Magic quotes
Magic quotes is a controversial feature of the PHP scripting language, introduced to help newcomers write functioning SQL commands without requiring manual escaping. It was later described, and widely misinterpreted, as a means of preventing inexperienced developers from writing source code that is vulnerable to SQL injection attacks. The feature was officially deprecated as of PHP 5.3.0 and removed in PHP 5.4 because of these security concerns.

Concept

The current revision of the PHP manual states that the rationale behind magic quotes is to "help [prevent] code written by beginners from being dangerous". The feature was, however, originally introduced in PHP2 as a php.h compile-time setting for mSQL, and it escaped only single quotes, "making it easier to pass form data directly to msql queries". It was originally intended as a "convenience feature, not as [a] security feature".

The scope was expanded in PHP3. Single quotes, double quotes, backslashes and NUL bytes in all user-supplied data have a backslash prepended to them before the data reach the script through the $_GET, $_POST, $_COOKIE and $_REQUEST superglobals (the magic_quotes_gpc setting). In theory, developers can then use string concatenation to construct SQL queries from user-provided data without further escaping. That was true at best around PHP2 and PHP3, when the primarily supported databases only handled single-byte character sets; the escaping is byte-oriented and breaks down with multi-byte encodings.

Criticism

Magic quotes were enabled by default in new installations of PHP3 and PHP4, and because they operate behind the scenes and are not immediately obvious, developers may be unaware of their existence and of the problems they can introduce. The PHP documentation points out several pitfalls and recommends that, despite being enabled by default, they be disabled.

Problems with magic quotes include:
  • Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.
  • Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database — protected by magic quotes — and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
  • Magic quotes rely on the generic functionality of PHP's addslashes function, which operates on bytes, is not aware of the connection's character encoding, and remains subject to SQL injection in some multi-byte encodings (such as GBK), where the inserted backslash can be absorbed into a valid multi-byte character and leave the quote unescaped. Database-specific functions such as mysql_real_escape_string, which know the connection's character set, or, where possible, prepared queries with bound parameters are preferred.
  • While many DBMSs support escaping a quote with a backslash, the SQL standard escapes a single quote by doubling it (''). Magic quotes offer no protection for databases that are not set up to treat a backslash as an escape character.
  • Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or the other way round.
  • Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary performance overhead.
  • Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.
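The following is an added example, not code from the PHP project or from the original article. It emulates in Python, byte for byte, the transformation magic_quotes_gpc applied to request data (PHP's addslashes), splices the result into a query the way the Concept section describes, and then decodes that query as a database connection would under two character sets. It serves both the Concept section and the multi-byte bullet above: the user names, the query text and the GBK payload are constructed for the example, and the encoding names are Python codec names.

```python
# Added example: emulate PHP's magic_quotes_gpc transform (addslashes) and show
# why it only holds for single-byte character sets.

# Bytes that addslashes() prefixes with a backslash: ' " \ and NUL.
ESCAPED = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte emulation of PHP's addslashes(), the function magic quotes applied."""
    return b"".join(ESCAPED.get(b, bytes([b])) for b in data)


def build_query(user_name: bytes) -> bytes:
    """Concatenate 'magic-quoted' input into SQL, the pattern the feature was meant to make safe."""
    return b"SELECT * FROM users WHERE name = '" + addslashes(user_name) + b"'"


def count_unescaped_quotes(query: bytes, encoding: str) -> int:
    """Decode the query as a connection using `encoding` would and count the
    single quotes that act as string delimiters (not preceded by a backslash).
    A correctly built query has exactly two: the ones around the literal."""
    text = query.decode(encoding)
    count = 0
    escaped = False  # True while the previous character was an escaping backslash
    for ch in text:
        if ch == "\\" and not escaped:
            escaped = True
            continue
        if ch == "'" and not escaped:
            count += 1
        escaped = False
    return count


def breaks_out(user_name: bytes, encoding: str) -> bool:
    """True when the input terminates the string literal early under the given encoding."""
    return count_unescaped_quotes(build_query(user_name), encoding) > 2


# Constructed inputs for the example.
BENIGN = b"O'Reilly"                  # a legitimate apostrophe
CLASSIC = b"' OR 1=1 -- "             # single-byte attempt, neutralised by the backslash
GBK_PAYLOAD = b"\xbf' OR 1=1 -- "     # 0xbf27 is not a GBK character, but 0xbf5c is

if __name__ == "__main__":
    print(addslashes(BENIGN))  # b"O\\'Reilly"
    for enc in ("latin-1", "gbk"):
        for label, payload in (("classic", CLASSIC), ("gbk", GBK_PAYLOAD)):
            print(f"{enc:8} {label:8} breaks out: {breaks_out(payload, enc)}")
```

Under latin-1 both payloads stay inside the literal: the backslash that addslashes inserted before the quote is read as an escape. Under GBK the same bytes 0xbf 0x5c 0x27 decode as one two-byte character followed by a bare quote, so the backslash is consumed by the character and the quote ends the literal. This is why escaping must be done with knowledge of the connection's character set, or avoided altogether with bound parameters.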


In November 2005 the core PHP developers decided, on account of these problems, that the magic quotes feature would be removed from PHP 6; the removal eventually shipped in PHP 5.4.

Other approaches

  • Some languages such as Perl and Ruby opt for an approach involving data tainting, where data from untrusted sources, such as user input, are considered "tainted" and cannot be used for dangerous operations until explicitly marked as trustworthy, usually after validation and/or encoding. Since the construction of SQL queries is considered "dangerous" in this context, this forces the programmer to address the problem. Tainting does not solve the problem, but it does highlight those instances where there is a problem so that the programmer is able to solve them appropriately.
  • Joel Spolsky has suggested using a form of Hungarian notation that indicates whether data are safe or unsafe.
  • Modern database engines and libraries use parameterised queries to pass data to the database separately from SQL commands, greatly reducing the need to escape data before constructing the queries.
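The following is an added example, not the article's or PHP's own code, showing the last point above together with the second-order case from the Criticism section: the same lookup written by concatenation and with a bound parameter, run against a constructed in-memory SQLite table through Python's sqlite3 module. The table, its rows and the payload are constructed for the example.

```python
import sqlite3

# Constructed sample rows and payload for the example.
SEED = [("alice", "alice@example.org"), ("bob", "bob@example.org")]
PAYLOAD = "' OR 1=1 -- "


def make_db() -> sqlite3.Connection:
    """In-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so a quote in it ends the literal."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the value travels separately from the SQL text and is never parsed as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def second_order(conn: sqlite3.Connection, stored_name: str) -> list:
    """Store a name correctly (bound parameter), then reuse the stored value by
    concatenation in a later query. Escaping applied at the request boundary,
    magic quotes included, does nothing for data that comes back out of the database."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (stored_name, "mallory@example.org"))
    (name,) = conn.execute(
        "SELECT name FROM users WHERE email = ?", ("mallory@example.org",)
    ).fetchone()
    return lookup_concat(conn, name)


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "alice"))   # one row
    print(lookup_concat(db, PAYLOAD))   # every row: the WHERE clause became '' OR 1=1
    print(lookup_param(db, PAYLOAD))    # no rows: nobody is literally named "' OR 1=1 -- "
    print(second_order(db, PAYLOAD))    # every row again, this time via the stored value
```

With a bound parameter the payload is compared as an ordinary string and matches nothing; the driver never has to escape it, so neither the character-set problem nor the backslash-versus-doubled-quote problem arises. The second-order call shows why escaping at the input boundary is the wrong layer: the value was stored faithfully, and the injection happens when it is concatenated on the way back in.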

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.