PHP Is Losing Its Magic-Get Used to It Now

By: Steven Seiller


Recently I installed a PHP-based learning management system that required the PHP directive magic_quotes_gpc to be turned off before it would run. I knew that at some point I would need to restructure my PHP scripts to be compatible with the forthcoming PHP 6, but I hadn't planned on doing it anytime soon. This application's requirement forced me to deal with that reality sooner rather than later, and it also let me improve the security of my scripts right now.

"Any sufficiently badly-written science is indistinguishable from magic."

-Aaron Allston

A Little PHP History

When PHP was first developed, it was designed to make web scripting easier for novice developers. Indeed, the convenience of PHP was a big lure for me back in 2003 when I switched from Perl. The low-level CGI data handling that I needed in each Perl script was performed automatically in PHP, so I could focus more of my programming energy on the specific task of each script. While I came to PHP with programming experience, PHP 3 was developed specifically to lower those barriers for novices.

With PHP 4 came the realization that this novice convenience carried significant security weaknesses as its price. PHP development then began a progressive move toward safer data handling methods. To avoid losing the fledgling language's newfound market share, the original insecure mechanisms were kept, with warnings attached. Today PHP is maturing as a language with significant market share, and it no longer caters to the needs of absolute beginners.

Magic Quotes is a feature that embodies this transition. The magic_quotes_gpc directive (in case you don't know) automatically escapes the GET, POST and cookie data received by your PHP scripts, putting a backslash before every single quote, double quote, backslash and NUL byte, exactly as addslashes() would. (Its sibling, magic_quotes_runtime, toggled with set_magic_quotes_runtime(), does the same to data read back from files and databases.) The original intent of this automatic escaping was to help you avoid SQL injection attacks. That protection has long since been shown to be insufficient on its own: the escaping knows nothing about the database connection's character set, and it does nothing for values used outside quotes, such as numeric IDs. Yet the directive is still enabled on a significant number of servers, and many novice programmers are not even aware that it is happening for them. The other problem with Magic Quotes is that it escapes all of your incoming data whether you intend to send it to a database or not, forcing you to strip the slashes back out before you can use the data for any other purpose, such as displaying it on a page.
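The following is an added example, not code from the article: a script prologue that makes the rest of the script see raw input regardless of the server's magic_quotes_gpc setting, followed by escaping at the point of use, once for HTML output and once for the database. The $db connection handle, the users table and the surname column are assumptions for illustration; the O'Reilly input is constructed.

```php
<?php
// Added example (not from the original article). Assumptions: PHP 5.x, a
// hypothetical open mysql connection in $db or a PDO object in $pdo, and a
// hypothetical users(id, surname) table. Sample input is constructed below.

/**
 * Undo magic_quotes_gpc escaping on a string or a (nested) array of strings,
 * so the rest of the script always works with the raw user input.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        // array_map with a single array preserves string keys.
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Strip only if the server actually added the slashes: running stripslashes()
// on raw data would silently eat legitimate backslashes typed by the user.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample input: what a browser would submit for a surname with a
// quote in it. With Magic Quotes left in place this would read O\'Reilly.
$surname = isset($_POST['surname']) ? $_POST['surname'] : "O'Reilly";

// Presentational use: escape for HTML, which has nothing to do with SQL.
echo '<p>Hello, ' . htmlspecialchars($surname, ENT_QUOTES, 'UTF-8') . "</p>\n";

/**
 * Database use with the mysql extension: escape for this specific connection
 * (so the connection's character set is honoured) at the moment the value
 * enters the query text, not when it arrives at the script.
 */
function build_lookup_query($db, $surname)
{
    return "SELECT id FROM users WHERE surname = '"
         . mysql_real_escape_string($surname, $db) . "'";
}

/**
 * The same lookup as a PDO prepared statement: the value is sent separately
 * from the SQL text, so no escaping is needed at all.
 */
function lookup_user(PDO $pdo, $surname)
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE surname = :surname');
    $stmt->execute(array(':surname' => $surname));
    return $stmt->fetchColumn();
}
```

Strip only when get_magic_quotes_gpc() reports true; on a server with the directive already off, an unconditional stripslashes() would corrupt legitimate input. Once every script begins this way, setting magic_quotes_gpc = Off in php.ini changes nothing else, and the migration is effectively done before the server is upgraded.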

PHP 5.3.0, released June 30, 2009, deprecated the magic_quotes_gpc directive. Magic Quotes still functions in this version, but if it is enabled you will see a warning at startup that the directive is deprecated; it is slated for removal altogether in PHP 6. Currently there is no scheduled release date for PHP 6, but many speculate that it may happen sometime in 2010. This means that you will definitely need to revise any scripts relying on Magic Quotes before you can upgrade to PHP 6.

I recommend that you get out your project list right now and add this item. If you are thinking only about PHP 6, you may feel you have some time before you need to tackle it, but you may also, like me, want to install a forward-thinking, secure package that forces the change on you. Below is a checklist to assess the use of Magic Quotes on your server, along with some tips for readying your scripts.





Keywords
PHP, MYSQL, Magic Quotes, ini, phpinfo, magic_quotes_gpc, get_magic_quotes_gpc, stripslashes, mysql_real_escape_string, escape, sql injection attack, php 6, register_globals, safe_mode