Magic quotes explained

Magic quotes was a feature of the PHP scripting language in which incoming strings were automatically escaped - special characters were prefixed with a backslash - before being passed on to the script. It was introduced to help newcomers write functioning SQL commands without requiring manual escaping. It was later described as intended to prevent inexperienced developers from writing code that was vulnerable to SQL injection attacks.

This feature was officially deprecated as of PHP 5.3.0 and removed in PHP 5.4, due to security concerns.[1]

Concept

The current revision of the PHP manual states that the rationale behind magic quotes was to "help [prevent] code written by beginners from being dangerous."[2] It was, however, originally introduced in PHP 2 as a php.h compile-time setting for msql, escaping only single quotes, "making it easier to pass form data directly to msql queries".[3] It was originally intended as a "convenience feature, not as [a] security feature."[4][5]

The scope of magic quotes was expanded in PHP 3. Single quotes, double quotes, backslashes and null characters in all user-supplied data had a backslash prepended to them before being passed to the script in the $_GET, $_REQUEST, $_POST and $_COOKIE global variables. Developers could then, in theory, use string concatenation to construct safe SQL queries from data provided by the user. (This assumption was most accurate when PHP 2 and PHP 3 were current, since the primary supported databases allowed only 1-byte character sets.)

Criticism

Magic quotes were enabled by default in new installations of PHP 3 and 4, but could be disabled through the magic_quotes_gpc configuration directive. Since magic quotes operated behind the scenes and were not immediately obvious, developers may have been unaware of their existence and of the problems they could introduce. The PHP documentation pointed out several pitfalls and recommended disabling them despite their being enabled by default.[6]

Problems with magic quotes included:

In November 2005 the core PHP developers decided that because of these problems, the magic quotes feature would be removed from PHP 6.[10] When development of PHP 6 stalled and development continued on the 5.x branch instead, the feature was deprecated in PHP 5.3.0 and removed in 5.4.
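As an added illustration (not code from the PHP project or from this article), the following Python emulates the addslashes()-style transformation that magic_quotes_gpc applied to request values, as described under Concept, the double-escaping pitfall the manual warned about, and the portable handling a developer would use instead: undo the escaping only when it was actually applied, then pass the value as a bound query parameter rather than concatenating it into SQL. The SQLite table and the form value are constructed for the example.

```python
import sqlite3

# Characters that magic_quotes_gpc (PHP addslashes() semantics) prefixed with a backslash.
_ESCAPED = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}

def add_slashes(value: str) -> str:
    """Emulate PHP addslashes(): backslash-prefix ' " \\ and NUL, one character at a time."""
    return "".join(_ESCAPED.get(ch, ch) for ch in value)

def strip_slashes(value: str) -> str:
    """Emulate PHP stripslashes(): remove exactly one layer of add_slashes() escaping."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append("\0" if value[i + 1] == "0" else value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def magic_quotes_gpc(request: dict) -> dict:
    """What PHP 3/4 did behind the scenes to every $_GET/$_POST/$_COOKIE value when the directive was on."""
    return {key: add_slashes(value) for key, value in request.items()}

def store_name(conn: sqlite3.Connection, name: str, gpc_on: bool) -> str:
    """Portable handler: undo magic quotes only if they actually ran, then bind the value as a
    query parameter instead of concatenating it into the SQL text."""
    if gpc_on:
        name = strip_slashes(name)
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users WHERE rowid = ?", (cur.lastrowid,)).fetchone()
    return row[0]

def demo(name: str) -> dict:
    """Run one constructed form value through the three paths and return what each produced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    raw_post = {"name": name}                      # what the browser sent
    quoted_post = magic_quotes_gpc(raw_post)       # what the script saw with magic_quotes_gpc=On
    return {
        "escaped": quoted_post["name"],
        # Pitfall: code that also calls addslashes() itself escapes the value a second time.
        "double_escaped": add_slashes(quoted_post["name"]),
        # The same handler yields the same stored row whether or not the directive was on.
        "stored_gpc_on": store_name(conn, quoted_post["name"], gpc_on=True),
        "stored_gpc_off": store_name(conn, raw_post["name"], gpc_on=False),
    }
```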

Other approaches

Notes and References

  1. "Magic Quotes". PHP Manual, PHP.net. 2014-01-17.
  2. "PHP: Why use magic quotes?". PHP documentation. 2007-02-19.
  3. "If the MAGIC_QUOTES variable is defined in the php.h file then these quotes will be automatically escaped making it easier to pass form data directly to msql queries." 2011-03-27.
  4. "Magic Quotes is oft-understood, even by journeymen PHP programmers."
  5. "Re: [PHP3] what are magic_quotes?". PHP-dev mailing list. 1999-08-27. 2011-01-17.
  6. "PHP: Why not to use magic quotes". PHP documentation. 2007-02-19.
  7. "Quotation marks are double escaped when editing a comment". WordPress issue tracker. 2007-02-19.
  8. Chris Shiflett. "addslashes versus mysql_real_escape_string". 2007-02-19.
  9. "Changes in release 5.0.22 (24 May 2006)". MySQL 5.0 Reference Manual, MySQL AB. 2007-02-19. Archived 2007-02-22: https://web.archive.org/web/20070222162435/http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html
  10. "Minutes PHP Developers Meeting". PHP Group. 2005-11-12. 2007-02-19.
  11. Dan Ragle. "Introduction to Perl's Taint Mode". webreference.com. 2006-04-18. 2007-03-21.
  12. "Locking Ruby in the Safe". Programming Ruby. 2014-05-21. Archived 2009-05-30: https://web.archive.org/web/20090530082550/http://www.rubycentral.com/book/taint.html
  13. Joel Spolsky. "Making Wrong Code Look Wrong". Joel on Software: Painless Software Management. 2005-05-11. 2007-02-19.