magic quotes
   HOME

TheInfoList



OR:

Magic quotes was a feature of the
PHP PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. The PHP reference implementation is now produced by The PHP Group. ...
scripting language A scripting language or script language is a programming language that is used to manipulate, customize, and automate the facilities of an existing system. Scripting languages are usually interpreted at runtime rather than compiled. A scripting ...
, wherein strings are automatically escaped—special characters are prefixed with a
backslash The backslash is a typographical mark used mainly in computing and mathematics. It is the mirror image of the common slash . It is a relatively recent mark, first documented in the 1930s. History , efforts to identify either the origin of ...
—before being passed on. It was introduced to help newcomers write functioning SQL commands without requiring manual escaping. It was later described as intended to prevent inexperienced developers from writing code that was vulnerable to
SQL injection In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL in ...
attacks. This feature was officially deprecated as of PHP 5.3.0 and removed in PHP 5.4, due to security concerns.


Concept

The current revision of the PHP manual mentions that the rationale behind magic quotes was to "help
revent Emily Sophie Hastings Brooke (born November 1985) is a British inventor, industrial designer and entrepreneur known for having developed the Beryl (formerly Blaze) Laserlights used for Santander Cycles (the London bike rental scheme). Beryl ...
code written by beginners from being dangerous." It was however originally introduced in PHP 2 as a php.h compile-time setting for msql, only escaping single quotes, "making it easier to pass form data directly to msql queries". It originally was intended as a "convenience feature, not as security feature." The use scope for magic quotes was expanded in PHP 3. Single quotes, double quotes, backslashes and null characters in all user-supplied data all have a backslash prepended to them before being passed to the script in the $_GET, $_REQUEST, $_POST and $_COOKIE global variables. Developers can then in theory use string concatenation to construct safe SQL queries with data provided by the user. (This was most accurate when PHP 2 and PHP 3 were current, since the primary supported databases allowed only 1-byte character sets.)


Criticism

Magic quotes were enabled by default in new installations of PHP 3 and 4, but could be disabled through the magic_quotes_gpc configuration directive. Since the operation of magic quotes was behind the scenes and not immediately obvious, developers may have been unaware of their existence and the potential problems that they could introduce. The PHP documentation pointed out several pitfalls and recommended that, despite being enabled by default, they should be disabled. Problems with magic quotes included: * Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software. * Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database, protected by magic quotes, and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly. * Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode-aware and is still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters, are preferred. * While many database management systems support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash. * Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or vice versa. * Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary amount of performance overhead. * Magic quotes do not protect against other common security vulnerabilities such as
cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability m ...
attacks or SMTP header injection attacks. In November 2005 the core PHP developers decided that because of these problems, the magic quotes feature would be removed from PHP 6. When development of PHP 6 stalled and development continued on the 5.x branch instead, the feature was deprecated in PHP 5.3.0 and removed in 5.4.


Other approaches

* Some languages such as
Perl Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages. "Perl" refers to Perl 5, but from 2000 to 2019 it also referred to its redesigned "sister language", Perl 6, before the latter's name was offic ...
and
Ruby A ruby is a pinkish red to blood-red colored gemstone, a variety of the mineral corundum ( aluminium oxide). Ruby is one of the most popular traditional jewelry gems and is very durable. Other varieties of gem-quality corundum are called ...
opt for an approach involving data tainting, where data from untrusted sources, such as user input, are considered "tainted" and can not be used for dangerous operations until explicitly marked as trustworthy, usually after validation or encoding. Since the construction of SQL queries is considered "dangerous" in this context, this forces the programmer to address the problem. Tainting does not solve the problem, but it does highlight those instances where there is a problem so that the programmer is able to solve them appropriately. *
Joel Spolsky Avram Joel Spolsky (born 1965) is a software engineer and writer. He is the author of ''Joel on Software'', a blog on software development, and the creator of the project management software Trello. He was a Program Manager on the Microsoft Exce ...
has suggested using a form of Hungarian notation that indicates whether data are safe or unsafe. * Modern database engines and libraries use parameterised queries to pass data to the database separately from SQL commands, greatly reducing the need to escape data before constructing the queries.


See also

* Leaning toothpick syndrome


References

{{Reflist, 30em


External links


PHP manual on magic quotes
PHP software