What are magic quotes runtime in PHP?
Asked Answered
R

3

10

I'm totally aware of the aberration of Magic Quotes in PHP, how it is evil and I avoid them like pest, but what are magic_quotes_runtime? From php.ini:

Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.

Is is something I should check if ON and turn OFF with:

set_magic_quotes_runtime(false);

Is it often ON by default? I know it's deprecated in 5.3.0 and removed in 6.0.0 but since my script support 5.1.0+ I would like to know how to handle this in "legacy" PHP (if it's relevant).

Edit: To make things clear I want to exit('Turn OFF Magic Quotes'); when Magic quotes are ON. I'm not relying on them!

Rosinski answered 22/1, 2010 at 15:59 Comment(0)
F
6

If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime

Ferrara answered 22/1, 2010 at 16:4 Comment(7)
If the link contains the answer why not just writing the link?Ferrara
@Ferrara Because it requires the user to hunt down the solution, and links may change, but text posted here won't. (-1 removed)Abstract
Does magic_quotes_runtime @ ON is a nuisance? Should I turn em OFF when ON? Or even exit() the script with a message telling to turn em OFF?Rosinski
But why do you have to use them? It's deprecated so if you are writing code don't use it. Anyway if you must set magic_quotes_runtime set it to false because if you look at the link that i write on the top of the page there's the default value and it's false.Ferrara
I'm NOT using them. I want to know what to do if they are ON (stay them at ON, turn em OFF, exit() script with warning...).Rosinski
I don't know what do you want to do but i don't think that you must care about them, anyway if they can generate errors print the warning message or try to set them OFF with ini_set().Ferrara
@Ferrara because of some times pages will remove from the reference website, like https://www.php.net/manual/en/function.set-magic-quotes-runtime.php removed on OCT-2020 ! Why ?Emogene
I
1

You could use ini_get to check for it's value, like this:

ini_get('magic_quotes_runtime');

Also you should wrap calls to set_magic_quotes_runtime/get_magic_quotes_runtime in function_exists calls, like that:

if (function_exists('set_magic_quotes_runtime')) {
set_magic_quotes_runtime(true/false);
}

But of course, one should not rely on magic quotes at all and should have them disabled if possible. Se this link for a coule of reasons why: Archive.org: http://www.php.net/manual/en/security.magicquotes.whynot.php

Impend answered 22/1, 2010 at 16:4 Comment(0)
B
0

If magic quotes are ON, php will automatically escape quotes coming in POST or GET variables and automatically un-escape them when pulling data out of a database for example.

If you use things like addslashes(), mysql_escape_string() or mysql_real_escape_string() with magic quotes on, you'll end up double-escaping quotes.

The reason it's evil is the same reason addslashes() and mysql_escape_string() are evil - because it doesn't capture every possible method of putting a quote in a string. It gives you a false sense of security in thinking that you don't have to worry about escaping quotes anymore when in reality you still do.

Also, as if escaping strings wasn't enough of a PITA already, now you have to check if magic quotes are on or off before you try to escape or un-escape a string to avoid double escaping.

Bush answered 22/1, 2010 at 16:9 Comment(3)
Not asking what "Magic Quotes" are I know that too well. What I'm asking is what are "magic_quotes_runtime"? What data is escaped by this setting?Rosinski
@Rosinski - The two settings work in conjunction. the GPC one is for POST, GET and COOKIE data, the runtime one is for more-or-less everything else (files, mysql, etc). If your question is "what EXACTLY is 'everything else'?" then alexb has the answer in his link.Bush
It's mck89 link not alexb one :)Rosinski

© 2022 - 2024 — McMap. All rights reserved.