Magic quotes

From Seo Wiki - Search Engine Optimization and Programming Languages
Jump to navigationJump to search

Magic quotes is a controversial feature of the PHP scripting language, intended to help prevent inexperienced developers from writing code which is vulnerable to SQL injection attacks. This feature is officially deprecated as of PHP 5.3.0, and removed in PHP 6 due to security concerns.[1]

Concept

The rationale behind magic quotes is to "help [prevent] code written by beginners from being dangerous."[2] Single quotes, double quotes, backslashes and null characters in all user-supplied data all have a backslash prepended to them before being passed to the script in the $_GET, $_REQUEST, $_POST and $_COOKIE global variables. Developers can then in theory use string concatenation safely to construct SQL queries with data provided by the user.

Criticism

Magic quotes are enabled by default in new installations of PHP, and since their operation is behind the scenes and not immediately obvious, developers may be unaware of their existence and the potential problems that they can introduce. The PHP documentation points out several pitfalls and recommends that, despite being enabled by default, they should be disabled.[3]

Problems with magic quotes include:

  • Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.[4]
  • Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database — protected by magic quotes — and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
  • Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode aware and still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters are preferred.[5][6]
  • While many DBMS support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash.
  • Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or the other way round.
  • Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary performance overhead.
  • Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.

In November 2005 the core PHP developers decided on account of these problems that the magic quotes feature would be removed from PHP 6.[7]

Other approaches

  • Some languages such as Perl[8] and Ruby[9] opt for an approach involving data tainting, where data from untrusted sources, such as user input, are considered "tainted" and can not be used for dangerous operations until explicitly marked as trustworthy, usually after validation and/or encoding. Since the construction of SQL queries is considered "dangerous" in this context, this forces the programmer to address the problem. Tainting does not solve the problem, but it does highlight those instances where there is a problem so that the programmer is able to solve them appropriately.
  • Joel Spolsky has suggested using a form of Hungarian notation that indicates whether data are safe or unsafe.[10]
  • Modern database engines and libraries use parametrised queries to pass data to the database separately from SQL commands, greatly reducing the need to escape data before constructing the queries.

References

  1. [{{Expansion depth limit exceeded||}} "PHP: Magic Quotes"]. {{Expansion depth limit exceeded||}}. Retrieved 2009-05-02. 
  2. [{{Expansion depth limit exceeded||}} "PHP:Why use magic quotes?"]. [{{Expansion depth limit exceeded|{{{Expansion depth limit exceeded}}} |{{Expansion depth limit exceeded|{{Expansion depth limit exceeded| http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid={{{Expansion depth limit exceeded}}} }}}} }} PHP documentation]. {{Expansion depth limit exceeded||}}. Retrieved 2007-02-19. 
  3. [{{Expansion depth limit exceeded||}} "PHP:Why not to use magic quotes"]. [{{Expansion depth limit exceeded|{{{Expansion depth limit exceeded}}} |{{Expansion depth limit exceeded|{{Expansion depth limit exceeded| http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid={{{Expansion depth limit exceeded}}} }}}} }} PHP documentation]. {{Expansion depth limit exceeded||}}. Retrieved 2007-02-19. 
  4. [{{Expansion depth limit exceeded||}} "Quotation marks are double escaped when editing a comment"]. [{{Expansion depth limit exceeded|{{{Expansion depth limit exceeded}}} |{{Expansion depth limit exceeded|{{Expansion depth limit exceeded| http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid={{{Expansion depth limit exceeded}}} }}}} }} WordPress issue tracker]. {{Expansion depth limit exceeded||}}. Retrieved 2007-02-19. 
  5. Chris Shiflett. [{{Expansion depth limit exceeded||}} "addslashes() versus mysql_real_escape_string()"]. {{Expansion depth limit exceeded||}}. Retrieved 2007-02-19. 
  6. MySQL AB. [{{Expansion depth limit exceeded||}} "Changes in release 5.0.22 (24 May 2006)"]. [{{Expansion depth limit exceeded|{{{Expansion depth limit exceeded}}} |{{Expansion depth limit exceeded|{{Expansion depth limit exceeded| http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid={{{Expansion depth limit exceeded}}} }}}} }} MySQL 5.0 Reference Manual]. {{Expansion depth limit exceeded||}}. Retrieved 2007-02-19. 
  7. PHP Group (2005-11-12). [{{Expansion depth limit exceeded||}} "Minutes PHP Developers Meeting"]. {{Expansion depth limit exceeded||}}. Retrieved 2007-02-19. 
  8. Dan Ragle (2006-04-18). [{{Expansion depth limit exceeded||}} "Introduction to Perl's Taint Mode"]. [{{Expansion depth limit exceeded|{{{Expansion depth limit exceeded}}} |{{Expansion depth limit exceeded|{{Expansion depth limit exceeded| http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid={{{Expansion depth limit exceeded}}} }}}} }} webreference.com]. {{Expansion depth limit exceeded||}}. Retrieved 2007-03-21. 
  9. [{{Expansion depth limit exceeded||}} "Locking Ruby in the Safe"]. [{{Expansion depth limit exceeded|{{{Expansion depth limit exceeded}}} |{{Expansion depth limit exceeded|{{Expansion depth limit exceeded| http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid={{{Expansion depth limit exceeded}}} }}}} }} Programming Ruby]. {{Expansion depth limit exceeded||}}. Retrieved 2007-03-21. 
  10. Joel Spolsky (2005-05-11). [{{Expansion depth limit exceeded||}} "Making Wrong Code Look Wrong"]. [{{Expansion depth limit exceeded|{{{Expansion depth limit exceeded}}} |{{Expansion depth limit exceeded|{{Expansion depth limit exceeded| http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid={{{Expansion depth limit exceeded}}} }}}} }} Joel on Software: Painless Software Management]. {{Expansion depth limit exceeded||}}. Retrieved 2007-02-19. 

External links

If you like SEOmastering Site, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Retrieved from "https://www.seomastering.com:443/w/index.php?title=Magic_quotes&oldid=15825"