Home | MySQL Russian Manual | MySQL Manual | Apache HTTP Server Rus Documentation | Apache HTTP Server Documentation | downloads | faq

search for in the  Language: Russian

Disabling Magic Quotes


This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.

The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.

Example #1 Disabling magic quotes server side

An example that sets the value of these directives to Off in php.ini. For additional details, read the manual section titled How to change configuration settings.

; Magic quotes

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

If access to the server configuration is unavailable, use of .htaccess is also an option. For example:

php_flag magic_quotes_gpc Off

In the interest of writing portable code (code that works in any environment), like if setting at the server level is not possible, here's an example to disable magic_quotes_gpc at runtime. This method is inefficient so it's preferred to instead set the appropriate directives elsewhere.

Example #2 Disabling magic quotes at runtime

if (get_magic_quotes_gpc()) {
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list(
$key$val) = each($process)) {
        foreach (
$val as $k => $v) {
            if (
is_array($v)) {
$process[$key][stripslashes($k)] = $v;
$process[] = &$process[$key][stripslashes($k)];
            } else {
$process[$key][stripslashes($k)] = stripslashes($v);

User Contributed Notes
Disabling Magic Quotes
metala at metala dot org
21-Jun-2009 10:38
I have recently found out that magic quotes affects not only the values of the GPC arrays, but also the keys.

For now, my way to solve with the problem is:

if (get_magic_quotes_gpc()) {
magicQuotes_awStripslashes(&$value, $key) {$value = stripslashes($value);}
$gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
array_walk_recursive($gpc, 'magicQuotes_awStripslashes');

Unfortunately it doesn't fix the keys... and cannot determinate if the slashes are already stripped.
booboogotu at gmail dot com
17-Jun-2009 10:46
A php5 way:

if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
array_walk_recursive($_GET, 'stripslashes_gpc');
array_walk_recursive($_POST, 'stripslashes_gpc');
array_walk_recursive($_COOKIE, 'stripslashes_gpc');
array_walk_recursive($_REQUEST, 'stripslashes_gpc');
stuart at horuskol dot co dot uk
25-Apr-2008 08:26
I have discovered that my host doesn't like either of the following directives in the .htaccess file:

php_flag magic_quotes_gpc Off
php_value magic_quotes_gpc Off

However, there is another way to disable this setting even if you don't have access to the server configuration - you can put a php.ini file in the directory where your scripts are with the directive:

magic_quotes_gpc = Off

However, these does not propogate unlike  .htaccess rules, so if you launch from a sub-directory, you need the php.ini file in each directory you have as script entry points.
17-Dec-2006 08:20
PHP's magic quotes function has the strange behavior of not adding slashes to top level keys in GPC key/value pairs but adding the slashes in deeper level keys. To demonstrate, a URI of:

array("a'b" => array("c\'d" => "e\'f"))

The current example for removing magic quotes does not do anything to keys, so after running stripslashes_deep, you would end up with:
array("a'b" => array("c\'d" => "e'f"))

Which, needless to say, is wrong. As if you had magic quotes off, it would have been:
array("a'b" => array("c'd" => "e'f"))

I have written a snippet of code compatible with PHP 4.0.0 and above that handles this correctly:

if (get_magic_quotes_gpc()) {
    function undoMagicQuotes($array, $topLevel=true) {
        $newArray = array();
        foreach($array as $key => $value) {
            if (!$topLevel) {
                $key = stripslashes($key);
            if (is_array($value)) {
                $newArray[$key] = undoMagicQuotes($value, false);
            else {
                $newArray[$key] = stripslashes($value);
        return $newArray;
    $_GET = undoMagicQuotes($_GET);
    $_POST = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
    $_REQUEST = undoMagicQuotes($_REQUEST);
25-Nov-2006 03:10
If php_flag magic_quotes_gpc off does not work
Use php_value magic_quotes_gpc off
insteadin your .htaccess file
08-Sep-2006 06:44
The function parse_str() (http://us3.php.net/manual/en/function.parse-str.php) is also affected by magic_quotes_gpc, so if that function is called anywhere, stripslashes_deep won't be sufficient by itself.
20-Aug-2006 12:18
The function stripslashes_deep() ignores slashes in the keys

For example a query string like this: ?foo'bar=baz'bal

Output of var_dump($_GET) is:

array(1) {
  string(8) "baz\'bal"

after stripslashes_deep():

array(1) {
  string(7) "baz'bal"

If you want the keys to be stripslashed too, you have to unset() the addslahed key and to add a stripslashed version. But keep in mind that this will change the order of the array.

credits | contact