W3docs

How can I replace the deprecated set_magic_quotes_runtime in php?


The set_magic_quotes_runtime function has been deprecated since PHP 5.3 and removed in PHP 7.0. If you are using this function in your code, you should replace it with context-specific escaping methods. Modern PHP requires you to handle escaping manually based on the data's destination (e.g., databases, HTML output, or URL parameters).

For database interactions, the recommended approach is to use prepared statements with placeholders, which handle escaping and quoting automatically. If you must quote a value manually, you can use the PDO::quote method. For example:

Example of quoting a value manually with PDO::quote in PHP

<?php

// Placeholder credentials; replace with your own.
$conn = new PDO('mysql:host=localhost;dbname=test', 'db_user', 'db_password');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$input = "O'Reilly";
// PDO::quote wraps the value in quotes and escapes it for the driver
// (MySQL yields 'O\'Reilly'); prefer bound parameters wherever possible.
$safe_input = $conn->quote($input);
$rows = $conn->query("SELECT * FROM users WHERE name = $safe_input")->fetchAll();


Prepared statements with placeholders are the preferred approach: the value is sent to the database separately from the SQL text, so no escaping or quoting is required. For example:

Example of using prepared statements with placeholders to escape user input in PHP

<?php

// Placeholder credentials; replace with your own.
$conn = new PDO('mysql:host=localhost;dbname=test', 'db_user', 'db_password');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$input = "O'Reilly";
// The query text holds only a placeholder; the driver transmits the value
// separately, so nothing needs escaping. ("table" and "column" are reserved
// words in MySQL, so real names are used here.)
$stmt = $conn->prepare("SELECT * FROM users WHERE name = :value");
$stmt->bindValue(':value', $input, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Finally, use the htmlspecialchars function to escape user input that is going to be displayed as HTML. This is important to prevent cross-site scripting (XSS) attacks. For URL parameters, use urlencode or rawurlencode to safely encode data for query strings.

Example of using htmlspecialchars() function to escape user input in PHP

<?php

// Constructed input containing HTML and JavaScript.
$input = "<script>alert('Hello')</script>";

// Convert the characters that are significant in HTML (<, >, &, ", ') to
// entities so the browser renders the string as text instead of executing it.
// ENT_QUOTES also escapes single quotes, which matters when the value lands
// inside a quoted attribute; passing the charset explicitly avoids
// mis-encoding surprises.
$safe_input = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Output: &lt;script&gt;alert(&#039;Hello&#039;)&lt;/script&gt;
echo $safe_input;
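The three destinations described above (database, HTML, URL) applied to one untrusted value, as an added example that is not part of the original page. It assumes the pdo_sqlite extension so it runs without a database server; the authors table, the example.invalid host and the sample input are constructed for the demo.

```php
<?php
// Added example (not from the original page): one untrusted value escaped
// differently for each destination. Assumes pdo_sqlite is available; the
// table name and sample input are made up for this demo.
declare(strict_types=1);

// Constructed sample input: a quote, angle brackets, an ampersand and a '?'.
$input = "O'Reilly <b>&</b> ?x=1";

// 1. Database: bind the value, never interpolate it. The driver sends the
//    SQL text and the value separately, so no quoting is needed and the
//    stored value round-trips unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO authors (name) VALUES (:name)');
$ins->execute([':name' => $input]);
$sel = $pdo->prepare('SELECT name FROM authors WHERE name = :name');
$sel->execute([':name' => $input]);
$fromDb = $sel->fetchColumn();

// 2. HTML: escape at output time. ENT_QUOTES makes the value safe inside a
//    single- or double-quoted attribute, not only in element text.
$html = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$page = sprintf('<input name="q" value="%s"> <p>%s</p>', $html, $html);

// 3. URL: percent-encode (RFC 3986) before placing the value in a query
//    string; http_build_query does the same for a whole parameter array.
$url  = 'https://example.invalid/search?q=' . rawurlencode($input);
$url2 = 'https://example.invalid/search?' . http_build_query(['q' => $input]);

printf("db  : %s\n", $fromDb);
printf("html: %s\n", $page);
printf("url : %s\n", $url);
printf("url2: %s\n", $url2);
```

Running it shows the point of context-specific escaping: the database line prints the input exactly as entered, because binding stores it verbatim, while the HTML and URL lines carry entity and percent encodings respectively. Escaping once at input time, which is what magic quotes did, can never produce all three forms correctly.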