aidan           Tue Sep  7 11:11:46 2004 EDT

  Modified files:              
    /phpdoc/en/security magicquotes.xml 
  Log:
  General structure defined. More work required - please make additions.
  
http://cvs.php.net/diff.php/phpdoc/en/security/magicquotes.xml?r1=1.1&r2=1.2&ty=u
Index: phpdoc/en/security/magicquotes.xml
diff -u phpdoc/en/security/magicquotes.xml:1.1 phpdoc/en/security/magicquotes.xml:1.2
--- phpdoc/en/security/magicquotes.xml:1.1      Tue Sep  7 10:29:21 2004
+++ phpdoc/en/security/magicquotes.xml  Tue Sep  7 11:11:46 2004
@@ -1,20 +1,112 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.1 $ -->
+<!-- $Revision: 1.2 $ -->
   <chapter id="security.magicquotes">
    <title>Magic Quotes</title>
+
    <para>
-    Magic-quotes was added to reduce code written by beginners from being dangerous.
-    If you disable magic quotes, you must be very careful to protect yourself from
-    SQL injection attacks.
+    Magic Quotes is a process which automatically escapes all incoming data to a PHP 
script.
    </para>
+   <warning>
+    <para>
+     You should NOT rely on this feature. It is strongly prefered to turn this off, 
and deal with
+     user input properly.
+    </para>
+   </warning>
+
+   <sect1 id="security.magicquotes.what">
+    <title>What are Magic Quotes</title>
+    <para>
+     When on, all <literal>'</literal> (single-quote), <literal>"</literal> (double 
quote),
+     <literal>\</literal> (backslash) and <literal>NULL</literal> characters are 
escaped with a
+     backslash automatically.
+    </para>
+    <para>
+     Magic Quotes has 3 Modes of operation.
+    </para>
+    <para>
+     <link linkend="ini.magic_quotes_gpc">magic_quotes_gpc</link>. This affects GET, 
POST and COOKIE
+     data. This information is populated by the end users of the script.
+    </para>
+    <para>
+     <link linkend="ini.magic_quotes_runtime">magic_quotes_runtime</link>.  If 
enabled, most functions
+     that return data from any sort of external source including databases and text 
files will have
+     quotes escaped with a backslash.
+    </para>
+    <para>
+     <link linkend="ini.magic_quotes_sybase">magic_quotes_sybase</link>. If enabled, 
a single-quote
+     is escaped with a single-quote instead of a backslash.
+    </para>
+    <para>
+     This setting will completely override magic_quotes_gpc. Having both directives 
enabled means
+     only single quotes are escaped as <literal>''</literal>. Double quotes, 
backslashes and NULL's
+     will remain untouched and unescaped. 
+    </para>
+   </sect1>
+
+   <sect1 id="security.magicquotes.why">
+    <title>Why use Magic Quotes</title>
+    <para>
+     Magic-quotes were implemented in PHP to reduce code written by beginners from 
being dangerous.
+    </para>
+    <para>
+     Magic Quotes are enabled by default.
+    </para>
+    <para>
+     If you disable magic quotes, you must be very careful to protect yourself from
+     <link linkend="security.database.sql-injection">SQL Injection Attacks</link>.
+    </para>
+   </sect1>
+
+   <sect1 id="security.magicquotes.whynot">
+    <title>Why not to use Magic Quotes</title>
+    <para>
+     Portability, performance, etc.
+    </para>
+   </sect1>
 
    <sect1 id="security.magicquotes.disabling">
     <title>Disabling Magic Quotes</title>
     <para>
+     Optimally, Magic Quotes should be disabled server side.
+    </para>
+    <para>
+     <example>
+      <title>Disabling magic quotes server side</title>
+      <para>
+       Set the value of magic_quotes_gpc and magic_quotes_runtime to Off in the
+       php.ini.
+      </para>
+      <screen>
+<![CDATA[
+; Magic quotes
+;
+
+; Magic quotes for incoming GET/POST/Cookie data.
+magic_quotes_gpc = Off
+
+; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
+magic_quotes_runtime = Off
+
+; Use Sybase-style magic quotes (escape ' with '' instead of \').
+magic_quotes_sybase = Off
+]]>
+      </screen>
+      <para>
+       If you do not have access to the server config, you can put this
+       line in a ".htaccess" file. This will disable magic_quotes.
+      </para>
+      <screen>
+<![CDATA[
+php_value magic_quotes_gpc Off
+]]>
+      </screen>
+     </example>
+    </para>
+    <para>
      In the interests of writing portable code (code that works
      in any environment), or, if you do not have access to change
      php.ini, you may wish to disable the effects of magic quotes
-     on a per-script basis. This can be done several different ways.
+     on a per-script basis.
     </para>
     <para>
      <example>
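Review bot: The .htaccess snippet near the end of the hunk turns off only magic_quotes_gpc, while the php.ini listing just above it sets all three directives to Off; a reader who follows the per-directory route will still have magic_quotes_runtime escaping data read back from databases and files, which is the case the "what" section describes. Suggest extending the snippet to `php_flag magic_quotes_gpc Off` and `php_flag magic_quotes_runtime Off` (php_flag is the Apache directive intended for boolean ini settings; php_value with "Off" appears to work too, so this part is stylistic). The "Why use Magic Quotes" section also reads as if disabling the feature is what creates SQL-injection exposure, which sits oddly beside the warning at the top that says not to rely on it; a wording such as "Whether or not magic quotes are enabled, data used in a query must be escaped with the escaping function of the database in use" would make the two sections agree. Minor: "prefered" in the warning and "NULL's" in the sybase paragraph are typos.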
@@ -41,6 +133,7 @@
       </programlisting>
      </example>
     </para>
+
    </sect1>
 
   </chapter>
