as O\'Byrne with magic_quotes turned on.
+ Although magic quotes may be handy for mysql, it is distinctly not useful for many other databases (sybase, sqlite etc). If using another database you will have to unescape the magic_quotes and redo them.
+ Even with mysql, the preferred route is now to use mysql_real_escape_string() rather than the slash approach of magic_quotes as this takes into account the character set of the underlying database.
+ The PHP manual itself says: "It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed."
+ It further says that the magic quotes feature is deprecated and will be removed as of php6.

in short - i can't think of a single good reason ever to use magic_quotes.
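
Added example, not part of the original reply: it reproduces the O'Byrne validation failure and the SQLite storage problem described above, using `addslashes()` to stand in for what magic_quotes_gpc applied to request data. It assumes a PHP build with the pdo_sqlite extension; the function names, the `people` table and the sample input are constructed for illustration, and bound parameters are used here as the escape-at-runtime step instead of mysql_real_escape_string().

```php
<?php
// Added example. addslashes() stands in for what magic_quotes_gpc did to
// every GET/POST/COOKIE value; the sample input below is constructed.

function simulate_magic_quotes(string $raw): string
{
    // Prefixes single quote, double quote, backslash and NUL with a backslash.
    return addslashes($raw);
}

function is_permitted(string $value, array $allowed): bool
{
    // Strict whitelist check, as for a select box with fixed options.
    return in_array($value, $allowed, true);
}

function store_and_read(PDO $db, string $value): string
{
    // Bound parameter: the driver does the quoting this database needs.
    $db->prepare('INSERT INTO people (surname) VALUES (?)')->execute([$value]);
    return $db->query('SELECT surname FROM people ORDER BY id DESC LIMIT 1')
              ->fetchColumn();
}

$allowed = ["O'Byrne", 'Smith'];           // permitted select-box values
$raw     = "O'Byrne";                      // what the browser sent
$quoted  = simulate_magic_quotes($raw);    // what the script sees with magic quotes on

// The raw value passes the whitelist; the magic-quoted copy does not,
// because it now carries a backslash before the apostrophe.
var_dump(is_permitted($raw, $allowed));
var_dump(is_permitted($quoted, $allowed));

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, surname TEXT)');

// With correct escaping at the database layer, the raw value round-trips
// unchanged, while the magic-quoted value is stored with its backslash as data.
echo store_and_read($db, $raw), "\n";
echo store_and_read($db, $quoted), "\n";

// Undoing the slashes before validating or binding restores the raw value.
var_dump(stripslashes($quoted) === $raw);
```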
 