Magic Quotes - Criticism

Criticism

Magic quotes were enabled by default in new installations of PHP 3 and 4, and since their operation was behind the scenes and not immediately obvious, developers may have been unaware of their existence and the potential problems that they could introduce. The PHP documentation pointed out several pitfalls and recommended that, despite being enabled by default, they should be disabled.

Problems with magic quotes included:

• Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.
• Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database, protected by magic quotes, and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
• Magic quotes also use the generic functionality provided by PHP's addslashes function, which is not Unicode-aware and is still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string or, where possible, prepared queries with bound parameters, are preferred.
• While many database management systems support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash.
• Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or vice versa.
• Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary amount of performance overhead.
• Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.

In November 2005 the core PHP developers decided that because of these problems, the magic quotes feature would be removed from PHP 6.