Change default php.ini to magic_quotes_gpc = Off

[Alan B]

Perhaps WHB staff could address this.

PHP configuration on WHB servers has magic_quotes_gpc = On.
Is that a cPanel default, or is that something that WHB chooses?

If it's a choice, could WHB make the default magic_quotes_gpc = Off ?

From the PHP manual, and PHP Wiki:

Quote:

Why not to use Magic Quotes

Performance
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.

Inconvenience
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().

Not all data that is supplied by the user is intended for insertion into a database. It may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user.

Security
Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode aware and still subject to SQL injection vulnerabilities in some multi-byte character encodings.

Removed from future versions, due to problems
In November 2005 the core PHP developers decided on account of these problems that the magic quotes feature would be removed from PHP 6.