Tuesday, September 8, 2009

PHP magic_quotes_gpc

SkyHi @ Tuesday, September 08, 2009
PhpSecInfo Test Information


Test Description

Determines if magic_quotes_gpc is enabled.
Security Implications

The magic quotes option was introduced to help protect developers from SQL injection attacks. It effectively executes addslashes() on all information received over GET, POST or COOKIE. Unfortunately this protection isn't perfect: there are a series of other characters that databases interpret as special not covered by this function. In addition, data not sent direct to databases must un-escaped before it can be used.


Because it's inconsistent and ineffective, it's not recommended that magic_quotes_gpc be enabled. Rely on input filtering done by your scripts.

You can disable magic_quotes_gpc in the php.ini file:

; Disable magic_quotes_gpc
magic_quotes_gpc = 'off'

The setting can also be disabled in apache's httpd.conf file, or an .htaccess file:

# Disable magic_quotes_gpc
php_flag magic_quotes_gpc off

things that should always be turned off in php.ini on a live system

Reference: http://phpsec.org/projects/phpsecinfo/tests/magic_quotes_gpc.html