From 4bf92d5985decf9efbe7bd6de836d8f722d54e3d Mon Sep 17 00:00:00 2001 From: Philip Olson Date: Tue, 7 Sep 2004 17:20:21 +0000 Subject: [PATCH] Rewrote and expanded text, fixed build, implemented simplesect instead of sect1 (all this belongs on one page), and used itemized lists. git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@168141 c90b9560-bf6c-de11-be94-00142212c4b1 --- security/magicquotes.xml | 202 +++++++++++++++++++++++++++------------ 1 file changed, 140 insertions(+), 62 deletions(-) diff --git a/security/magicquotes.xml b/security/magicquotes.xml index ca2d33d043..af84fabd29 100644 --- a/security/magicquotes.xml +++ b/security/magicquotes.xml 
@@ -1,80 +1,158 @@ - + Magic Quotes - Magic Quotes is a process which automatically escapes all incoming data to a PHP script. + Magic Quotes is a process that automagically escapes incoming data to the + PHP script. It's preferred to code with magic quotes off and to instead + escape the data at runtime, as needed. - - - You should NOT rely on this feature. It is strongly prefered to turn this off, and deal with - user input properly. - - - + What are Magic Quotes - When on, all ' (single-quote), " (double quote), - \ (backslash) and NULL characters are escaped with a - backslash automatically. + When on, all ' (single-quote), " + (double quote), \ (backslash) and NULL + characters are escaped with a backslash automatically. This is identical + to what addslashes does. - Magic Quotes has 3 Modes of operation. + There are three magic quote directives: - - magic_quotes_gpc. This affects GET, POST and COOKIE - data. This information is populated by the end users of the script. - - - magic_quotes_runtime. If enabled, most functions - that return data from any sort of external source including databases and text files will have - quotes escaped with a backslash. - - - magic_quotes_sybase. If enabled, a single-quote - is escaped with a single-quote instead of a backslash. - - - This setting will completely override magic_quotes_gpc. Having both directives enabled means - only single quotes are escaped as ''. Double quotes, backslashes and NULL's - will remain untouched and unescaped. - - + + + + magic_quotes_gpc + + + Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at + runtime, and defaults to on in PHP. + + + See also get_magic_quotes_gpc. + + + + + magic_quotes_runtime + + + If enabled, most functions that return data from an external source, + including databases and text files, will have quotes escaped with a + backslash. Can be set at runtime, and defaults to on + in PHP. + + + See also set_magic_quotes_runtime and + get_magic_quotes_runtime. 
+ + + + + magic_quotes_sybase + + + If enabled, a single-quote is escaped with a single-quote instead of a + backslash. If on, it completely overrides + magic_quotes_gpc. Having + both directives enabled means only single quotes are escaped as + ''. Double quotes, backslashes and NULL's will + remain untouched and unescaped. + + + See also ini_get for retrieving its value. + + + + - + Why use Magic Quotes - - Magic-quotes were implemented in PHP to reduce code written by beginners from being dangerous. - - - Magic Quotes are enabled by default. - - - If you disable magic quotes, you must be very careful to protect yourself from - SQL Injection Attacks. - - + + + + Useful for beginners + + + Magic quotes are implemented in PHP to help code written by beginners + from being dangerous. Although + SQL Injection + is still possible with magic quotes on, the risk is reduced. + + + + + Convenience + + + For inserting data into a database, magic quotes essentially runs + addslashes on all Get, Post, and Cookie data, + and does so automagically. + + + + - + Why not to use Magic Quotes - - Portability, performance, etc. - - + + + + Portability + + + Assuming it to be on, or off, affects portability. Use + get_magic_quotes_gpc to check for this, and code + accordingly. + + + + + Performance + + + Because not every piece of escaped data is inserted into a + database, there is a performance loss for escaping all this data. + Simply calling on the escaping functions (like + addslashes) at runtime is more efficient. + + + Although php.ini-dist enables these directives + by default, php.ini-recommended disables it. + This recommendation is mainly due to performance reasons. + + + + + Inconvenience + + + Because not all data needs escaping, it's often annoying to see escaped + data where it shouldn't be. For example, emailing from a form, and + seeing a bunch of \' within the email. To fix, this may require + excessive use of stripslashes. 
+ + + + - + Disabling Magic Quotes - Optimally, Magic Quotes should be disabled server side. + The magic_quotes_gpc + directive may only be disabled at the system level, and not at + runtime. In otherwords, use of ini_set is not + an option. Disabling magic quotes server side - Set the value of magic_quotes_gpc and magic_quotes_runtime to Off in the - php.ini. + An example that sets the value of these directives to + Off in &php.ini;. For additional details, read the + manual section titled How to + change configuration settings. - If you do not have access to the server config, you can put this - line in a ".htaccess" file. This will disable magic_quotes. + If access to the server configuration is unavilable, use of + .htaccess is also an option. For example: - In the interests of writing portable code (code that works - in any environment), or, if you do not have access to change - php.ini, you may wish to disable the effects of magic quotes - on a per-script basis. + In the interest of writing portable code (code that works in any + environment), like if setting at the server level is not possible, + here's an example to disable + magic_quotes_gpc at runtime. This method is inefficient so + it's preferred to instead set the appropriate directives elsewhere. @@ -133,8 +212,7 @@ if (get_magic_quotes_gpc()) { - - +
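Review bot: the "Disabling Magic Quotes" text in the first hunk contradicts itself: the opening paragraph states that magic_quotes_gpc "may only be disabled at the system level, and not at runtime", yet the closing paragraph introduces "an example to disable magic_quotes_gpc at runtime". Since the runtime code (the "if (get_magic_quotes_gpc()) {" block referenced in the second hunk's context) can only undo the escaping after it has happened, reword the latter to something like "here's an example to undo the effects of magic_quotes_gpc at runtime", so readers do not expect the directive itself to change. Also in this hunk: "unavilable" should be "unavailable", "In otherwords" should be "In other words", "to help code written by beginners from being dangerous" reads better as "to keep code written by beginners from being dangerous", and the Convenience item's "Get, Post, and Cookie" should match the "GET, POST, and COOKIE" spelling used in the magic_quotes_gpc entry. Finally, the removed warning ("You should NOT rely on this feature") has no replacement in the new introduction; given the new text's own admission that SQL Injection "is still possible with magic quotes on", consider keeping a one-sentence caution up front that magic quotes is not a substitute for escaping data properly at the point of use.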