Programming - By Thomas Rutter

Magic Quotes Headaches

I am frequently amazed and/or frustrated when I encounter online applications which have problems with Magic Quotes and string escaping. Even commercial PHP applications I use on a daily basis have such problems. The most common symptom is that backslashes (\) end up appearing throughout content. For example:

What\'s the slash for?

However, there are other, less obvious problems caused by bad handling of quotes and escaping that can be more serious. Not escaping code that is sent in a database query can, of course, equate to an SQL injection vulnerability, one of the most common and more severe security holes in PHP applications.

For the uninitiated, Magic Quotes is a feature of PHP that can automatically escape strings that are input to PHP. For example, quotes (' or ") are escaped with a preceding backslash (\' or \"). Other characters such as NULL characters and backslashes are also escaped.

I believe that the introduction of Magic Quotes was a mistake made by the developers of PHP – a mistake that developers are still paying for. While many PHP installations now have turned off all Magic Quotes functionality, some PHP installations still enable them for backwards-compatibility, so the problems persist.

So, what exactly are my problems with Magic Quotes, anyway?

The Name

The name ‘Magic Quotes’ is hardly self-explanatory. ‘Magic’ doesn’t help describe its meaning at all, and the ‘quotes’ part is misleading. A more appropriate name for this troublesome feature would be ‘Automatic String Escaping’. It’s not just quotes that are escaped by the process.

Magic Quotes were intended to make scripts safer for beginners. However, the name ‘Magic Quotes’ is mystifying to beginners. Its existence also helps prevent beginners from learning why strings must be escaped in SQL.

Different Types

As if it wasn’t confusing enough, there are three different types of ‘Magic Quotes’ settings in PHP, described in the PHP manual.

The most common type is magic_quotes_gpc, which adds slashes to variables submitted to the PHP application via GET, POST or a cookie.

Application Developers Need to Know if it’s Turned On

The fact that the Magic Quotes settings can be turned on and off is a major problem. If it were either always on or always off, the problem would not be as severe.

It is crucial for application developers to know whether magic_quotes_gpc or magic_quotes_runtime are turned on when coding. If magic_quotes_gpc is turned on, and a programmer assumes it is turned off and does the string escaping himself, he will end up with the dreaded ‘extra slashes’ in his content. If magic_quotes_gpc is off, and the programmer assumes it is turned on, he leaves himself vulnerable to SQL injections.
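To make the two mismatches concrete, here is an added example (not code from the article) that simulates them. addslashes() applies the same escaping that magic_quotes_gpc applied to request data (quotes, backslashes and NUL bytes get a backslash), and stripslashes() is its inverse, which is what a database does when it parses a quoted literal. The sample inputs are constructed; the function names are this example's own.

```php
<?php
// Added example: what ends up inside an SQL string literal under each
// combination of server setting and developer assumption.

// Constructed sample inputs: the apostrophe case from the article and a
// value containing a backslash, which magic quotes also escapes.
$inputs = [
    "What's the slash for?",
    'C:\\temp\\file',
];

// The request value as PHP hands it to the script.
function arriving_value(string $raw, bool $magic_quotes_on): string {
    return $magic_quotes_on ? addslashes($raw) : $raw;
}

// What the developer places between the quotes of the SQL literal.
// Assuming magic quotes is OFF, the developer escapes once more;
// assuming it is ON, the value is inserted exactly as received.
function sql_literal_body(string $arriving, bool $developer_assumes_on): string {
    return $developer_assumes_on ? $arriving : addslashes($arriving);
}

// What the database stores after parsing the literal: one level of
// backslash escaping is removed (stripslashes is the inverse of addslashes).
function stored_value(string $literal_body): string {
    return stripslashes($literal_body);
}

function outcome(string $raw, bool $magic_quotes_on, bool $developer_assumes_on): string {
    $literal = sql_literal_body(arriving_value($raw, $magic_quotes_on), $developer_assumes_on);
    if ($magic_quotes_on === $developer_assumes_on) {
        return 'correct:       stored "' . stored_value($literal) . '"';
    }
    if ($magic_quotes_on) {
        // Escaped twice: the database keeps one backslash per special character.
        return 'extra slashes: stored "' . stored_value($literal) . '"';
    }
    // Not escaped at all: a quote or backslash in the input reaches the SQL
    // parser and terminates the literal early. This is the injection case.
    return 'unescaped:     literal body "' . $literal . '"';
}

foreach ($inputs as $raw) {
    foreach ([true, false] as $on) {
        foreach ([true, false] as $assumes) {
            printf("%-24s gpc=%-3s assumes=%-3s -> %s\n",
                $raw, $on ? 'on' : 'off', $assumes ? 'on' : 'off',
                outcome($raw, $on, $assumes));
        }
    }
}
```

Because the script uses addslashes() to stand in for the server setting rather than reading a real magic_quotes_gpc directive, it runs on any PHP version, including ones where magic quotes no longer exist.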

There is no way to disable magic_quotes_gpc in a script, because the damage has already been done. However, it is possible to detect whether it is turned on or off and act accordingly. In a previous blog post (as well as in his book), Harry describes a way for developers to create code that works whether magic_quotes_gpc is turned on or off. This code can be inserted somewhere in your application (near the start):


// Is magic quotes on?
if (get_magic_quotes_gpc()) {

    // Yes? Strip the added slashes. stripslashes() is not recursive, so
    // descend into nested arrays (e.g. a checkbox[] field) rather than
    // handing sub-arrays to stripslashes via a flat array_map.
    function stripslashes_deep($value) {
        return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
    }

    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);

}

Rather than increasing security or simplifying the process of escaping strings for use in SQL commands, Magic Quotes gives developers additional headaches. In some situations it creates annoying bugs or security vulnerabilities, namely when the script is run on a PHP installation whose setting differs from the one the developer expected.

In this article, Harry Fuecks examines the problem in depth. In a glorious irony, the application hosting the article has its own problems related to Magic Quotes – the slashes in the code samples (see for example the green text) are missing!

For now, I would recommend that developers do their own string escaping, as if magic quotes is off, and use the above code to strip the additional slashes resulting from a PHP installation where magic quotes is on.
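The recommended pattern, carried through end to end as an added example (not the article's or Harry Fuecks's code): request data is normalised once, at the start, to the "magic quotes off" form, and escaping happens once, at the point where a value is placed into SQL. The request and the server settings are simulated so the script runs anywhere; addslashes() stands in for the database driver's escaping function, and all function names are this example's own.

```php
<?php
// Added example: normalise once, escape once, and the resulting query is
// identical whether the server had magic_quotes_gpc on or off.

// Recursive strip. The flat array_map('stripslashes', ...) form passes a
// nested array such as tags[] to stripslashes and loses it.
function strip_magic_quotes($value) {
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}

// True only on PHP builds where magic quotes can still be enabled (the
// feature was removed in PHP 5.4; get_magic_quotes_gpc() itself is gone
// in PHP 8). The @ silences the deprecation notice on PHP 7.4.
function magic_quotes_active(): bool {
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Normalise an incoming request array to the "magic quotes off" form.
// Real code passes magic_quotes_active(); the demo below passes a flag.
function normalize_request(array $gpc, bool $magic_quotes_on): array {
    return $magic_quotes_on ? strip_magic_quotes($gpc) : $gpc;
}

// Escape once, at the point of use. addslashes stands in for the driver's
// escaping function (e.g. mysqli_real_escape_string); prepared statements
// would remove this step entirely.
function sql_literal(string $value): string {
    return "'" . addslashes($value) . "'";
}

function build_insert(array $request): string {
    $tags = array_map('sql_literal', $request['tags']);
    return sprintf("INSERT INTO posts (title, tags) VALUES (%s, %s)",
        sql_literal($request['title']), implode(', ', $tags));
}

// Simulates magic_quotes_gpc, which applied addslashes recursively to the
// request before the script ran.
function apply_magic_quotes($value) {
    return is_array($value) ? array_map('apply_magic_quotes', $value) : addslashes($value);
}

// Constructed request exactly as the browser sent it (no escaping yet).
$browser_sent = [
    'title' => "What's the slash for?",
    'tags'  => ['php', "o'reilly", 'back\\slash'],
];

$queries = [];
foreach ([false, true] as $server_setting) {
    $received  = $server_setting ? apply_magic_quotes($browser_sent) : $browser_sent;
    $queries[] = build_insert(normalize_request($received, $server_setting));
    echo 'magic_quotes_gpc=', $server_setting ? 'on ' : 'off', ': ', end($queries), "\n";
}
echo $queries[0] === $queries[1] ? "identical on both settings\n" : "MISMATCH\n";
```

The nested tags array is the case the plain array_map version gets wrong; with the recursive strip, each element is escaped exactly once in the final query regardless of the server setting.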
