Sep 08

PHP Code Security Part 6

By jason PHP World Add comments

Magic Quotes:

What are Magic Quotes:

Magic Quotes is a process that automagically escapes incoming data to the PHP script. It’s preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

Why did we use Magic Quotes:

There is no reason to use magic quotes because they are no longer a supported part of PHP. However, they did exist and did help a few beginners blissfully and unknowingly write better (more secure) code. But, when dealing with code that relies upon this behavior it’s better to update the code instead of turning magic quotes on. So why did this feature exist? Simple, to help prevent SQL Injection. Today developers are better aware of security and end up using database specific escaping mechanisms and/or prepared statements instead of relying upon features like magical quotes.

Why not to use Magic Quotes:

  • Portability Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
  • Inconvenience Because not all data needs escaping, it’s often annoying to see escaped data where it shouldn’t be. For example, emailing from a form, and seeing a bunch of \’ within the email. To fix, this may require excessive use of stripslashes().
    • Disabling Magic Quotes:

    The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.

    Example #1 Disabling magic quotes server side

    An example that sets the value of these directives to Off in php.ini. For additional details, read the manual section titled How to change configuration settings.

    ; Magic quotes ; ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = Off ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. magic_quotes_runtime = Off ; Use Sybase-style magic quotes (escape ‘ with ” instead of \’). magic_quotes_sybase = Off

    If access to the server configuration is unavailable, use of .htaccess is also an option. For example: 

    php_flag magic_quotes_gpc Off

    In the interest of writing portable code (code that works in any environment), like if setting at the server level is not possible, here’s an example to disable magic_quotes_gpc at runtime. This method is inefficient so it’s preferred to instead set the appropriate directives elsewhere.

    Example #2 Disabling magic quotes at runtime

    <?php

    if (get_magic_quotes_gpc()) {

        function stripslashes_deep($value)

        {

    $value = is_array($value) ?

    array_map('stripslashes_deep', $value) :

    stripslashes($value);

            return $value;

        }

    $_POST = array_map('stripslashes_deep', $_POST);

    $_GET = array_map('stripslashes_deep', $_GET);

    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);

    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);

    }

    ?>

    Related Posts

    2 Responses to “PHP Code Security Part 6”

    1. jason says:
      09/12/2009 at 8:47 pm

      great,welcom.

    2. Nadine says:
      09/12/2009 at 4:44 pm

      Hello,
      Thank you! I would now go on this blog every day!
      Nadine

    Leave a Reply

    preload preload preload