Magic quotes

Last updated September 03, 2020 • 4 min readFrom Wikipedia, The Free Encyclopedia

Magic quotes was a feature of the PHP scripting language, wherein strings are automatically escaped —special characters are prefixed with a backslash —before being passed on. It was introduced to help newcomers write functioning SQL commands without requiring manual escaping. It was later described as intended to prevent inexperienced developers from writing code that was vulnerable to SQL injection attacks.

Concept

The current revision of the PHP manual mentions that the rationale behind magic quotes was to "help [prevent] code written by beginners from being dangerous."^[2] It was however originally introduced in PHP 2 as a php.h compile-time setting for msql, only escaping single quotes, "making it easier to pass form data directly to msql queries".^[3] It originally was intended as a "convenience feature, not as [a] security feature."^[4]^[5]

The use scope for magic quotes was expanded in PHP 3. Single quotes, double quotes, backslashes and null characters in all user-supplied data all have a backslash prepended to them before being passed to the script in the $_GET, $_REQUEST, $_POST and $_COOKIE global variables. Developers can then in theory use string concatenation to construct safe SQL queries with data provided by the user. (This was most accurate when PHP 2 and PHP 3 were current, since the primary supported databases allowed only 1-byte character sets.)

Criticism

Magic quotes were enabled by default in new installations of PHP 3 and 4, but could be disabled through the magic_quotes_gpc configuration directive. Since the operation of magic quotes was behind the scenes and not immediately obvious, developers may have been unaware of their existence and the potential problems that they could introduce. The PHP documentation pointed out several pitfalls and recommended that, despite being enabled by default, they should be disabled.^[6]

Problems with magic quotes included:

Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.^[7]
Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database, protected by magic quotes, and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode-aware and is still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters, are preferred.^[8]^[9]
While many database management systems support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash.
Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or vice versa.
Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary amount of performance overhead.
Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.

In November 2005 the core PHP developers decided that because of these problems, the magic quotes feature would be removed from PHP 6.^[10] When development of PHP 6 stalled and development continued on the 5.x branch instead, the feature was deprecated in PHP 5.3.0 and removed in 5.4.^[1]

Other approaches

Some languages such as Perl ^[11] and Ruby ^[12] opt for an approach involving data tainting, where data from untrusted sources, such as user input, are considered "tainted" and can not be used for dangerous operations until explicitly marked as trustworthy, usually after validation or encoding. Since the construction of SQL queries is considered "dangerous" in this context, this forces the programmer to address the problem. Tainting does not solve the problem, but it does highlight those instances where there is a problem so that the programmer is able to solve them appropriately.
Joel Spolsky has suggested using a form of Hungarian notation that indicates whether data are safe or unsafe.^[13]
Modern database engines and libraries use parameterised queries to pass data to the database separately from SQL commands, greatly reducing the need to escape data before constructing the queries.

Related Research Articles

MySQL is an open-source relational database management system (RDBMS). Its name is a combination of "My", the name of co-founder Michael Widenius's daughter, and "SQL", the abbreviation for Structured Query Language. A relational database organizes data into one or more data tables in which data types may be related to each other; these relations help structure the data. SQL is a language programmers use to create, modify and extract data from the relational database, as well as control user access to the database. In addition to relational databases and SQL, an RDBMS like MySQL works with an operating system to implement a relational database in a computer's storage system, manages users, allows for network access and facilitates testing database integrity and creation of backups.

Microsoft Access is a database management system (DBMS) from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user interface and software-development tools. It is a member of the Microsoft Office suite of applications, included in the Professional and higher editions or sold separately.

PHP is a general-purpose scripting language that is especially suited to web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994; the PHP reference implementation is now produced by The PHP Group. PHP originally stood for Personal Home Page, but it now stands for the recursive initialism PHP: Hypertext Preprocessor.

In computers, case sensitivity defines whether uppercase and lowercase letters are treated as distinct (case-sensitive) or equivalent (case-insensitive). For instance, when users interested in learning about dogs search an e-book, "dog" and "Dog" are of the same significance to them. Thus, they request a case-insensitive search. But when they search an online encyclopedia for information about the United Nations, they may prefer a case-sensitive search.

A string literal or anonymous string is a type of literal in programming for the representation of a string value within the source code of a computer program. Most often in modern languages this is a quoted sequence of characters, as in x = "foo", where "foo" is a string literal with value foo – the quotes are not part of the value, and one must use a method such as escape sequences to avoid the problem of delimiter collision and allow the delimiters themselves to be embedded in a string. However, there are numerous alternate notations for specifying string literals, particularly more complicated cases, and the exact notation depends on the individual programming language in question. Nevertheless, there are some general guidelines that most modern programming languages follow.

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Server-side refers to operations that are performed by the server in a client–server relationship in a computer network.

Oracle Application Express is a web-based software development environment that runs on an Oracle database. It is fully supported and comes standard with all Oracle Database editions and, starting with Oracle 11g, is installed by default as part of the core database install.

Code injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example by allowing computer worms to propagate.

The following tables compare general and technical information for a number of relational database management systems. Please see the individual products' articles for further information. Unless otherwise specified in footnotes, comparisons are based on the stable versions without any add-ons, extensions or external programs.

The Microsoft Jet Database Engine is a database engine on which several Microsoft products have been built. The first version of Jet was developed in 1992, consisting of three modules which could be used to manipulate a database.

Taint checking is a feature in some computer programming languages, such as Perl and Ruby, designed to increase security by preventing malicious users from executing commands on a host computer. Taint checks highlight specific security risks primarily associated with web sites which are attacked using techniques such as SQL injection or buffer overflow attack approaches.

In computer programming, leaning toothpick syndrome (LTS) is the situation in which a quoted expression becomes unreadable because it contains a large number of escape characters, usually backslashes ("\"), to avoid delimiter collision.

In software development, a leaky abstraction is an abstraction that leaks details that it is supposed to abstract away.

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network. Microsoft markets at least a dozen different editions of Microsoft SQL Server, aimed at different audiences and for workloads ranging from small single-machine applications to large Internet-facing applications with many concurrent users.

The following tables compare general and technical information for a number of available database administrator tools. Please see individual product articles for further information. This article is neither all-inclusive nor necessarily up to date.

The Doctrine Project is a set of PHP libraries primarily focused on providing persistence services and related functionality. Its prize projects are an object-relational mapper (ORM) and the database abstraction layer it is built on top of.

The MySQLi Extension is a relational database driver used in the PHP scripting language to provide an interface with MySQL databases.

In database management systems (DBMS), a prepared statement or parameterized statement is a feature used to execute the same or similar database statements repeatedly with high efficiency. Typically used with SQL statements such as queries or updates, the prepared statement takes the form of a template into which certain constant values are substituted during each execution.

The following outline is provided as an overview of and topical guide to MySQL:

References

1 2 "Magic Quotes". PHP Manual. PHP.net. Retrieved 2014-01-17.
↑ "PHP:Why use magic quotes?". PHP documentation. Retrieved 2007-02-19.
↑ "If the MAGIC_QUOTES variable is defined in the php.h file then these quotes will be automatically escaped making it easier to pass form data directly to msql queries" . Retrieved 2011-03-27.
↑ "Magic Quotes is oft-understood, even by journeymen PHP programmers".
↑ "Re: [PHP3] what are magic_quotes?". PHP-dev mailing list. 1999-08-27. Retrieved 2011-01-17.
↑ "PHP:Why not to use magic quotes". PHP documentation. Retrieved 2007-02-19.
↑ "Quotation marks are double escaped when editing a comment". WordPress issue tracker. Retrieved 2007-02-19.
↑ Chris Shiflett. "addslashes() versus mysql_real_escape_string()" . Retrieved 2007-02-19.
↑ MySQL AB. "Changes in release 5.0.22 (24 May 2006)". MySQL 5.0 Reference Manual. Archived from the original on 22 February 2007. Retrieved 2007-02-19.
↑ PHP Group (2005-11-12). "Minutes PHP Developers Meeting" . Retrieved 2007-02-19.
↑ Dan Ragle (2006-04-18). "Introduction to Perl's Taint Mode". webreference.com. Retrieved 2007-03-21.
↑ "Locking Ruby in the Safe". Programming Ruby. Archived from the original on 2009-05-30. Retrieved 2014-05-21.
↑ Joel Spolsky (2005-05-11). "Making Wrong Code Look Wrong". Joel on Software: Painless Software Management. Retrieved 2007-02-19.

External links

PHP manual on magic quotes

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] 1 2 "Magic Quotes". PHP Manual. PHP.net. Retrieved 2014-01-17.

[2] "PHP:Why use magic quotes?". PHP documentation. Retrieved 2007-02-19.

[3] "If the MAGIC_QUOTES variable is defined in the php.h file then these quotes will be automatically escaped making it easier to pass form data directly to msql queries" . Retrieved 2011-03-27.

[4] "Magic Quotes is oft-understood, even by journeymen PHP programmers".

[5] "Re: [PHP3] what are magic_quotes?". PHP-dev mailing list. 1999-08-27. Retrieved 2011-01-17.

[6] "PHP:Why not to use magic quotes". PHP documentation. Retrieved 2007-02-19.

[7] "Quotation marks are double escaped when editing a comment". WordPress issue tracker. Retrieved 2007-02-19.

[8] Chris Shiflett. "addslashes() versus mysql_real_escape_string()" . Retrieved 2007-02-19.

[9] MySQL AB. "Changes in release 5.0.22 (24 May 2006)". MySQL 5.0 Reference Manual. Archived from the original on 22 February 2007. Retrieved 2007-02-19.

[10] PHP Group (2005-11-12). "Minutes PHP Developers Meeting" . Retrieved 2007-02-19.

[11] Dan Ragle (2006-04-18). "Introduction to Perl's Taint Mode". webreference.com. Retrieved 2007-03-21.

[12] "Locking Ruby in the Safe". Programming Ruby. Archived from the original on 2009-05-30. Retrieved 2014-05-21.

[13] Joel Spolsky (2005-05-11). "Making Wrong Code Look Wrong". Joel on Software: Painless Software Management. Retrieved 2007-02-19.