Do you use, or allow PHP "magic_quotes"?




Posted by SoftDux, 10-11-2009, 02:55 PM
Hi all, Some of our clients' websites were hacked, or rather cracked, and defaced in the past few weeks. And while it's no fun to recover the websites and attempt to secure them, I have run into a few "obstacles" on the cPanel server. We have updated all the software to the latest and applied a few extra security measures to the server. But from what I gather, the crackers used SQL injection, or other weak scripting methods, to get into the websites. No server security was compromised. So, I thought I would harden PHP even more, and noticed that magic_quotes is enabled. Apart from the fact that PHP 5.3 & PHP 6 won't support magic_quotes, what other reason would there be to still run it? The server is a shared hosting server with approx. 400 accounts on it, running various scripts from Joomla! to SMF, to phpBB, vBulletin, WHMCS, Drupal, custom websites, OSCommerce, phplist, etc. (most of the OSS scripts that can be installed from Fantastico or Softaculous). Does anyone know of any problems I could run into if I disable magic_quotes altogether?

Posted by Harzem, 10-11-2009, 03:23 PM
magic_quotes is a security feature that doesn't break professional or well-written scripts, and it protects poorly written scripts. So I wouldn't disable it, because disabling doesn't serve a purpose. It doesn't matter if it will be removed from PHP soon, it's still something that protects your server from poor scripts.

Posted by RSkeens, 10-11-2009, 04:32 PM
Harzem summed it up nicely. Disabling magic_quotes won't make your server more secure.

Posted by SoftDux, 10-11-2009, 06:24 PM
Sure, but my question isn't ^really^ "how much more secure will the server be?", but rather "how many sites / scripts will break if I disable it?" We already use phpSuexec, suPHP, mod_security and Suhosin. But what I'm getting at is: do I disable it now and move on (i.e. sort out / support / fix broken websites, or get the developers to code properly), or do I wait for PHP 5.3, when it will be disabled in any case, and sit with the problems then?

Posted by Harzem, 10-12-2009, 04:08 AM
If you wait for 5.3, you will have a reason to give your clients. "The latest PHP removed the feature automatically" is better than "we removed it because we wanted to".

Posted by CookedNoodles, 10-12-2009, 04:20 AM
How insecure? The attacker (a real human or an automated bot) can modify the database of a poorly coded script. This can lead to the attacker having admin privileges and even having shell uploads in some situations.

Posted by tim2718281, 10-12-2009, 10:01 PM
Magic quotes is supported in PHP 5.3. If the user has deprecated messages turned on, then if they use magic quotes they will get a message that their use is deprecated. The idea is that people will be alerted to their use of parts of the language that will not exist in the next version (PHP 6 in this case). It seems to me that it can defeat the purpose of deprecated features if an installation disables support for them. The whole idea of having a state "deprecated" is to give people warnings in time to rework their programs in a controlled manner.

Posted by Red Squirrel, 10-12-2009, 10:11 PM
I usually disable it to be consistent. I write my scripts to work without it as I don't like to depend on something that if disabled, could open up a security hole. In some (rare) cases you actually don't want stuff to be escaped anyway.
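One way to write a script that behaves the same whether magic_quotes is on or off, as Red Squirrel describes, and that gets the protection Harzem attributes to magic_quotes from prepared statements instead. This is an added example, not code from the thread; the DSN, credentials, table and column names are placeholders.

```php
<?php
// Added example (not from the thread): normalise request data so the script
// sees the raw input regardless of the magic_quotes_gpc setting, then use a
// prepared statement so the database never interprets user input as SQL.
// get_magic_quotes_gpc() and stripslashes() are real PHP functions; the DSN,
// credentials and table below are placeholders.

/**
 * Recursively undo the backslashes magic_quotes_gpc adds to request data.
 * Handles plain strings and nested arrays (e.g. tags[]=... inputs).
 */
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Only undo the escaping if the server actually added it. On a server where
// magic_quotes_gpc is off (the PHP 5.3+ default) the data is left untouched,
// so legitimate backslashes typed by the user are never stripped.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// From here on $_POST['username'] holds exactly what the user typed, e.g.
// "O'Brien" rather than "O\'Brien". A script that escaped it a second time
// would otherwise store "O\\'Brien" (the case Red Squirrel alludes to where
// you do not want the input escaped for you).
$username = isset($_POST['username']) ? $_POST['username'] : '';

// Placeholder DSN and credentials; adjust for the real site.
$pdo = new PDO('mysql:host=localhost;dbname=app_db', 'app_user', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
));

// The query text and the data travel separately, so quotes or SQL keywords in
// $username reach MySQL as a literal value, never as part of the statement.
// This is what keeps the script safe once magic_quotes is gone.
$stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :name');
$stmt->execute(array(':name' => $username));
$user = $stmt->fetch(PDO::FETCH_ASSOC);
```

With this pattern a site can be moved to a server with magic_quotes disabled without any change in behaviour, which is the compatibility question SoftDux raised.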
