Section A.8.  magic_quotes_gpc


A.8. magic_quotes_gpc

The magic_quotes_gpc directive is a popular directive meant to prevent SQL injection. It is a flawed approach for a number of reasons, including the fact that it escapes input.

It escapes all data in $_GET, $_POST, and $_COOKIE using the same rules as the addslashes( ) function. Thus, it does not use an escaping function native to your database.

You should always disable magic_quotes_gpc for two primary reasons:

  • It adds complexity to your input filtering logic, because it modifies data prior to executing your code. For example, your filtering logic for a last name might allow only alphabetic characters, spaces, hyphens, and single quotes (apostrophes). With magic_quotes_gpc enabled, you must accommodate last names such as O\'Reilly or use stripslashes( ) in an attempt to restore the data. This unnecessary complexity (or relaxed filtering rules) increases the likelihood of a mistake, and a flaw in your input filtering is certain to create a security vulnerability.

  • It does not use an escaping function native to your database. Therefore, it can hide the use of poor filtering or escaping logic when trivial or accidental attacks occur, leaving you vulnerable to more complex attacks such as those that target character sets.
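An added example (not from the book) of how the two points above play out in code: the O\'Reilly problem is undone once at the entry point, the last name is then checked against a whitelist, and escaping is done at the database boundary with the driver's own function. It assumes a front controller that runs before any other code and a `mysqli` connection (hypothetical `$db`) whose character set has already been set with `set_charset()`.

```php
<?php
// Example code, not part of the original page. Undo magic_quotes_gpc once, at
// the entry point, so that filtering logic never has to reason about added
// backslashes. The function_exists() guard keeps this a no-op on PHP 8, where
// get_magic_quotes_gpc() no longer exists (it always returned false from 5.4).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $strip = function ($value) use (&$strip) {
        // stripslashes() recursively, because nested arrays are escaped too
        return is_array($value) ? array_map($strip, $value) : stripslashes($value);
    };
    $_GET    = array_map($strip, $_GET);
    $_POST   = array_map($strip, $_POST);
    $_COOKIE = array_map($strip, $_COOKIE);
}

// Whitelist filter for a last name: letters, spaces, hyphens and apostrophes.
// Without the stripslashes() step above, a magic_quotes_gpc-mangled
// "O\'Reilly" fails this check, which is the complexity the text warns about.
function filter_last_name($raw)
{
    if (!is_string($raw) || !preg_match("/^[A-Za-z' -]{1,64}$/", $raw)) {
        return null;   // reject unexpected input rather than try to repair it
    }
    return $raw;
}

// Escape at the database boundary with the driver's own function. Unlike
// addslashes(), real_escape_string() honours the connection's character set,
// which is what closes the character-set attacks the text mentions.
// Assumption: $db is a live mysqli connection with set_charset() already called.
function last_name_query(mysqli $db, $lastName)
{
    $clean = filter_last_name($lastName);
    if ($clean === null) {
        throw new InvalidArgumentException('invalid last name');
    }
    return "SELECT id FROM users WHERE last_name = '"
         . $db->real_escape_string($clean) . "'";
}

// Usage (hypothetical): with magic_quotes_gpc off or undone above,
// filter_last_name("O'Reilly") returns "O'Reilly" and the query escapes the
// apostrophe exactly once.
```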

