Magic quotes in PHP

Magic quotes are inherently broken. They were meant to sanitize input to the PHP script, but without knowing how that input will be used it’s impossible to sanitize correctly. If anything, you’re better off checking whether magic quotes are enabled, calling stripslashes() on $_GET/$_POST/$_COOKIE/$_REQUEST if they are, and then sanitizing each variable at the point where you use it: urlencode() if you’re using it in a URL, htmlentities() if you’re printing it back to a web page, or your database driver’s escaping function if you’re storing it to a database. Note that those input arrays can contain sub-arrays, so you might need to write a function that can recurse into the sub-arrays to strip those slashes too.

The PHP man page on magic quotes agrees:

“This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. Relying on this feature is highly discouraged. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It’s preferred to code with magic quotes off and to instead escape the data at runtime, as needed.”
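
One way to carry out the steps described above (check for magic quotes, strip slashes recursively, escape at the point of use), as an added example that is not code from the original post. The function names `strip_magic_slashes()` and `normalize_input()` are hypothetical, the sample input is constructed, and an in-memory SQLite database via PDO stands in for your database driver.

```php
<?php
// Added example. strip_magic_slashes() and normalize_input() are hypothetical names.

// Recursively undo magic-quotes escaping on a string or a (nested) array.
function strip_magic_slashes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_slashes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Strip only when magic quotes actually escaped the input; otherwise a
// legitimate backslash typed by the user would be destroyed.
function normalize_input(array $input, $magicQuotesOn)
{
    return $magicQuotesOn ? strip_magic_slashes($input) : $input;
}

// get_magic_quotes_gpc() was removed in PHP 8.0, so test for it first; the @
// suppresses the deprecation notice that PHP 7.4 raises for the call.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

// In a real script, once at startup:
//   $_GET = normalize_input($_GET, $magicQuotesOn);   (same for $_POST, $_COOKIE, $_REQUEST)

// Constructed sample, shaped like $_GET as it arrives with magic quotes on.
$escaped = array(
    'name' => 'O\\\'Reilly <b>',
    'tags' => array('a\\"b', 'c&d'),
);
$input = normalize_input($escaped, true); // true: the sample simulates magic quotes on
$name  = $input['name'];

// Escape at the point of use, with the function that matches the context.
echo 'URL:  /search?q=' . urlencode($name) . "\n";
echo 'HTML: <p>' . htmlentities($name, ENT_QUOTES, 'UTF-8') . "</p>\n";
echo 'Tag:  ' . htmlentities($input['tags'][0], ENT_QUOTES, 'UTF-8') . "\n";

// Database context: PDO::quote() is the driver's escaping function here.
// Assumes the pdo_sqlite extension; an in-memory SQLite database stands in for yours.
$db = new PDO('sqlite::memory:');
echo 'SQL:  SELECT id FROM users WHERE name = ' . $db->quote($name) . "\n";
```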
