What are Magic Quotes?
Magic Quotes, generally speaking, is the process of escaping special characters with a '' to allow a string to be entered into a database. This is considered 'magic' because PHP can do this automatically for you if you have magic_quotes_gpc turned on.
More specifically if magic_quotes_gpc is turned on for the copy of PHP you are using all Get, Post & Cookie variables (gpc, get it?) in PHP will already have special characters like ", ' and escaped so it is safe to put them directly into an SQL query.
In effect, this is the same as running addslashes() on every variable passed from the browser automatically, before you even see them.
Finding out if you're using Magic Quotes
To find out if you have magic quotes enabled, you can check the php.ini file directly or run a simple test in PHP. If you don't have administrative access to the server that your site is hosted on, skip past the php.ini example and go straight to the PHP test below.
To check the php.ini, first you have to find it. Normally, the php.ini file will be located in /usr/local/lib/ if PHP was compiled from source, or it will be in /etc/ if PHP was installed from a binary package.
Failing either of these locations, you can always cheat and run a:
0001 find / -name php.ini 2>/dev/null
on the server to find the file in question.
After you've located the php.ini file, go ahead and run a grep against it for the option in question, like this:
0001 grep magic_quotes_gpc php.ini
You should get back one line; I get this because I have shut off magic quotes:
0001 magic_quotes_gpc = Off ; magic quotes for incoming GET/POST/Cookie data
If your line shows 'On', obviously magic quotes are enabled on your system.
If you don't have access to the php.ini file on your system, a simple test to run to find out if magic quotes is enabled or not is this simple PHP script:
Bring this script up in your browser and click the submit button. If the resulting page has one slash, magic quotes are off. If there are two, magic quotes is on. Simple. You can see what this script does on my server here.
Magic Quote Advantages
Having magic quotes turned on has some advantages. As I see them, here they are:
You can forget to put an addslashes() call around submitted variables and not have your SQL query fail.
You can skip adding slashes manually altogether to keep your code less cluttered.
Magic Quote Disadvantages
Having magic quotes turned on has lots of disadvantages. As I see them, here they are:
Any code using SQL written for PHP 3.x.x has to be examined to remove addSlashes calls.
Cases where form submissions are sent back to the browser must have the slashes removed manually with a call to stripslashes().
If magic quotes are ever turned off for this server, or the code is moved to a server where magic quotes isn't enabled your scripts will fail. Or worse, not fail immediately and only exhibit strange behaviour.
Any string operations on submitted variables, even simple 'if' statements must take into account the possiblity of slashes warping in the content.
Magic quotes breeds developer sloppyness. Escaping variables inserted into an SQL query (in my opinion) is something that a developer should know and think about. Not just assume everything is dandy.
Enabling / Disabling Magic Quotes
Magic quotes may be enabled or disabled in the php.ini file (see above) simply by changing the value of the magic_quotes_gpc from On to Off, or Off to On. If you do not have access to the php.ini file, inquire with the System administrator for your host and ask about having Magic quotes turned on or off. This may be done on a per-directory basis with the proper configuration.
Default Magic Quote Settings
By default magic_quotes_gpc was turned off in all 3.x.x versions of PHP. However, all PHP 4.x.x versions have this option turned on by default. To insert a little bit of personal opinion I think this was a horrible mistake because I feel that magic_quotes_gpc is problimatic in professional applications, and encourages sloppy programming behaviour. That is however just my opinion, and the FACT is that probably the version of PHP you are using has this option on by default.
No comments:
Post a Comment