Comments on: Magic Quotes Headaches http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/ Sun, 20 Jul 2008 21:08:14 +0000 http://wordpress.org/?v=2.5 By: phpdevel http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-615426 phpdevel Mon, 28 Jan 2008 22:42:07 +0000 #comment-615426 A direct quote from PHP.net: "An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form." - http://us3.php.net/stripslashes NOTICE: magic_quotes_gpc is on BY DEFAULT!!!! A word of advice, do not make assumptions, check your PHP.ini using phpinfo() to determine your PHP configuration. Site Admins aren't necessarily PHP pros, and therefore may not understand PHP directives, and unwittingly make alterations to a default PHP.ini. As a developer every site is unique, look at this site, for example, they explicitly ask that you escape a post to this forum. (smart or not) security through obscurity? Check your own input... don't assume yours will behave the same as Joe's or Eddie's because they said thats how theirs was set up, so thats how yours will be set up. This is exactly my problem now, I was assuming my input was handled one way when in fact it was being handled another... didn't notice it until someone asked me about a formatting problem. oops (take my own advise) A direct quote from PHP.net:
“An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it’s on by default), and you aren’t inserting this data into a place (such as a database) that requires escaping. For example, if you’re simply outputting data straight from an HTML form.”
- http://us3.php.net/stripslashes

NOTICE: magic_quotes_gpc is on BY DEFAULT!!!! A word of advice, do not make assumptions, check your PHP.ini using phpinfo() to determine your PHP configuration. Site Admins aren’t necessarily PHP pros, and therefore may not understand PHP directives, and unwittingly make alterations to a default PHP.ini. As a developer every site is unique, look at this site, for example, they explicitly ask that you escape a post to this forum. (smart or not) security through obscurity? Check your own input… don’t assume yours will behave the same as Joe’s or Eddie’s because they said thats how theirs was set up, so thats how yours will be set up. This is exactly my problem now, I was assuming my input was handled one way when in fact it was being handled another… didn’t notice it until someone asked me about a formatting problem. oops (take my own advise)

]]> By: SoreGums http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-298202 SoreGums Mon, 09 Jul 2007 06:42:53 +0000 #comment-298202 Man I've run into major problems with magic quotes, thanks to the comments above from Ren its all fixed! Thanks... Man I can't wait to get my head around JBoss Seam - I've always tried to not do anything in PHP but this project needed to be producing results straight away and I had no choice but to start using PHP :( Man I’ve run into major problems with magic quotes, thanks to the comments above from Ren its all fixed!

Thanks…

Man I can’t wait to get my head around JBoss Seam - I’ve always tried to not do anything in PHP but this project needed to be producing results straight away and I had no choice but to start using PHP :(

]]> By: Dan http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-212421 Dan Tue, 27 Mar 2007 07:19:25 +0000 #comment-212421 PHP is one of the most incompetently designed languages ever. Sad but true. PHP is one of the most incompetently designed languages ever. Sad but true.

]]> By: John http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-209036 John Thu, 22 Mar 2007 04:30:23 +0000 #comment-209036 Stellar! Saved my ass, thanks for the stripslashes code. Stellar! Saved my ass, thanks for the stripslashes code.

]]> By: NoOne http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-36475 NoOne Tue, 11 Jul 2006 04:19:50 +0000 #comment-36475 From PHP Manual recursive stripslashes code: <code> if (get_magic_quotes_gpc()) { function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } $_POST = array_map('stripslashes_deep', $_POST); $_GET = array_map('stripslashes_deep', $_GET); $_COOKIE = array_map('stripslashes_deep', $_COOKIE); } </code> NoOne, From PHP Manual recursive stripslashes code:
if (get_magic_quotes_gpc()) { function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } $_POST = array_map('stripslashes_deep', $_POST); $_GET = array_map('stripslashes_deep', $_GET); $_COOKIE = array_map('stripslashes_deep', $_COOKIE); }

NoOne,

]]> By: NoOne http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-36471 NoOne Tue, 11 Jul 2006 04:15:15 +0000 #comment-36471 From PHP Manual recursive stripslashes code: <code></code> NoOne, From PHP Manual recursive stripslashes code:

NoOne,

]]> By: Dan http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-1921 Dan Wed, 31 Dec 1969 19:00:00 +0000 #comment-1921 <p>A little more in-depth treatment of this topic, including code to detect and reverse the effects of all three magic_quotes settings, can be found here:</p> <p>http://education.nyphp.org/phundamentals/PH_storingretrieving.php</p> A little more in-depth treatment of this topic, including code to detect and reverse the effects of all three magic_quotes settings, can be found here:

http://education.nyphp.org/phundamentals/PH_storingretrieving.php

]]> By: Alan Knowles http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-1922 Alan Knowles Wed, 31 Dec 1969 19:00:00 +0000 #comment-1922 <p>Yes Magic Quotes are evil :)<br /> The example code introduces nighmares for using any library that may interact with input variables (which is not usually a good idea anyway).</p> <p>It's far better to add this to the start of the application, than even bothering trying to deal with them..<br /> if (get_magic_quotes_gpc()) {<br /> trigger_error("Turn of magic quotes in php.ini / .htaccess or apache config", E_USER_ERROR);<br /> } <br /> </p> Yes Magic Quotes are evil :)
The example code introduces nighmares for using any library that may interact with input variables (which is not usually a good idea anyway).

It’s far better to add this to the start of the application, than even bothering trying to deal with them..
if (get_magic_quotes_gpc()) {
trigger_error(”Turn of magic quotes in php.ini / .htaccess or apache config”, E_USER_ERROR);
}

]]> By: Skunk http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-1923 Skunk Wed, 31 Dec 1969 19:00:00 +0000 #comment-1923 <p>The library thing is the killer as far as I'm concerned. Basically, the magic quotes issue makes it all but impossible to write code for other people to re-use (unless the code has no interactions at all with the outside world). If you write it expecting a specific setting for magic_quotes and the end user has a different setting you'll get horrible problems.</p> <p>Avoiding user input isn't a very pretty option either, since your library functions may be passed strings from input by the user which are in an "unknown" state - they might be escaped, they might not be. Alan's suggestion of dying if magic qutoes are on isn't a terrible idea, but if a user already has a large code base that expects the feature to be on they will be unable to use your library without a major rewrite (although maybe that's not a bad thing). That said, many users on shared hosting don't have access to php.ini OR htaccess files, and it's a little harsh expecting them to change hosts just to reuse your code.</p> <p>The most annoying thing about this all is that magic quotes is actually a very poor solution to the database escaping problem. Firstly, different databases have different escaping rules (I think SQL server requires quotes to be doubled up rather than backslash escaped). Secondly, a far, far more reliable way of safely escaping database variables used be pretty much databases access libraries for loads of other languages is to use something like this:</p> <p>$query = sql_query("select * from table where tag = ? and section = ?", $tag, $section);</p> <p>In magic quotes defence, if the above were used there would always be utterly clueless newbies who still stuck everything together using string concatenation and opened them up to vulnerabilities, but a decent sized warning against this on the manual page for the function would probably be enough to save all but the most hopeless of cases.</p> <p>This turned in to a bit of a rant, but magic quotes is one of the principle things that turned me away from PHP for large web application development (I use Python now) so it's something of a pet peeve!</p> The library thing is the killer as far as I’m concerned. Basically, the magic quotes issue makes it all but impossible to write code for other people to re-use (unless the code has no interactions at all with the outside world). If you write it expecting a specific setting for magic_quotes and the end user has a different setting you’ll get horrible problems.

Avoiding user input isn’t a very pretty option either, since your library functions may be passed strings from input by the user which are in an “unknown” state - they might be escaped, they might not be. Alan’s suggestion of dying if magic qutoes are on isn’t a terrible idea, but if a user already has a large code base that expects the feature to be on they will be unable to use your library without a major rewrite (although maybe that’s not a bad thing). That said, many users on shared hosting don’t have access to php.ini OR htaccess files, and it’s a little harsh expecting them to change hosts just to reuse your code.

The most annoying thing about this all is that magic quotes is actually a very poor solution to the database escaping problem. Firstly, different databases have different escaping rules (I think SQL server requires quotes to be doubled up rather than backslash escaped). Secondly, a far, far more reliable way of safely escaping database variables used be pretty much databases access libraries for loads of other languages is to use something like this:

$query = sql_query(”select * from table where tag = ? and section = ?”, $tag, $section);

In magic quotes defence, if the above were used there would always be utterly clueless newbies who still stuck everything together using string concatenation and opened them up to vulnerabilities, but a decent sized warning against this on the manual page for the function would probably be enough to save all but the most hopeless of cases.

This turned in to a bit of a rant, but magic quotes is one of the principle things that turned me away from PHP for large web application development (I use Python now) so it’s something of a pet peeve!

]]> By: Maarten Manders http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/#comment-1924 Maarten Manders Wed, 31 Dec 1969 19:00:00 +0000 #comment-1924 <p>Skunk, at http://www.php.net/mysql_real_escape_string#AEN89967 there is an example that does exactly what you suggested. Another (more tedious but faster) way would be formatting any data type manually with sprintf and mysql_real_escape_string.</p> Skunk, at http://www.php.net/mysql_real_escape_string#AEN89967 there is an example that does exactly what you suggested. Another (more tedious but faster) way would be formatting any data type manually with sprintf and mysql_real_escape_string.

]]>