what is evil about magic quotes?
Posted: Fri Apr 21, 2006 3:22 am
by pleigh
I just like your opinion about magic quotes...there are articles saying that it is evil, and inconsistently, they provide or suggest code that uses magic quotes...is the evilish thing about the .ini file turning it On by default, or its usage in the PHP script...I don't really get it...maybe this link can help -->
http://www.webmasterstop.com/63.html
Posted: Fri Apr 21, 2006 3:33 am
by fastfingertips
You should start reading about injection (database injection), and I think that will help you to get a view about this.
Posted: Fri Apr 21, 2006 3:34 am
by Christopher
I'd say there are a couple of problems with magic_quotes:
1. They make you feel safer than you actually are. This is a similar quality to safe_mode.
2. Since it is an option, you must check whether it is on or off and your code must deal with it accordingly to write portable code.
3. Because they only do addslashes() they do not effectively escape all necessary characters. For example, each database has an escaping function specific to it for use when putting variables into SQL.
Posted: Fri Apr 21, 2006 3:52 am
by pleigh
What should I do? Turn it off by default and call the function in my page?
Posted: Fri Apr 21, 2006 4:23 am
by Christopher
Turn it off, filter and validate all data from the Request, escape all data going to a database with the database specific function, and convert all htmlentities in all data to be displayed.
Posted: Fri Apr 21, 2006 6:16 am
by timvw
As already said, magic_quotes give you a false impression of being secure.
magic_quotes assumes that every SQL DBMS uses quotes to escape quotes (which isn't true).
So, it messes up your original data with no added value whatsoever.
Disable it. Validate all 'foreign' data. Prepare data for use in SQL/HTML/URL... with the appropriate functions.
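Putting Christopher's and timvw's advice into one script, as an added example that is not from the thread: it undoes magic_quotes_gpc when the setting is on (PHP 5, where it still exists), whitelists the input, escapes with the MySQL-specific function or binds a parameter, and escapes again for HTML output. The `users` table, the connection details and the `username` field are assumed.

```php
<?php
// Added example, not from the thread. Assumes PHP 5 with mysqli and a
// hypothetical `users` table; connection details are placeholders.

// 1. Undo magic_quotes_gpc so the variables hold the raw user input again.
//    Escaping twice is as much a bug as not escaping at all.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}
if (get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// 2. Validate: a username must match a strict whitelist before it goes anywhere.
function valid_username($name)
{
    return is_string($name) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $name) === 1;
}
$name = isset($_POST['username']) ? $_POST['username'] : '';
if (!valid_username($name)) {
    die('invalid username');
}

// 3. Escape with the database-specific function (it knows the connection
//    charset and bytes such as NUL that addslashes() ignores)...
$db   = new mysqli('localhost', 'user', 'password', 'app'); // placeholders
$safe = $db->real_escape_string($name);
$sql  = "SELECT id FROM users WHERE name = '$safe'";

// ...or, better, bind a parameter so SQL grammar and data never mix.
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();

// 4. A different context needs a different escape: HTML output, not SQL.
echo 'Hello, ' . htmlentities($name, ENT_QUOTES, 'UTF-8');
```

The same raw value is escaped once per destination (SQL, HTML), never in advance by a global setting.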
Posted: Fri Apr 21, 2006 8:02 am
by Oren
You may want to check
viewtopic.php?t=43203&highlight=mysqlrealescapestring.
P.S. I wouldn't call it "evil".
Posted: Fri Apr 21, 2006 11:44 am
by Christopher
Oren wrote: P.S. I wouldn't call it "evil".
Evil is just the programmer way to say that something allows you to do the wrong thing too easily.
Posted: Fri Apr 21, 2006 12:55 pm
by neophyte
Magic quotes: doing to you in the name of doing for you. I leaned on it heavily early on in my PHP experience. Best to learn about it up front and turn it off. It's really the only way to get dependable results.
Posted: Fri Apr 21, 2006 1:03 pm
by Ree
Magic quotes needlessly adds one more problem to take care of besides all the other work you have to do. It's good to know it'll finally be removed in future PHP versions.