Why not to use Magic Quotes

  • Portability Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
  • Inconvenience Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().

Коментарии

Автор:
It is also important to disable Magic Quotes while in development enivronment. For the reasons mentioned above, not everybody is using Magic Quotes.

An application that works fine with Magic Quotes enabled may have security problems (ie can be subject to SQL attacks) when distributed.
2006-02-11 15:47:15
http://php5.kiev.ua/manual/ru/security.magicquotes.whynot.html
Additionally, addslashes() is not a cure-all against SQL injection attacks. You should use your database's dedicated escape function (such as mysql_escape_string) or better yet, use parameterised queries through mysqli->prepare().
2007-06-13 05:50:42
http://php5.kiev.ua/manual/ru/security.magicquotes.whynot.html
I find it useful to define a simple utility function for magic quotes so the application functions as expected regardless of whether magic_quotes_gpc is on:

function strip_magic_slashes($str)
{
    return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}

Which can be annoying to add the first time you reference every $_GET /$_POST/$_COOKIE variable, but it prevents you from demanding your users to change their configurations.
2007-12-06 22:45:08
http://php5.kiev.ua/manual/ru/security.magicquotes.whynot.html
Автор:
Another reason against it: security. You could be lulled in a feeling of false security if you have magic_quotes=On on a test server and Off on production server. 

And another: readability of the code. If you want to be portable you need to resort to some weird solution, outlines on these pages (if (get_magic_quotes())...).

Let's hope magic_quotes soon goes to history together with safe_mode and similar "kind-of-security" (but in reality just a nuisance) inventions.
2008-10-13 18:23:55
http://php5.kiev.ua/manual/ru/security.magicquotes.whynot.html
Автор:
This is what I use to handle magic quotes

<?php

if (get_magic_quotes_gpc()) {
    function 
strip_array($var) {
        return 
is_array($var)? array_map("strip_array"$var):stripslashes($var);
    }

   
$_POST strip_array($_POST);
   
$_SESSION strip_array($_SESSION);
   
$_GET strip_array($_GET);
}

?>
2010-09-09 09:46:42
http://php5.kiev.ua/manual/ru/security.magicquotes.whynot.html

    Поддержать сайт на родительском проекте КГБ