Magic quotes
From Wikipedia, the free encyclopedia

Magic quotes is a controversial feature of the PHP scripting language, which was introduced to help newcomers write functioning SQL commands without requiring manual escaping. It was later described and widely misinterpreted as help to prevent inexperienced developers from writing code which is vulnerable to SQL injection attacks. This feature is officially deprecated as of PHP 5.3.0, and removed in PHP 5.4 due to security concerns.[1]

Concept

The current revision of the PHP manual mentions that the rationale behind magic quotes is to "help [prevent] code written by beginners from being dangerous."[2] It was, however, originally introduced in PHP2 as a php.h compile-time setting for msql, escaping only single quotes, "making it easier to pass form data directly to msql queries"[3]. It was originally intended as a "convenience feature, not as security feature."[4][5]

The use scope was expanded in PHP3. Single quotes, double quotes, backslashes and null characters in all user-supplied data have a backslash prepended to them before being passed to the script in the $_GET, $_REQUEST, $_POST and $_COOKIE global variables. Developers can then in theory use string concatenation safely to construct SQL queries with data provided by the user. (This was true at best around PHP2 and PHP3, when the primarily supported databases only allowed 1-byte character sets.)

Criticism

Magic quotes were enabled by default in new installations of PHP3 and 4, and since their operation is behind the scenes and not immediately obvious, developers may be unaware of their existence and the potential problems that they can introduce. The PHP documentation points out several pitfalls and recommends that, despite being enabled by default, they should be disabled.[6]

Problems with magic quotes include:
• Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.[7]
• Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database — protected by magic quotes — and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
• Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode aware and still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters are preferred.[8][9]
• While many DBMS support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash.
• Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or the other way round.
• Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary performance overhead.
• Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.

In November 2005 the core PHP developers decided on account of these problems that the magic quotes feature would be removed from PHP 6.[10]

Other approaches

• Some languages such as Perl[11] and Ruby[12] opt for an approach involving data tainting, where data from untrusted sources, such as user input, are considered "tainted" and can not be used for dangerous operations until explicitly marked as trustworthy, usually after validation and/or encoding. Since the construction of SQL queries is considered "dangerous" in this context, this forces the programmer to address the problem. Tainting does not solve the problem, but it does highlight those instances where there is a problem so that the programmer is able to solve them appropriately.
• Joel Spolsky has suggested using a form of Hungarian notation that indicates whether data are safe or unsafe.[13]
• Modern database engines and libraries use parameterised queries to pass data to the database separately from SQL commands, greatly reducing the need to escape data before constructing the queries.

References

[1] "PHP: Magic Quotes". http://php.net/manual/en/security.magicquotes.php. Retrieved 2009-05-02.
[2] "PHP: Why use magic quotes?". PHP documentation. http://uk.php.net/manual/en/security.magicquotes.why.php. Retrieved 2007-02-19.
[3] "If the MAGIC_QUOTES variable is defined in the php.h file then these quotes will be automatically escaped making it easier to pass form data directly to msql queries.". http://www.php.net/manual/phpfi2.php#msql_support. Retrieved 1997-04-23.
[4] "Magic Quotes is oft-understood, even by journeymen PHP programmers". http://www.gthelp.com/showpost.php?s=1f2dcfbf42564c12dcc84d35cbedfc4d&p=184969&postcount=3.
[5] "Re: [PHP3] what are magic_quotes?". PHP-dev mailing list. http://marc.info/?l=php-general&m=93575922621574&w=2. Retrieved 1999-08-27.
[6] "PHP: Why not to use magic quotes". PHP documentation. http://uk.php.net/manual/en/security.magicquotes.whynot.php. Retrieved 2007-02-19.
[7] "Quotation marks are double escaped when editing a comment". WordPress issue tracker. http://trac.wordpress.org/ticket/2768. Retrieved 2007-02-19.
[8] Chris Shiflett. "addslashes() versus mysql_real_escape_string()". http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string. Retrieved 2007-02-19.
[9] MySQL AB. "Changes in release 5.0.22 (24 May 2006)". MySQL 5.0 Reference Manual. http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html. Retrieved 2007-02-19.
[10] PHP Group (2005-11-12). "Minutes PHP Developers Meeting". http://www.php.net/~derick/meeting-notes.html#magic-quotes. Retrieved 2007-02-19.
[11] Dan Ragle (2006-04-18). "Introduction to Perl's Taint Mode". webreference.com. http://www.webreference.com/programming/perl/taint/. Retrieved 2007-03-21.
[12] "Locking Ruby in the Safe". Programming Ruby. http://www.rubycentral.com/book/taint.html. Retrieved 2007-03-21.
[13] Joel Spolsky (2005-05-11). "Making Wrong Code Look Wrong". Joel on Software: Painless Software Management. http://www.joelonsoftware.com/articles/Wrong.html. Retrieved 2007-02-19.
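As an added example, not part of the Wikipedia article or of PHP itself: the following Python models the addslashes() transformation that magic quotes applied to request data (the Concept section), reproduces two of the criticisms above (stray backslashes in output that never reaches a database, and no protection on a database that follows the SQL standard of doubling quotes, here SQLite), and places the parameterised query from the Other approaches section beside them. The function names, the sample form submission and the sample user row are constructed for the example.

```python
import sqlite3

def addslashes(s: str) -> str:
    """Python model of PHP's addslashes(), the transformation magic quotes applied
    to every incoming GET/POST/COOKIE value: a backslash is prepended to ' " \\
    and NUL (NUL is written out as the two characters \\0)."""
    out = []
    for ch in s:
        if ch == "\0":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def magic_quotes_gpc(request: dict) -> dict:
    """Model of magic_quotes_gpc=On: the script never sees the raw user value."""
    return {key: addslashes(value) for key, value in request.items()}

def greet(escaped_name: str) -> str:
    """First criticism: a value that was never headed for a database is shown
    to the user with the stray backslash still in it."""
    return "Hello, " + escaped_name

def build_db() -> sqlite3.Connection:
    """Constructed sample table with one user whose name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES (?)", ("O'Brien",))
    return conn

def lookup_concat(conn: sqlite3.Connection, escaped_name: str):
    """Magic-quotes style: trust the pre-escaped value and concatenate it into the
    SQL text. SQLite doubles quotes instead of backslash-escaping them, so the
    backslash is ordinary data, the literal ends early and the statement fails."""
    sql = "SELECT name FROM users WHERE name = '" + escaped_name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)

def lookup_param(conn: sqlite3.Connection, raw_name: str):
    """Parameterised query: the value travels separately from the SQL text, so
    nothing has to be escaped and nothing has to be un-escaped later."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (raw_name,)).fetchall()
```

Passing the magic-quoted value to lookup_param() finds no row at all, which is the portability problem in miniature: once a value has been escaped for one consumer it no longer matches anywhere else.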
External links
• PHP manual on magic quotes
Retrieved from "http://en.wikipedia.org/w/index.php?title=Magic_quotes&oldid=446053967"
This page was last modified on 21 August 2011 at 22:02.