Magic Quotes
The magic quotes setting (magic_quotes_gpc) was meant to make it easy to drop user input straight into a database query. When it is on, all GET, POST, and COOKIE data arrives already escaped with backslashes, exactly as addslashes() would do it.
Of course, the problem comes in when you don’t want to put that data into a database. Perhaps you want to display it back to the user or place it in an email or file. Then you need to remove the slashes and escape it properly for its true destination.
That is the point to remember: when you send data out, it must be escaped for its destination. Put another way: escape output. Magic quotes escapes the input and assumes the destination. Consider it a hack that was useful at the time, but we can do better.
Input is to be filtered and validated, not escaped. So turn off magic quotes in your development environment if you haven’t already (magic_quotes_gpc = Off in php.ini) and take some time to test all your old code. Some of it may break, typically anything that relied on the slashes already being there before building a query. Find out now, because in the future you won’t have a choice: magic quotes is slated for removal (it was deprecated in PHP 5.3 and dropped in PHP 5.4, rather than in the long-planned 6.0), and emulating it at the start of every file is not the way to go.
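To show what "escape output, validate input" looks like in practice, here is an added example that is not part of the original post. It takes one constructed piece of user input and routes it to four different destinations, escaping for each one only at the point of output. The one-time stripslashes() pass at the top is the legacy cleanup for hosts that still have magic_quotes_gpc on; it runs once at the front controller rather than being emulated in every file. The in-memory SQLite database and the sample $_POST values are assumptions so the script runs offline; the mail() call is left commented out for the same reason.

```php
<?php
// Added example (not from the original post): one input, four destinations,
// each escaped for that destination and nothing else.
// Assumes PHP >= 5.3 with pdo_sqlite; sample input below is constructed.

// Constructed sample input, as it would arrive in $_POST with magic quotes OFF.
$_POST['name']  = "O'Brien <script>alert(1)</script>";
$_POST['email'] = "obrien@example.com";

// 1. Legacy cleanup: if an old host still has magic_quotes_gpc on, undo it ONCE
//    here so the rest of the code always sees raw input. On PHP >= 5.4 the
//    function no longer reports true, so this block is a no-op there.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $strip = function ($v) use (&$strip) {
        return is_array($v) ? array_map($strip, $v) : stripslashes($v);
    };
    $_GET    = array_map($strip, $_GET);
    $_POST   = array_map($strip, $_POST);
    $_COOKIE = array_map($strip, $_COOKIE);
}

// 2. Filter and validate input: decide what is acceptable, reject the rest.
//    No escaping happens here, because we do not yet know where the data goes.
$name = isset($_POST['name']) ? trim($_POST['name']) : '';
if ($name === '' || strlen($name) > 100) {
    die("Invalid name\n");
}
$email = filter_var(isset($_POST['email']) ? $_POST['email'] : '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    die("Invalid e-mail address\n");
}

// 3a. Destination: database. A bound parameter lets the driver handle the
//     quote in "O'Brien"; with magic quotes on, this row would have been
//     stored as O\'Brien because the slashes were added for a destination
//     that never needed them.
$pdo = new PDO('sqlite::memory:');  // in-memory SQLite so the example runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (name TEXT, email TEXT)");
$stmt = $pdo->prepare("INSERT INTO users (name, email) VALUES (:name, :email)");
$stmt->execute(array(':name' => $name, ':email' => $email));

// 3b. Destination: HTML page. Escape for HTML at output time, so the <script>
//     tag is rendered as text instead of executed in the visitor's browser.
echo '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</p>\n";

// 3c. Destination: e-mail header. Backslashes are irrelevant here; the real
//     risk is header injection, so strip CR/LF from anything used in a header.
$subject = 'Welcome ' . str_replace(array("\r", "\n"), '', $name);
// mail($email, $subject, "Thanks for registering.");  // disabled for the demo

// 3d. Destination: log file. Neither slashes nor HTML entities belong in a log;
//     encode for the log's own format (JSON here) so the raw value survives.
file_put_contents(
    'php://stdout',
    json_encode(array('name' => $name, 'email' => $email)) . "\n"
);
```

Run it from the command line with magic quotes off and then with magic_quotes_gpc on (php -d magic_quotes_gpc=1 on a PHP 5.3 build): the output is identical in both cases, which is exactly what the one-time cleanup in step 1 buys you while the old setting is still around.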
