I don't think I can explain it any better than the makers of PHP itself (with followup comments on that page): Why not to use Magic Quotes
- Portability: Assuming it to be on, or off, affects portability. Use
get_magic_quotes_gpc() to check for this, and code accordingly.
- Performance: Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like
addslashes()) at runtime is more efficient. Although php.ini-development enables these directives by default, php.ini-production disables it. This recommendation is mainly due to performance reasons.
- Inconvenience: Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of ' within the email. To fix, this may require excessive use of
stripslashes().
Note - This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
