The servers will now have PHP magic_quotes_gpc set to OFF by default for best security.

Magic Quotes will soon be a thing of the past and you are safer with it disabled.

If magic_quotes_gpc is set to OFF there will be a warning during a manual Joomla installation.

While usually not a concern, older PHP scripts may break.

How to Turn Magic Quotes On

( Globally for all directories )

Using php.ini EZConfig in cPanel

Look for this icon in cPanel (not available in all cPanels)php.ini EZConfig icon in cPanel

Use browser search to find magic_quotes_gpc in the EzConfig UI.

Enter on for magic_quotes_gpc

A php.ini file will created in the Home directory.

This will affect all directories (recursive).



The php.ini file is a text file. It can be created/edited in a text editor such as Notepad.

Create a text file named php.ini in the directory to be affected.

Put this line in the php.ini file.

magic_quotes_gpc = on

The php.ini file will only affect the files in the same folder. (not recursive) 



In a suPHP environment editing the .htaccess file is  also required:

Add the following to a .htaccess file in the same directory:

<IfModule mod_suphp.c>
        suPHP_ConfigPath /home/USERNAME/public_html/PATH/TO/DIRECTORY/php.ini
        <Files php.ini>
                order allow,deny
                deny from all

You will have to edit the "suPHP_ConfigPath" line to point to the proper php.ini file.


PHP Magic Quotes (magic_quotes_gpc) General Information


Magic Quotes is a process that automatically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

Security Implications

The magic quotes option was introduced to help protect developers from SQL injection attacks. It effectively executes addslashes() on all information received over GET, POST or COOKIE. Unfortunately this protection isn't perfect: there are a series of other characters that databases interpret as special not covered by this function. In addition, data not sent direct to databases must un-escaped before it can be used.


Because it's inconsistent and ineffective, it's recommended that magic_quotes_gpc be disabled. Rely on input filtering done by your scripts.

php.ini General Information



Best Canadian Web Host for Joomla

Joomla Web Hosting Canada RSS Feed