PHP Magic Quotes
From DreamHost
Magic quotes (PHP configuration option magic_quotes_gpc) are a controversial feature of the PHP scripting language, intended to help prevent inexperienced developers from writing code which is vulnerable to SQL injection attacks.
Concept
The rationale behind magic quotes is to "help code written by beginners from being dangerous." Every single quote, double quote, backslash and null character in user-supplied data has a backslash prepended to it before the data is passed to the script in the $_GET, $_POST and $_COOKIE global variables. Developers can then, in theory, use string concatenation safely to construct SQL queries with data provided by the user.
On DreamHost
New domains at DreamHost will run PHP as CGI, and the default PHP version is version 5 (though this could be changed).
PHP5 has Magic Quotes turned OFF by default, though that setting can be changed for use on your domain by installing your own version of PHP5 or modifying your own copy of php.ini (for use with a local copy of DreamHost's default PHP installation).
If you have PHP 4 running as CGI, Magic Quotes are set ON, and you cannot turn Magic Quotes OFF with .htaccess, or with ini_set(). You can change the setting by installing your own version of PHP4 or modifying your own copy of php.ini (for use with a local copy of DreamHost's default PHP installation).
If you must use PHP 4 and disable magic quotes, but do not want to attempt the previously described methods, this script from PureForm will filter out the magic quotes:
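<?php
// Strip magic_quotes_gpc slashes in place (nested arrays included); creates no per-key variables.
function strip_magic_quotes($value) {
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}
if (get_magic_quotes_gpc()) {
    $_GET = strip_magic_quotes($_GET); $_POST = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE); $_REQUEST = strip_magic_quotes($_REQUEST);
}
?>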
It's safe for array inputs as well as string inputs.
(Theoretically, the above code could be changed to use addslashes() instead of stripslashes() in order to provide equivalent functionality to magic quotes, though this has not been tested.)
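The following is an added example, not code from the original page or from PureForm. It shows what the escaping described under Concept does to a constructed form submission, that a recursive strip restores it exactly, and why input left slashed ends up stored with the extra backslash once queries use bound parameters. The function names, sample values and in-memory SQLite table are assumptions; it needs PHP 5.1 or later with the pdo_sqlite extension.

```php
<?php
// Added example: names, sample values and the SQLite table are constructed.

// Reproduce what magic_quotes_gpc did to incoming data: addslashes() puts a
// backslash before each single quote, double quote, backslash and NUL byte.
function emulate_magic_quotes($value) {
    return is_array($value) ? array_map('emulate_magic_quotes', $value)
                            : addslashes($value);
}

// The inverse: recover the bytes the client actually sent, at any depth.
function undo_magic_quotes($value) {
    return is_array($value) ? array_map('undo_magic_quotes', $value)
                            : stripslashes($value);
}

// Constructed form submission with a nested array field.
$sent = array(
    'author' => "O'Reilly",
    'path'   => 'C:\\temp',
    'tags'   => array('say "hi"', array("it's nested")),
);

$received = emulate_magic_quotes($sent);   // what the script sees with the setting ON
$restored = undo_magic_quotes($received);  // what it should work with

echo "received: ", $received['author'], " | ", $received['path'], "\n";
echo "round trip intact: ", ($restored === $sent ? 'yes' : 'no'), "\n";

// A bound parameter needs no escaping, so slashes left in place are stored
// as data. Insert both forms and read them back to compare.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (source TEXT, author TEXT)');
$insert = $db->prepare('INSERT INTO books (source, author) VALUES (?, ?)');
$insert->execute(array('slashed', $received['author']));
$insert->execute(array('restored', $restored['author']));

foreach ($db->query('SELECT source, author FROM books') as $row) {
    echo $row['source'], ": ", $row['author'], "\n";
}
?>
```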
Magic Quotes in Joomla!
Users installing the Joomla! Content Management System (CMS) on DreamHost will find that later versions of Joomla! (version 1.0.11 and up), and the version of Joomla! installed via the DreamHost "one-click" installer, will report that the Magic Quotes GPC setting is "recommended" by the Joomla! team to be "ON" but is actually set to "OFF" on DreamHost.
Joomla! will run just fine with the default DreamHost setting, but if you are concerned about the "Security Warning" that is displayed, and would prefer to have Magic Quotes GPC set "ON" as recommended by the Joomla! development team, you can change this setting for use on your domain by installing your own version of PHP5, installing your own version of PHP4, or modifying your own copy of php.ini (for use with a local copy of DreamHost's default PHP installation) to change the setting.

