![]() When development of PHP 6 stalled and development continued on the 5.x branch instead, the feature was deprecated in PHP 5.3.0 and removed in 5.4. In November 2005 the core PHP developers decided that because of these problems, the magic quotes feature would be removed from PHP 6. Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary amount of performance overhead.Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or vice versa.Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash. While many database management systems support escaping quotes with a backslash, the standard actually calls for using another quote.Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters, are preferred. Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode-aware and is still subject to SQL injection vulnerabilities in some multi-byte character encodings.The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly. For instance, a user-supplied value might be inserted into a database, protected by magic quotes, and later retrieved from the database and used in a subsequent database operation. Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes.This bug often creeps into even widely used software. This can result in backslashes being added where they are not wanted and being shown to the end user. They may be rendered directly to the screen, stored in a session, or previewed before saving. Not all data that are supplied by the user are intended for insertion into a database.The PHP documentation pointed out several pitfalls and recommended that, despite being enabled by default, they should be disabled. Since the operation of magic quotes was behind the scenes and not immediately obvious, developers may have been unaware of their existence and the potential problems that they could introduce. Magic quotes were enabled by default in new installations of PHP 3 and 4, but could be disabled through the magic_quotes_gpc configuration directive. ![]() (This was most accurate when PHP 2 and PHP 3 were current, since the primary supported databases allowed only 1-byte character sets.) ![]() Developers can then in theory use string concatenation to construct safe SQL queries with data provided by the user. Single quotes, double quotes, backslashes and null characters in all user-supplied data all have a backslash prepended to them before being passed to the script in the $_GET, $_REQUEST, $_POST and $_COOKIE global variables. The use scope for magic quotes was expanded in PHP 3. It originally was intended as a "convenience feature, not as security feature." The current revision of the PHP manual mentions that the rationale behind magic quotes was to "help code written by beginners from being dangerous." It was however originally introduced in PHP 2 as a php.h compile-time setting for msql, only escaping single quotes, "making it easier to pass form data directly to msql queries". ![]() This feature was officially deprecated as of PHP 5.3.0 and removed in PHP 5.4, due to security concerns. It was later described as intended to prevent inexperienced developers from writing code that was vulnerable to SQL injection attacks. It was introduced to help newcomers write functioning SQL commands without requiring manual escaping. Magic quotes was a feature of the PHP scripting language, wherein strings are automatically escaped-special characters are prefixed with a backslash-before being passed on.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |