The problem is that if you have it on, and rely on it being on, then your code could break if it's ever run on a server with magic quotes turned off, and more importantly you'll be vulnerable to SQL injection exploits.
Vulnerable to SQL injection because GPC is on?
Or vulnerable to SQL injection because GPC is off, and your script thinks it is on (relies on it being turned on)?
Couldn't a simple act like mapping the GET, POST, and COOKIE data through a function to add slashes if GPC is off, eliminate the need to worry if it's on or off? Something like:

    // handle magic_quotes_gpc turned off.
    if (!get_magic_quotes_gpc()) {
        $_GET    = array_map(array('String', 'magicQuotesGPC'), $_GET);
        $_POST   = array_map(array('String', 'magicQuotesGPC'), $_POST);
        $_COOKIE = array_map(array('String', 'magicQuotesGPC'), $_COOKIE);
    }

    class String {
        // Add slashes to a value, recursing into nested arrays.
        function magicQuotesGPC($element) {
            if (is_array($element)) {
                return array_map(array('String', 'magicQuotesGPC'), $element);
            } else {
                return addslashes($element);
            }
        }
    }

Or would you still have the same problem?
I'm just still not sure how adding slashes to your input data superglobals makes you vulnerable to injection attacks.
Learning how to clean data is more difficult when there is some phantom process trying to help you out. Kind of like doing anything with Microsoft products, always hard to tell what is actually happening because they are always trying to help.
We covered a bunch of these things here
PHP Security [webmasterworld.com]
That is like saying, "I do `$var = htmlspecialchars($var)`, and now I have no idea what $var is". If that is the case, it is only because one doesn't understand what htmlspecialchars does.
One would only not know what the data was if they did not understand what the function does to the data.
Example:
If you have GPC enabled (and write your code as if it is enabled), and code your application to add slashes for all incoming data on systems with GPC disabled, you do know what the data is, unless you don't understand how adding slashes works. But the fact that you added them for all systems with GPC disabled shows that you in fact do know what the input data is.
In the same manner, if you have GPC disabled (and write your code as if it is disabled), and code your application to strip slashes for all incoming data on systems with GPC enabled, you know what the data is. The fact that you knew you had to strip slashes on GPC disabled systems shows that you know what the data is.
In any case, to be sure one's app would work on all systems regardless of the GPC settings, one would either have to:
A) code as if GPC is enabled, and make accommodations if it is disabled, or
B) code as if GPC is disabled, and make accommodations if it is enabled.
And whether A or B, that just seems like a programming style preference to me, and not a security issue.
The biggest security issue is never in hardware or software. It's always in people! (See the history of great hackers). There's even a saying: If you want to imagine infinity, then imagine human stupidity. :)
Best regards
Michal Cibor
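
On the question raised in the thread of how input that already has slashes added can still reach a query unsafely, here is an added example that is not part of any post above. It assumes PHP 5.4 or later with the pdo_sqlite extension; the table, its rows, the inputs and the function names are all constructed for illustration.

```php
<?php
// Added example, not from the thread. Schema, rows and inputs are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'O''Brien')");

// Hypothetical stand-in for the value magic_quotes_gpc, or the addslashes()
// mapping posted above, hands to the script.
function slashed($raw) {
    return addslashes($raw);
}

// Interpolated, numeric context: there are no quotes around $id, so a value
// without quote characters passes through addslashes() unchanged and is
// parsed as SQL.
function namesByIdInterpolated(PDO $db, $raw) {
    $id = slashed($raw);
    return $db->query("SELECT name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
}

// Interpolated, string context: SQLite escapes a quote by doubling it and
// does not treat backslash as an escape, so the slashed value is not valid
// escaping for this database.
function idsByNameInterpolated(PDO $db, $raw) {
    $name = slashed($raw);
    try {
        return $db->query("SELECT id FROM users WHERE name = '$name'")->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Bound parameter: the raw value travels separately from the SQL text and
// is only ever compared as data, whatever characters it contains.
function columnByParam(PDO $db, $sql, $raw) {
    $stmt = $db->prepare($sql);
    $stmt->execute([$raw]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$unquoted = '1 OR 1=1';  // constructed input containing no quote character
var_dump(namesByIdInterpolated($db, $unquoted));   // condition is true for every row
var_dump(columnByParam($db, "SELECT name FROM users WHERE id = ?", $unquoted));  // compared as one value

$surname = "O'Brien";    // constructed, legitimate input containing a quote
var_dump(idsByNameInterpolated($db, $surname));    // slashed form breaks the statement
var_dump(columnByParam($db, "SELECT id FROM users WHERE name = ?", $surname));
```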