magic_quotes_gpc On or Off

Driesp

Hello

As a webhoster, I am receiving many questions about how to disable magic_quotes_gpc.
A default installation of Joomla asks to disable magic_quotes_gpc.
We are running PHP 5.3

I am wondering, because the function is deprecated in PHP 5.3,
should I, as a webhoster, disable magic_quotes_gpc serverwide?

What could be the consequences to currently installed scripts / sites when disabling magic_quotes_gpc serverwide?

Currently my PHP.ini shows:
;magic_quotes_gpc = Off
This seems to be the default on all PHP 5.3 installs.
Is there a reason for it? If yes, what is the reason?
 
In the past, magic_quotes_gpc was massively used against SQL injection attacks, although the initial developer did not intend it to be used in this way.

If you have some old PHP scripts, or scripts written by a PHP beginner, then those scripts may be vulnerable to this attack.

http://en.wikipedia.org/wiki/Magic_quotes
 
So, actually, if I understand right:
- magic_quotes_gpc is standard On in php.ini,
=> this was always the case (unless manually disabled)
- this setting (could??) protect against SQL injections
- although it is deprecated, it could still prevent some injections on PHP 5.3
- So, if I disable it in PHP 5.3, the 'protection' is off and this could be bad for old badly written code. (right??)
- Which also means, by updating to PHP 5.4 or 5.5 the 'protection' is completely off, because it was removed in these versions.

What is being done against SQL injections in PHP 5.4 and later?
Should I be concerned about it, and send notifications to clients?
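
Added example, not part of the thread: a PHP illustration of the legacy pattern discussed above, showing the SQL text a concatenated query produces for the same input with magic_quotes_gpc on and off, next to a PDO prepared statement that does not depend on the setting. The `customers` table, the input value and the helper names are constructed for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Constructed request value: a harmless surname that contains a quote.
$raw = array('name' => "O'Brien");

// magic_quotes_gpc = On ran addslashes() over GET/POST/COOKIE values
// before the script started. Hypothetical helper; handles a flat array only.
function emulate_magic_quotes(array $input)
{
    return array_map('addslashes', $input);
}

// Legacy pattern: SQL assembled by string concatenation
// (hypothetical table "customers").
function legacy_query($name)
{
    return "SELECT id FROM customers WHERE name = '" . $name . "'";
}

// With the setting On the quote reaches the query backslash-escaped.
// With it Off the quote ends the string literal early, so the statement
// breaks on ordinary data and the input can alter the SQL.
$on = emulate_magic_quotes($raw);
echo "quotes On : ", legacy_query($on['name']), "\n";
echo "quotes Off: ", legacy_query($raw['name']), "\n";

// Parameterized form: the value is bound separately and never becomes
// part of the SQL text, so behaviour is the same whatever php.ini says.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)");

$insert = $db->prepare("INSERT INTO customers (name) VALUES (:name)");
$insert->execute(array(':name' => $raw['name']));

$select = $db->prepare("SELECT id, name FROM customers WHERE name = :name");
$select->execute(array(':name' => $raw['name']));
print_r($select->fetch(PDO::FETCH_ASSOC));
```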
 