what is evil about magic quotes?
I'd just like your opinion about magic quotes... there are articles saying that it is evil, and inconsistently, they provide or suggest code that uses magic quotes... is the evilish thing about the .ini file turning it On by default, or its usage in the PHP script... I don't really get it... maybe this link can help --> http://www.webmasterstop.com/63.html
-
fastfingertips
- Forum Contributor
- Posts: 242
- Joined: Sun Dec 28, 2003 1:40 am
- Contact:
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
I'd say there are a couple of problems with magic_quotes:
1. They make you feel safer than you actually are. This is a similar quality to safe_mode.
2. Since it is an option, you must check whether it is on or off and your code must deal with it accordingly to write portable code.
3. Because they only do addslashes() they do not effectively escape all necessary characters. For example, each database has an escaping function specific to it for use when putting variables into SQL.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
As already said, magic_quotes give you a false impression of being secure.
magic_quotes assumes that every sql-dbms uses quotes to escape quotes (which isn't true.)
So, it messes up your original data with no added value whatsoever.
Disable it. Validate all 'foreign' data. Prepare data for use in SQL/HTML/URL... with the appropriate functions.
You may want to check viewtopic.php?t=43203&highlight=mysqlrealescapestring.
P.S. I wouldn't call it "evil".
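An added example, not posted by anyone in this thread, that puts the two replies above into code: detect whether magic_quotes_gpc is actually on and undo its addslashes() once at the entry point (so stored data is what the user typed), then quote for SQL deliberately, per target, with a bound parameter or the driver's own quote function instead of trusting addslashes(). It runs offline against PDO's SQLite driver; the `$slashedPost` array is constructed to look like form input after magic_quotes_gpc has mangled it. The function and variable names are my own. On PHP 7.4 and later get_magic_quotes_gpc() no longer exists, so `magicQuotesActive()` simply returns false there.

```php
<?php
// Example code, not from the thread. Shows (1) reversing magic_quotes_gpc only
// when it is really on, and (2) why addslashes() is the wrong escaping for SQL:
// the backslash convention it assumes is MySQL's, not every database's.
declare(strict_types=1);

/** Recursively strip the slashes magic_quotes_gpc added to keys and values. */
function undoMagicQuotes(array $data): array
{
    $clean = [];
    foreach ($data as $key => $value) {
        $key = is_string($key) ? stripslashes($key) : $key;   // keys were slashed too
        $clean[$key] = is_array($value)
            ? undoMagicQuotes($value)
            : stripslashes((string) $value);
    }
    return $clean;
}

/** True only when the interpreter is actually applying magic_quotes_gpc. */
function magicQuotesActive(): bool
{
    // Deprecated in PHP 5.4 (always returns false there), removed in 7.4.
    return function_exists('get_magic_quotes_gpc') && (bool) @get_magic_quotes_gpc();
}

/** Store a name through a bound parameter; the driver does the quoting. */
function storeUser(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function fetchNames(PDO $db): array
{
    return $db->query('SELECT name FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

/** Contrast addslashes() with what this particular driver actually needs. */
function compareQuoting(PDO $db, string $value): array
{
    return [
        'addslashes' => addslashes($value),  // O\'Brien   (MySQL-style backslash)
        'driver'     => $db->quote($value),  // 'O''Brien' on SQLite: quotes are doubled
    ];
}

// In a real script this guard runs once, before any input is read:
if (magicQuotesActive()) {
    $_GET     = undoMagicQuotes($_GET);
    $_POST    = undoMagicQuotes($_POST);
    $_COOKIE  = undoMagicQuotes($_COOKIE);
    $_REQUEST = undoMagicQuotes($_REQUEST);
}

// Constructed sample: $_POST as magic_quotes_gpc would have left it when the
// user typed  O'Brien  into the form.
$slashedPost = ['name' => "O\\'Brien"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Wrong: trust the option and bind the slashed value. Both layers escape, so
// the backslash is stored as data: the "messes up your original data" case.
storeUser($db, $slashedPost['name']);

// Right: undo the option's change, then let the bound parameter handle quoting.
$post = undoMagicQuotes($slashedPost);   // explicit here because the sample is pre-slashed
storeUser($db, $post['name']);

var_export(fetchNames($db));                      // ['O\\\'Brien', 'O\'Brien']
echo PHP_EOL;
var_export(compareQuoting($db, $post['name']));   // addslashes vs. SQLite quoting
echo PHP_EOL;
```

The first stored row shows the corruption the replies describe: one layer of escaping becomes literal data once a second layer is applied. The `compareQuoting()` output shows why `addslashes()` cannot stand in for the database's own escaping: SQLite (and the SQL standard) double the quote character, so a backslash-escaped value is simply a different string to that engine. Bound parameters sidestep the question entirely, which is why they are the default choice.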