Yes, it’s more of the famous ‘what do I do about magic_quotes’ questions.
Anyways, here we go:
I’ve been a PHP developer for about a year now, and have grown to detest
magic_quotes for numerous reasons. So, in my applications now I simply use
.htaccess to turn magic_quotes_gpc off and I escape as needed from there.
My problem however has become what to do for FULLY portable applications.
I’m currently writing an XML-based PHP application that will be using a
MySQL backend, and going by my logic that I normally use (turning magic
quotes off via htaccess) I might run into some problems. Basically, this
application needs to be able to move to ANY hosting provider with very
So I thought “Hmm, ok, well I’ll just run a ‘get_magic_quotes_gpc()’ check
and escape where magic quotes are off. This shouldn’t cause a problem with
my own code because I’ve turned magic_quotes off anyways.
Problem is the ‘get_magic_quotes_gpc()’ function doesn’t seem able to pickup
the htaccess directive that turns them off, so it is always reported on.
This basically traps me into not being able to check if they’re on or off,
or simply counting on them for my own application and leaving them on (I
have no access to the .ini to turn them off at all).
Worse yet, on the other side – if I go with my .htaccess and just always
turn them off like I have been doing, this will come back to bite me if we
have to put this application on an IIS server where turning them off is not
an option. From what I understand, there’s no way to turn them off at
Any ideas on the best way to handle this?