When magic quotes is enabled, all form fields have their slashes stripped via $request->_variable's call to its type cast helper's recursive_set_var() function. The _FILES array does not add extra slashes to every field though, namely tmp_name is left as is. As a result, file uploads will fail since move_uploaded_file() is being called with an invalid source path (e.g. C:WINDOWSTempphpDA91.tmp instead of C:\WINDOWS\Temp\phpDA91.tmp).