Request #3441 Magicquotes is not good.
Submitted: 2000-02-09 23:33 UTC Modified: 2000-02-16 18:16 UTC
From: eric at friesen dot org Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 3.0.14 OS: RedHat Linux 6.1
Private report: No CVE-ID: None
 [2000-02-09 23:33 UTC] eric at friesen dot org
Magicquotes behaves in a very awkward manner. Magicquotes keeps on generating more and more backslashes in your variables if you use them in forms or in outputting HTML where you normally only want them for use in MySQL functions for example. In PERL you can formulate your SQL like so:

# Perl DBI: prepare the statement once, then bind the value at execute time
$SQL_COMMAND = "select * from table where field like ?";
$sth = $dbh->prepare($SQL_COMMAND);
$sth->execute($variable);

this makes your sql query immune to the variable containing quotes and backslashes. But PHP lacks this feature and magicquotes sucks for this. Sure GPC guarantees that you won't have any unescaped characters in your variable for this situation but for every other situation (echo, mail or any HTML output) you are going to be stripping the slashes in a rather annoying amount.

The problem with using magicquotes can be demonstrated if you do this
test.php3:
<FORM action="test.php3" method="GET">
<? echo '<INPUT type="TEXT" name="test" value="' . $test . '">' ?>
<INPUT TYPE="SUBMIT"></FORM>

you will just keep on duplicating backslashes unless every time you go to use a variable you strip the slashes.
If PHP could do something like this:

$var1 = '" or username="root';
mysql_do('select password from user where username="?"',$var1);

and you wouldn't have a problem because it would recognize the ? as a place holder for the backslashed $var1.

Thanks
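The growing-backslash behaviour described in this report, reproduced in an added example that is not part of the original report. The magic-quotes step is simulated with a hypothetical `simulate_magic_quotes()` helper (the real `magic_quotes_gpc` setting and `get_magic_quotes_gpc()` no longer exist in PHP 8), and the fix shown is the defensive pattern: undo the quoting once at the input boundary, then escape for each output context at the point of output.

```php
<?php
// Added example, not code from the original report. It reproduces the
// growing-backslash problem with a simulated magic_quotes_gpc and shows
// the defensive pattern: undo the quoting once at the input boundary, then
// escape for each output context (HTML attribute, SQL) separately.

// What magic_quotes_gpc did to every submitted value: addslashes() on arrival.
function simulate_magic_quotes(string $submitted): string {
    return addslashes($submitted);
}

// Undo it once, at the boundary. The real check was get_magic_quotes_gpc(),
// which no longer exists in PHP 8, so the flag is passed in explicitly here.
function undo_magic_quotes(string $value, bool $magic_quotes_on): string {
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// Escaping belongs at the output, chosen per context.
function for_html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The reporter's form: value echoed into value="...", submitted back, echoed
// again. Without stripping, each round trip adds another layer of slashes.
function naive_roundtrips(string $value, int $rounds): string {
    for ($i = 0; $i < $rounds; $i++) {
        $value = simulate_magic_quotes($value); // arrives quoted ...
        // ... is echoed into the form unchanged and resubmitted
    }
    return $value;
}

// Same loop with the quoting undone at the boundary: the value stays stable.
function fixed_roundtrips(string $value, int $rounds): string {
    for ($i = 0; $i < $rounds; $i++) {
        $value = undo_magic_quotes(simulate_magic_quotes($value), true);
    }
    return $value;
}

// Constructed sample input containing the characters magic quotes touched.
$input = 'O\'Reilly said "hi" \\ end';

echo "naive: ", naive_roundtrips($input, 3), "\n";
echo "fixed: ", fixed_roundtrips($input, 3), "\n";

// Rendering: escape for the HTML attribute context at the point of output,
// which the original test.php3 snippet did not do.
echo '<input type="text" name="test" value="',
     for_html_attr(fixed_roundtrips($input, 3)), '">', "\n";
```

Run it with `php` from the command line. The naive loop shows one extra layer of backslashes per round trip; the fixed loop returns the original string every time, and `htmlspecialchars()` with `ENT_QUOTES` handles the form's attribute context, which is a separate concern from SQL escaping.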

 [2000-02-16 18:16 UTC] sas at cvs dot php dot net
If you dislike magic quotes, don't use that feature. You can write your queries like this:

mysql_query(sprintf("select * from foo where bar = '%s'", addslashes($input_data)));

which makes the distinction of query language and data clear.

Ad follows:

The magic quotes chapter of "Professional PHP Programming" contains more information about when to use magic quotes and how you can replace it effectively.
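The `?` placeholder the reporter asked for, as an added example that is not code from either comment in this thread. It uses a PDO prepared statement, and next to it the escape-then-`sprintf()` structure from the reply above, with one change: the driver's own `PDO::quote()` replaces `addslashes()`, because `addslashes()` assumes MySQL's backslash escaping and knows nothing about the connection charset. The `make_db()`, `password_for_prepared()` and `password_for_quoted()` names are this example's own; it runs against an in-memory SQLite database and assumes the `pdo_sqlite` extension is loaded.

```php
<?php
// Added example, not code from the original thread. It shows the "?"
// placeholder the reporter wanted as a PDO prepared statement, beside the
// escape-then-interpolate pattern from the reply, using the driver's own
// quoting rather than addslashes(). Runs against an in-memory SQLite
// database; assumes the pdo_sqlite extension is available.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (username TEXT, password TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO user VALUES ('root', 'r00t-pw'), ('guest', 'guest-pw')");
    return $db;
}

// Parameterized query: query text and data travel separately, so quotes and
// backslashes in $username can only ever be compared against a username and
// never change the SQL.
function password_for_prepared(PDO $db, string $username): array {
    $stmt = $db->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The reply's pattern: escape, then sprintf(). addslashes() assumes MySQL's
// backslash escaping and is not charset-aware, so the driver's quoting
// (PDO::quote, which also adds the surrounding quotes) is used instead.
function password_for_quoted(PDO $db, string $username): array {
    $sql = sprintf('SELECT password FROM user WHERE username = %s',
                   $db->quote($username));
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
// The report's own sample value, plus one with an apostrophe and a backslash.
foreach (['root', '" or username="root', "O'Reilly \\ x"] as $name) {
    echo str_pad($name, 22),
         ' prepared: ', json_encode(password_for_prepared($db, $name)),
         '  quoted: ',  json_encode(password_for_quoted($db, $name)), "\n";
}
```

Both functions return the stored password only for the literal username `root`; the value from the report that contains quotes matches nothing in either form, because in both cases it is treated as data. The prepared form is the one to standardise on: it needs no per-dialect escaping function and keeps query language and data apart by construction, which is the distinction the reply is making.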

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun May 19 16:01:31 2024 UTC