On Wed, Jul 13, 2011 at 9:50 PM, Moshe, Sam <sam.mo...@tmng.com> wrote:
> I'm sure this has been discussed, but I'm new here, and uncertain as to
> where to go to get caught up.
> What's so wrong with magic quotes that they need to be removed from the
> language entirely?
>
> Links of advice would be helpful.
> Thanks.
>

for starters:
http://php.net/manual/en/security.magicquotes.whynot.php
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

there are 3 major problems:
- magic_quotes is magic: it is implicit, you didn't know or care about
it, but if your code depends on it and you didn't check whether it is
turned on or not, your code will be vulnerable in the new environment.
- magic_quotes gives you a false sense of security, as it uses
addslashes, and that doesn't prevent the xss injections for example
- addslashes can save you from the sql injection related
vulnerabilities, but as it doesn't care about encodings and couldn't
possibly know what you are using for your db connection, it can be
circumvented:
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

so it is better than nothing, but it isn't a 100% safe solution, and it
prevents the users from learning the proper way to secure their
applications.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
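
The two failure modes listed in the reply above, as an added example that is not part of the original thread or of PHP itself: a small Python re-implementation of PHP's addslashes(), run once under a single-byte charset and once under GBK (the connection charset used in the linked Shiflett post), plus the XSS case. The 0xBF byte, the GBK assumption and the SQL fragment are constructed for the illustration; has_unescaped_quote() is a stand-in for how a server parses the statement in its connection charset, not a real MySQL routine.

```python
# Added example, not from the original PHP internals thread: a Python
# re-implementation of PHP's addslashes() used to show the two weaknesses
# discussed above. The 0xBF byte and the GBK connection charset follow the
# linked Shiflett post; the SQL fragment and payloads are constructed here.
import html


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte imitation of PHP's addslashes(): it prefixes ' " \\ with a
    backslash and turns NUL into \\0. It never looks at the character set,
    which is the whole problem."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way a database would when the connection
    charset is `charset` (simplified stand-in for the server's parser), then
    scan for a single quote that is not protected by a backslash. True means
    the quote would terminate the SQL literal early."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                       # backslash escapes the next char
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


def build_query(escaped_username: bytes) -> bytes:
    """The magic_quotes-era pattern: concatenate the 'escaped' value into SQL."""
    return b"SELECT * FROM users WHERE username = '" + escaped_username + b"'"


def xss_survives_addslashes(payload: bytes) -> bool:
    """addslashes() changes nothing in a payload that contains no quotes,
    backslashes or NULs, so a script tag passes straight through."""
    return addslashes(payload) == payload


def html_escape_for_output(payload: bytes) -> str:
    """What actually neutralises the payload for HTML: escaping at output time."""
    return html.escape(payload.decode("ascii"))


# Constructed samples.
HOSTILE_SQL = b"\xbf'"                  # GBK lead byte 0xBF, then a single quote
XSS_PAYLOAD = b"<script>alert(1)</script>"


if __name__ == "__main__":
    escaped = addslashes(HOSTILE_SQL)   # addslashes only sees bytes: b"\xbf\\'"
    # Under a single-byte charset the backslash still protects the quote.
    print("latin-1:", has_unescaped_quote(escaped, "latin-1"))
    # Under GBK, 0xBF 0x5C decodes as one character and swallows the backslash,
    # leaving the quote free to close the literal.
    print("gbk:    ", has_unescaped_quote(escaped, "gbk"))
    print(build_query(escaped).decode("gbk"))
    # XSS: addslashes() is a no-op here; only HTML escaping at output time helps.
    print(xss_survives_addslashes(XSS_PAYLOAD))
    print(html_escape_for_output(XSS_PAYLOAD))
```

The point the example makes is that addslashes() produces the same bytes regardless of what the database will decode them as; whether the inserted backslash still protects the quote is decided by the connection charset, which addslashes() cannot know. That is why the linked post recommends an escaping function tied to the connection (or, better, sending parameters separately from the SQL text), and why the XSS case needs output-side HTML escaping instead.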

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
