PHP magic quotes

Nov 24, 2010 · Follow on Twitter and Mastodon php

About a year ago, I had problems when sending data to a php page, using AJAX. To be able to unpack the data, I had to use stripslashes. Since it seemed to work, I was happy…until the world exploded.

I then developed a new web site for a company about a month ago, and just noticed that when posting HTML via AJAX in production, all line feeds turns into u000a:

Magic quotes

This only happened on their production server, not anywhere else. Then, yesterday, it started appeared on one of my production servers as well.

I first didn’t understand what happened, but realized that it must have something to do with the server’s php version or configuration. I had a chat with a friend and came up with the solution.

Magic quotes.

The purpose of magic quotes is to protect web sites from script injections, but since it didn’t work all that well, the feature is now deprecated. What it does is wrapping everything in escape slashes, which is why I had to use stripslashes when sending data with AJAX.

However, when magic quotes are disabled, stripping slashes will instead destroy the escaped line break, which gives the result that can be seen in the image above.

So, I am now disabling magic quotes for all sites, using this .htaccess line:

php_flag magic_quotes_gpc off

Thanks Mattias Sundberg! It works like a charm!

Discussions & More

Please share any ideas, feedback or comments you may have in the Disqus section below, or by replying on Twitter or Mastodon..

If you found this text interesting, make sure to follow me on Twitter and Mastodon for more content like this, and to be notified when new content is published.

If you like & want to support my work, please consider sponsoring me on GitHub Sponsors.