Magic Quotes - Criticism

Criticism

Magic quotes were enabled by default in new installations of PHP 3 and 4, and since their operation was behind the scenes and not immediately obvious, developers may have been unaware of their existence and the potential problems that they could introduce. The PHP documentation pointed out several pitfalls and recommended that, despite being enabled by default, they should be disabled.

Problems with magic quotes included:

  • Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.
  • Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database, protected by magic quotes, and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
  • Magic quotes also use the generic functionality provided by PHP's addslashes function, which is not Unicode-aware and is still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string or, where possible, prepared queries with bound parameters, are preferred.
  • While many database management systems support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash.
  • Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or vice versa.
  • Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary amount of performance overhead.
  • Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.

In November 2005 the core PHP developers decided that because of these problems, the magic quotes feature would be removed from PHP 6.

Read more about this topic:  Magic Quotes

Famous quotes containing the word criticism:

    Nothing would improve newspaper criticism so much as the knowledge that it was to be read by men too hardy to acquiesce in the authoritative statement of the reviewer.
    Richard Holt Hutton (1826–1897)

    Unless criticism refuses to take itself quite so seriously or at least to permit its readers not to, it will inevitably continue to reflect the finicky canons of the genteel tradition and the depressing pieties of the Culture Religion of Modernism.
    Leslie Fiedler (b. 1917)

    When you overpay small people you frighten them. They know that their merits or activities entitle them to no such sums as they are receiving. As a result their boss soars out of economic into magic significance. He becomes a source of blessings rather than wages. Criticism is sacrilege, doubt is heresy.
    Ben Hecht (1893–1964)