PHP Doku:: Why not to use Magic Quotes - security.magicquotes.whynot.html

Verlauf / Chronik / History: (1) anzeigen

Sie sind hier:
Doku-StartseitePHP-HandbuchSicherheitMagic QuotesWhy not to use Magic Quotes

Ein Service von Reinhard Neidl - Webprogrammierung.

Magic Quotes

<<Why did we use Magic Quotes

Disabling Magic Quotes>>

Why not to use Magic Quotes

Warnung

Dieses Feature ist seit PHP 5.3.0 DEPRECATED (veraltet). Sich auf dieses Feature zu verlassen ist in keiner Weise empfehlenswert.


6 BenutzerBeiträge:
- Beiträge aktualisieren...
Albin Mrtensson
9.09.2010 15:46
This is what I use to handle magic quotes

<?php

if (get_magic_quotes_gpc()) {
    function
strip_array($var) {
        return
is_array($var)? array_map("strip_array", $var):stripslashes($var);
    }

   
$_POST = strip_array($_POST);
   
$_SESSION = strip_array($_SESSION);
   
$_GET = strip_array($_GET);
}

?>
anze
14.10.2008 0:23
Another reason against it: security. You could be lulled in a feeling of false security if you have magic_quotes=On on a test server and Off on production server.

And another: readability of the code. If you want to be portable you need to resort to some weird solution, outlines on these pages (if (get_magic_quotes())...).

Let's hope magic_quotes soon goes to history together with safe_mode and similar "kind-of-security" (but in reality just a nuisance) inventions.
estoesunapija at hotmail dot com
15.09.2008 19:26
<?php

//One could use array_walk, altough i think it was fun
//and simple doing it this way.

 
class oop {

     
//toObject        : Transforms an array into an object filtering it
      //$source         : Array to transform
      //$currentLevel : See $maxLevels
      //$maxLevels   : Protect the system in case of lots of recursion
      //                     i.e. <input type="text" name="test[][]....[N]"

     
public static function toObject($source=array(),$array=array(),$maxLevels=3,$currentLevel=0) {

         if ( !
sizeof($source) || ($currentLevel > $maxLevels) ) return FALSE;

        
$array   =  (sizeof($array)) ? $array : $source;
        
$obj     =  new stdClass();

         foreach (
$array as $k => $v){

            if (
is_array($v)) {

              
$obj->$k self::toObject($source,$v,$maxLevels,++$currentLevel);

               continue;

            }

           
//Assign to the object $obj, the key and the value of the actual value of $source

           
$obj->$k=$v;

         }

         return
$obj;

      }

   }

  
/* Eexamples

      $post    =  oop::toObject($_POST)   ;
      $get     =  oop::toObject($_GET)    ;
      $session =  oop::toObject($_SESSION);

      var_dump ($post)   ;
      var_dump ($get)    ;
      var_dump ($session);

   */

?>
sir dot steve dot h+php at gmail dot com
7.12.2007 5:45
I find it useful to define a simple utility function for magic quotes so the application functions as expected regardless of whether magic_quotes_gpc is on:

function strip_magic_slashes($str)
{
    return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}

Which can be annoying to add the first time you reference every $_GET /$_POST/$_COOKIE variable, but it prevents you from demanding your users to change their configurations.
rjh at netcraft dot com
13.06.2007 11:50
Additionally, addslashes() is not a cure-all against SQL injection attacks. You should use your database's dedicated escape function (such as mysql_escape_string) or better yet, use parameterised queries through mysqli->prepare().

11.02.2006 22:47
It is also important to disable Magic Quotes while in development enivronment. For the reasons mentioned above, not everybody is using Magic Quotes.

An application that works fine with Magic Quotes enabled may have security problems (ie can be subject to SQL attacks) when distributed.



PHP Powered Diese Seite bei php.net
The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License © the PHP Documentation Group - Impressum - mail("TO:Reinhard Neidl",...)