For PHP there's a default configuration (if an entry is not defined), the php.ini file, and the runtime configuration. You can't edit the php.ini file and restart the server without usually being root or a similar privileged user. You can however individually for each script unless disabled, set whether magic_quotes should be enabled for that particular script. (See php.net for more information.)
What I recommend is that you download a copy of the web application to your local machine and review the source code, as reviewing it on the server may be a bit complicated though far from impossible. (Avoid using editors like nano and vim, use cat to read, or cp to move.)
Look for database credentials in the configuration file for the web application you're exploiting, read /etc/passwd if you can and attempt to guess the passwords for user accounts that seems allowed to log in. (This depends on the SSH and / or FTP config, depending on what you're trying to log into.) Use the most common passwords, but only do this if you're allowed to.
But your next step is to dive into the database if it uses that, as the credentials will have to be stored somewhere unless everyone is allowed to connect. If you're lucky, the application runs as root and you can use load_file() or INTO OUTFILE and other commands on the system. (I assume it's a MySQL database in this case.)
Look for vulnerabilities in all services running, both those that have networking enabled, but also those that runs in local sockets, and so forth. Kernel vulnerabilities are often the first thing script kiddies and blackhats try to exploit if the application is configured correct. If you need to compile a binary, but can't on the target system, compile it on your own identical operating system and upload it to the target host. If only a perl script is available for a particular vulnerability, convert it manually to e.g. python in case perl is not available. (Or use a wrapper in case that's available.)
That's pretty much some of the best advice I can give, but if you got remote code execution you can inject backdoors into the web application and perform man in the middle attacks, serve malware from their domain, and much more, so compromising the web application alone and getting remote code execution is pretty serious already.