what is evil about magic quotes?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

I'd just like your opinion about magic quotes... there are articles saying that it is evil, and, inconsistently, they provide or suggest code that uses magic quotes... is the evil thing about the .ini file turning it On by default, or its usage in the PHP script... I don't really get it... maybe this link can help --> http://www.webmasterstop.com/63.html
fastfingertips
Forum Contributor
Posts: 242
Joined: Sun Dec 28, 2003 1:40 am

Post by fastfingertips »

You should start reading about injection (database injection) and I think that will help you to get a view about this.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I'd say there are a couple of problems with magic_quotes:

1. They make you feel safer than you actually are. This is a similar quality to safe_mode.

2. Since it is an option, you must check whether it is on or off and your code must deal with it accordingly to write portable code.

3. Because they only do addslashes() they do not effectively escape all necessary characters. For example, each database has an escaping function specific to it for use when putting variables into SQL.
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

What should I do? Turn it off by default and call the function in my page?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Turn it off, filter and validate all data from the Request, escape all data going to a database with the database specific function, and convert all htmlentities in all data to be displayed.
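The advice above (turn magic quotes off, validate the request, escape with the database-specific mechanism, escape again for HTML on output) written out as an added PHP example; it is not code from the thread, and the form field names, the regex and the PDO connection parameters are placeholders:

```php
<?php
// Added example, not from the thread. Portable handling of request data when
// magic_quotes_gpc may still be on, then validation, DB-side escaping and
// output escaping. get_magic_quotes_gpc() was removed in PHP 8, so it is guarded.

// 1. Undo magic quotes so the script sees the original request data again.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// 2. Validate: whitelist what you expect instead of "escape and hope".
//    (Field names and the allowed pattern are assumptions for this example.)
$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
    http_response_code(400);
    exit('Invalid username');
}
$comment = isset($_POST['comment']) ? (string) $_POST['comment'] : '';

// 3. Database: let the driver do the escaping via a prepared statement.
//    addslashes() does not know the connection charset or the DBMS rules;
//    the driver does. Connection parameters are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));
$stmt = $pdo->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
$stmt->execute(array(':u' => $username, ':b' => $comment));

// If a query is built by string interpolation with mysqli instead, the
// equivalent is the driver's own function: $mysqli->real_escape_string($comment)

// 4. Output: escape for HTML at the point of display, not at input time,
//    so the stored data stays exactly what the user typed.
echo '<p>' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . '</p>';
```

Each context (SQL, HTML, URL) gets its own escaping at the point of use, which is what magic quotes' single addslashes() pass at input time cannot provide.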
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

As already said, magic_quotes give you a false impression of being secure.
magic_quotes assumes that every SQL DBMS uses backslashes to escape quotes (which isn't true).

So, it messes up your original data with no added value whatsoever.

Disable it. Validate all 'foreign' data. Prepare data for use in SQL/HTML/URL... with the appropriate functions.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

You may want to check viewtopic.php?t=43203&highlight=mysqlrealescapestring.

P.S. I wouldn't call it "evil".
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Oren wrote: P.S. I wouldn't call it "evil".
Evil is just the programmer way to say that something allows you to do the wrong thing too easily.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Magic quotes: doing to you in the name of doing for you. I leaned on it heavily early on in my PHP experience. Best to learn about it up front and turn it off. It's really the only way to get dependable results.
Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

Post by Ree »

Magic quotes needlessly add one more problem to take care of besides all the other work you have to do. It's good to know they'll finally be removed in future PHP versions.