it's not php's fault. magic_quotes works by adding single backslash to escape special character. (this bug is actually be used in sql injection). if the exploit works it's the code fault, not php. what's the permission of /etc/passwd ?? it should not be able to be viewed by other users besides root and toor. if you're talking about php "index.php?page=/etc/passwd\0" which will barely include /etc/passwd, it's the author's fault. anyway, if you talk about php "index.php?act=more%20/etc/passwd\0" which will view the content of /etc/passwd, then your script will do nothing.