Why is enabling magic_quotes_gpc in PHP considered bad practice?

+3
6 answers

I don't think I can explain it better than the creators of PHP themselves (the following points are from this page: Why not use Magic Quotes):

  • Portability. Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance. Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling the escaping functions (such as addslashes()) at runtime is more efficient. Although php.ini-development enables these directives by default, php.ini-production disables them. This recommendation is mainly due to performance reasons.
  • Inconvenience. Because not all data needs escaping, it is often annoying to see escaped data where it should not be. For example, emailing from a form and seeing a bunch of \' within the email. To fix this, excessive use of stripslashes() may be required.

Note. This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

+13

According to the article What are Magic Quotes GPC (magic_quotes_gpc) in PHP and php.ini?, there are many disadvantages:

  • Cases in which form submissions are sent back to the browser must have the slashes removed manually by calling stripslashes().
  • If magic quotes are ever disabled on this server, or the code moves to a server where magic quotes are not turned on, your scripts will fail. Or, even worse, they will not fail immediately but will exhibit strange behaviour.
  • Any string operations on the submitted variables, even simple "if" statements, must take into account the possibility of stray slashes in the content.
  • Magic quotes breed developer laziness. Escaping the variables inserted into an SQL query is (in my opinion) something the developer should know and think about. Don't just assume that everything is dandy.
+3

Because someone can move your script to a server where this option is not enabled, instantly opening hundreds of holes in your application. In addition, too many people believe that enabling magic quotes makes your application safe. It does not. You still need to examine and validate every piece of input that goes into your application. Even if you have no problems with quotes, you can still run into cross-site scripting problems, etc.

Plus the fact that the feature is being removed in future versions of PHP.

+2

Because leaving it off makes you write more secure code.

If Mr. O'Malley comes to register on your site, magic_quotes_gpc will turn his last name into O\'Malley, and when you insert it into the database, everything will be fine.

The problem is that magic_quotes comes from addslashes(), which does not necessarily match the escaping your database system needs. O'Malley may work, but it is also possible to bypass that escaping and perform SQL injection.

If magic_quotes is not enabled, you get the string O'Malley, and it will break the SQL statement, for example

 INSERT INTO users (...) VALUES (...,'O'Malley',...) 

Note that the string actually ends after O.

Plus, it's better because: if you were, say, sending an email with his name in it, you would have to call stripslashes() for no reason. If you don't, you get an email to Mr. O\'Malley.

(Of course, for REALLY safe database handling code, you want to use parameterized queries, as that is the best way to prevent SQL injection. And if you parameterize, you don't want the slashes anyway, so it is a waste of time for PHP to add them.)

+2
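To make the O'Malley example concrete, here is an added example; it is not part of this or any other answer on the page. It emulates PHP's addslashes() and stripslashes() in Python (the PHP names are kept for readability), runs three insert strategies against an in-memory SQLite table, and finishes with the injection that only the parameterized form blocks. The POST body, the users table and the payload are constructed for the demo. SQLite stands in for the database, which also illustrates the point above that addslashes()-style backslash escaping is not what every database engine expects: SQLite, like standard SQL, only recognises a doubled quote.

```python
"""Added example: what magic_quotes_gpc did to request data, and why that is
not a substitute for parameterized queries. PHP's addslashes()/stripslashes()
are emulated in Python; the database is an in-memory SQLite table."""
import sqlite3


def addslashes(s: str) -> str:
    """Emulates PHP addslashes(): backslash-escape ' " \\ and NUL.
    This is what magic_quotes_gpc applied to every GET/POST/COOKIE value."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s: str) -> str:
    """Emulates PHP stripslashes(): the inverse of addslashes()."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def magic_quotes_gpc(request: dict) -> dict:
    """Emulates the directive: every incoming value arrives already escaped."""
    return {k: addslashes(v) for k, v in request.items()}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_concat(conn, name):
    """The answer's broken statement: the raw value spliced into the SQL text."""
    conn.execute("INSERT INTO users (name) VALUES ('" + name + "')")


def insert_addslashes(conn, name):
    """What magic quotes bought you: a backslash-escaped value spliced into the
    SQL. Backslash escaping is a MySQL habit; SQLite only recognises a doubled
    quote, so this still fails on O'Malley."""
    conn.execute("INSERT INTO users (name) VALUES ('" + addslashes(name) + "')")


def insert_param(conn, name):
    """Parameterized query: the driver never mixes data into the SQL text."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def try_insert(strategy, name):
    """Run one insert strategy on a fresh table.
    Returns ("ok", stored_value) or ("error", message)."""
    conn = make_db()
    try:
        strategy(conn, name)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", conn.execute("SELECT name FROM users").fetchone()[0])


def find_concat(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_param(conn, name):
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    post = {"name": "O'Malley"}            # constructed sample POST body
    seen = magic_quotes_gpc(post)          # what the script saw with the directive on
    raw = post["name"]
    results = {
        "as_received": seen["name"],                  # O\'Malley
        "double_escaped": addslashes(seen["name"]),   # escaped twice: O\\\'Malley
        "email_forgot_stripslashes": "Dear Mr. " + seen["name"],
        "email_with_stripslashes": "Dear Mr. " + stripslashes(seen["name"]),
        "insert_concat": try_insert(insert_concat, raw),
        "insert_addslashes": try_insert(insert_addslashes, raw),
        "insert_param": try_insert(insert_param, raw),
    }
    # Magic quotes never made you safe: string-built queries stay injectable,
    # parameterized ones are not.
    conn = make_db()
    for name in ("alice", "bob"):
        insert_param(conn, name)
    payload = "' OR '1'='1"                # constructed injection payload
    results["lookup_concat"] = sorted(find_concat(conn, payload))
    results["lookup_param"] = find_param(conn, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value!r}")
```

Running it shows the raw and the addslashes()-escaped insert both failing with a syntax error on SQLite, the parameterized insert storing exactly O'Malley, the email greeting reading "Dear Mr. O\'Malley" unless stripslashes() is called, and the string-built lookup returning every user for the payload while the parameterized lookup returns nothing.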

"Magic quotes" were an attempt by PHP to hold developers' hands and stop them from shooting themselves in the foot with SQL injection when they didn't know any better. It is deprecated in PHP 5.3 and will be removed in PHP 6.

I say it's better to be explicit and escape what needs escaping, rather than escaping everything and doing unnecessary work on things that will never go into the database. Magic quotes create as many (or more) problems than they solve, trying to protect people who should know better.

http://us3.php.net/manual/en/security.magicquotes.php

+1

Very simple.
Imagine that you want to send user data by email. Or put the username from a cookie into a form input. Do you think it would be nice to have names like Bob? Buffalo? I don't think so.

0