Is using get_magic_quotes_gpc with stripslashes a bad practice for compatibility?

3

magic_quotes_gpc is obsolete since PHP 5.3 and was removed in PHP 5.4, but it can still be enabled in 5.3. I know that it is unlikely that a production server has such a configuration, but the doubt here is yet another case study.

I used to use something like:

<?php
// Strips the backslashes that magic_quotes_gpc added, walking nested arrays.
// $data is taken by reference and also returned, so both call styles work.
function recursiveStripSlashes(&$data)
{
    if (empty($data)) {
        return $data;
    } elseif (is_array($data)) {
        foreach ($data as $key => &$value) {
            $data[$key] = recursiveStripSlashes($value);
        }
    } elseif (is_string($data)) {
        $data = stripslashes($data);
    }

    return $data;
}

// Only undo the escaping when the runtime actually applied it.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    recursiveStripSlashes($_POST);
    recursiveStripSlashes($_GET);
    recursiveStripSlashes($_COOKIE);
    recursiveStripSlashes($_REQUEST);
}

I know that it seems hard to find servers still on PHP 5.3, but there are cases like this. I think maybe the preference is to guide the user of the script to disable it; maybe it's better to just throw an Exception? Something like:

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    throw new Exception('Disable magic_quotes in php.ini');
}

asked by anonymous 10.01.2016 / 19:49

1 answer

3

The preferred option is really to inform the person using the script that there is a configuration problem; the reason is performance.

Imagine that the script is receiving a lot of data via $_POST (even multidimensional). If you use stripslashes for each level of the array in $_POST and you have too much data, this can cause the script to take a long time to process and in some cases greatly increase memory consumption.

The Exception in the example can be one option, or even a custom message; however, the important thing is always to turn off magic_quotes_gpc and, if possible, to upgrade PHP.

What is magic_quotes_gpc

Warning: This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

When on, every ' (single quote), " (double quote), \ (backslash) and NUL character is escaped with a backslash automatically (' becomes \'). This is identical to what the addslashes() function does.

Why magic_quotes_gpc was used

The feature helped some beginners build better code in an attempt to be more secure. But when dealing with code that relies on this feature, it is better to update the code than to activate magic quotes. So why did it exist? It was meant to help prevent SQL injection. Today's developers are more aware of security and end up using the database's own escaping mechanisms and/or prepared statements rather than relying on things like magic quotes, for example:

Here are some tips on working with MySQL:

Why we should not use magic_quotes_gpc

  • Portability: whether magic_quotes_gpc is turned on or off affects the portability of the code. For example, in newer versions of PHP, from 5.4 onward, even if php.ini sets magic_quotes_gpc you will not be able to use it, since it has been removed.

  • Performance: when turned on it will escape all data from GET, POST, COOKIE and REQUEST, and this can be somewhat costly to the server depending on the amount of data POST transports, and also in the case of multidimensional arrays (which are supported by GET and POST).

  • It is inconvenient because not all places where we use the data need it escaped, and this may cause some problems; it will force you to make excessive use of stripslashes.

Disabling

If you are using PHP 5.4+ you do not have to worry about disabling it, since it has already been removed. However, if you cannot upgrade your server, then you will have to edit php.ini and set the following flags like this:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc=Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime=Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase=Off

Documentation

10.01.2016 / 20:16
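The following is an added example, not code from the question or the answer above. It emulates on any PHP version what magic_quotes_gpc did to request data (since the feature can no longer be switched on to observe it), shows the double-escaping the answer calls inconvenient, shows the fail-fast guard the question proposes, and contrasts both with a prepared statement, which needs no escaping at all. The input array is constructed for the example; the last section assumes the pdo_sqlite extension is loaded and is skipped otherwise. The function_exists() check matters more than it did in 2016: get_magic_quotes_gpc() was removed in PHP 8.0, so calling it unguarded there is a fatal error.

```php
<?php
// Added example (not from the original question or answer). Emulates what
// magic_quotes_gpc did to request data, shows the double escaping it causes,
// and contrasts it with a prepared statement, which needs no escaping at all.
// Assumes PHP >= 5.3; the last section also assumes pdo_sqlite is available.

// Constructed sample input, shaped like a form POST (nested array included).
$input = array(
    'name' => "O'Brien",
    'note' => 'path C:\\tmp and a "quote"',
    'tags' => array("a'b", array('deep' => 'x\\y')),
);

// What magic_quotes_gpc did on arrival: addslashes() applied to every string
// at every depth of GET/POST/COOKIE. Written out here so the effect can be
// reproduced on versions where the feature no longer exists.
function emulateMagicQuotes($data)
{
    if (is_array($data)) {
        return array_map('emulateMagicQuotes', $data);
    }
    return is_string($data) ? addslashes($data) : $data;
}

// The reverse step the question's recursiveStripSlashes() performs.
function recursiveStrip($data)
{
    if (is_array($data)) {
        return array_map('recursiveStrip', $data);
    }
    return is_string($data) ? stripslashes($data) : $data;
}

// Fail-fast guard, as the question proposes. function_exists() is required
// because get_magic_quotes_gpc() was removed in PHP 8.0; the @ silences the
// deprecation notice PHP 7.4 emits for the call.
function assertMagicQuotesOff()
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        throw new RuntimeException('Disable magic_quotes_gpc in php.ini');
    }
}

assertMagicQuotesOff();

$magic = emulateMagicQuotes($input);
echo "After magic quotes: ", $magic['name'], "\n";

// The "inconvenience": code that escapes for SQL anyway escapes the
// backslash magic quotes already added, so the database stores a literal one.
echo "Escaped again:      ", addslashes($magic['name']), "\n";

// Undoing it at every depth restores the original data exactly, at the cost
// of walking the whole request, which is the performance point in the answer.
$restored = recursiveStrip($magic);
echo "Round-trip intact:  ", var_export($restored === $input, true), "\n";

// Correct approach: a prepared statement. The value travels as a parameter,
// so nothing is escaped by hand and the stored value is exactly what was sent.
if (extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE people (name TEXT)');
    $stmt = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute(array(':name' => $input['name']));
    $stored = $pdo->query('SELECT name FROM people')->fetchColumn();
    echo "Stored via prepare: ", $stored, "\n";
}
```

Run it from the command line with php. The first line shows the single quote in the name gained a backslash; the second shows that escaping the already-escaped value doubles the backslash, which is the bug applications hit when they escaped for the database without knowing magic quotes had run first. The round-trip check is true, so stripping is correct but it has to touch every string in the request. The prepared statement stores the name unchanged with no escaping step at all, which is why the answer recommends it over either magic quotes or stripslashes.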