PHP magic_quotes_gpc is disabled
Description
This finding indicates that the PHP magic_quotes_gpc directive is disabled in the server configuration. Magic quotes was a legacy PHP feature (deprecated in PHP 5.3.0 and removed in PHP 5.4.0) that automatically escaped special characters in user input by applying addslashes() to GET, POST, and COOKIE data before the script ran. While this provided a basic layer of protection against SQL injection attacks, it was an imperfect solution: it escaped every value for one assumed context (a quoted SQL string literal) regardless of where the data was actually used, so applications had to strip the slashes again elsewhere, and it offered no protection where user data was placed in a query outside a quoted string (for example as a bare numeric value). The feature has been removed from modern PHP versions. If your application is running on an older PHP version and relies on this feature for input sanitization, its absence may expose the application to injection vulnerabilities.
Remediation
Important: Magic quotes has been deprecated since PHP 5.3.0 and completely removed in PHP 5.4.0. The recommended approach is to upgrade to a modern PHP version and implement proper security practices rather than relying on this legacy feature.
Modern Secure Approach (Recommended):
1. Upgrade to PHP 7.4 or later (PHP 8.x preferred)
2. Use prepared statements with parameterized queries for all database operations
3. Implement input validation and output encoding appropriate to the context
Example using PDO prepared statements:
// Secure approach - use prepared statements
// $pdo is an existing PDO connection (new PDO($dsn, $user, $password))
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
// The value is sent as a bound parameter, not spliced into the SQL text,
// so the database never interprets it as part of the statement
$stmt->execute(['username' => $_POST['username']]);
$user = $stmt->fetch();
Legacy Systems Only:
If you must maintain a legacy PHP application (PHP 5.3 or earlier) and cannot immediately refactor the code, you can temporarily enable magic_quotes_gpc:
In php.ini:
magic_quotes_gpc = On
In .htaccess:
php_flag magic_quotes_gpc On
However, prioritize migrating away from magic quotes and implementing proper input validation and prepared statements as soon as possible.
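The following is an added example (not part of the original finding) that ties the two sections above together: it makes request data consistent whether or not magic_quotes_gpc is on, so the same code behaves identically during and after the migration, and then relies on validation plus a PDO prepared statement instead of escaping. The DSN, credentials, the users table and its columns are assumed; it avoids short array syntax and type declarations so it also runs on PHP 5.3.

```php
<?php
// Added example, not from the original finding. Assumed: DSN/credentials
// and a `users` table with `id` and `username` columns.

// On PHP < 5.4 with magic_quotes_gpc = On, $_GET/$_POST/$_COOKIE have
// already been passed through addslashes(). Undo that once so the
// application always sees raw input; from here on, escaping is done
// solely by the database driver via bound parameters.
function strip_magic_quotes($data)
{
    $clean = array();
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value)
            ? strip_magic_quotes($value)
            : stripslashes($value);
    }
    return $clean;
}

// get_magic_quotes_gpc() is deprecated in 7.4 and gone in 8.0; the
// function_exists() guard and @ keep this shim silent on every version.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Validate the shape of the input before it reaches the database: a value
// that fails the allow-list is rejected outright rather than "escaped".
$username = isset($_POST['username']) ? $_POST['username'] : '';
if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username)) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid username');
}

// Constructed connection details; replace with the real DSN and credentials.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret',
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    )
);

// The user value travels to the server as a bound parameter, never as SQL
// text, so quotes or comment sequences in it cannot alter the statement.
$stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
$stmt->execute(array(':username' => $username));
$user = $stmt->fetch(PDO::FETCH_ASSOC);
```

Once every query in the application goes through this pattern, the magic_quotes_gpc setting no longer affects correctness or security, and the shim can be deleted after the PHP upgrade.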