If I turn off magic_quotes in an environment where I did not write the code, how can I check if any problems may occur? What do I have to check for? Which functions may not work any more?
magic_quotes off - can code break?
Asked by shredding
On
Unfortunately, I don't think there's an easy answer. You'll want to check for any place where you're working directly with user input. If the code is simple enough, you can search for uses of $_GET and $_POST, but without at least a scanning code review, you're unlikely to find everything that way.
One thing I've had break a lot when I turn it off is SQL insert/update queries someone had written that contained request parameters they had not properly escaped.
On
Magic quotes affects incoming data strings. Any place you use $_GET or $_POST or variables of that nature can be affected.
Basically, any place you accept data from the user.
Note: More importantly, you should look through all of your SQL queries and make sure that any input strings are escaped! Otherwise your code will be vulnerable to SQL injection.
When magic_quotes is turned on, Magic Quotes automatically performs an addslashes() on all form data submitted. It means that a [\] is placed before every ['], ["], [\], or null in the data, so "That's nice" will be converted to "That\'s nice" automatically. This all happens before your coding even sees that data, so if you're just passing a string to the next page (not to a database) it will print with slashes even though you may not want them at all.
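The answers above suggest searching for $_GET and $_POST and reviewing every SQL query. The script below is an added example, not code from any of the posters, that does a first pass over a PHP tree. The function names and the three patterns are assumptions chosen for illustration; get_magic_quotes_gpc(), get_magic_quotes_runtime(), set_magic_quotes_runtime() and stripslashes() are the PHP functions that code written for magic quotes typically calls.

```shell
#!/bin/sh
# Added example: static triage of a PHP tree before turning magic quotes off.
# All patterns are single-line heuristics; they narrow a code review and do
# not replace it (multi-line queries and renamed variables are not caught).

# 1. Request data that magic quotes used to pass through addslashes().
PAT_INPUT='\$_(GET|POST|COOKIE|REQUEST)'
# 2. Code that tests for magic quotes or strips the slashes they added.
PAT_DEPENDS='(get_magic_quotes_gpc|get_magic_quotes_runtime|set_magic_quotes_runtime|stripslashes)[[:space:]]*\('
# 3. SQL statements with request data concatenated in on the same line.
PAT_SQL='(SELECT|INSERT|UPDATE|DELETE|REPLACE)[[:space:]].*\$_(GET|POST|COOKIE|REQUEST)'

# scan PATTERN DIR: print file:line:text for every match in *.php files.
# grep exits 1 when nothing matches; treat that as success, keep real errors.
scan() {
    grep -rnEi --include='*.php' -e "$1" "$2" 2>/dev/null || [ "$?" -eq 1 ]
}

# count PATTERN DIR: number of matching lines.
count() {
    scan "$1" "$2" | wc -l | tr -d ' '
}

# audit_magic_quotes DIR: grouped report, highest-risk group last.
audit_magic_quotes() {
    dir=$1
    echo "== request input read directly: $(count "$PAT_INPUT" "$dir") line(s)"
    scan "$PAT_INPUT" "$dir"
    echo "== assumes or undoes magic quotes: $(count "$PAT_DEPENDS" "$dir") line(s)"
    scan "$PAT_DEPENDS" "$dir"
    echo "== SQL built from request input: $(count "$PAT_SQL" "$dir") line(s)"
    scan "$PAT_SQL" "$dir"
}

# Run as: sh audit.sh /path/to/php/code
if [ "$#" -gt 0 ]; then
    audit_magic_quotes "$1"
fi
```

Lines in the last group are the ones that relied on the automatic escaping to keep the query intact; they need explicit escaping or parameterized queries before the setting is changed.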