Recently, I posted a bug to Hemlock's Bugzilla, asking for Magic Quotes in PHP to be disabled: http://tools.wikimedia.de/cgi-bin/bugzilla/show_bug.cgi?id=94. After speaking with DaB., many interesting points were raised, and DaB. asked me to send an e-mail to the list to ask other toolserver users for their opinion.
Magic Quotes is an infamous feature in PHP that, when enabled, "automagically escapes incoming data to the PHP script" (http://www.php.net/magic_quotes). That means if somebody types in "Tom's chair", that automatically becomes "Tom\'s chair". It also does the same thing to rogue commands in SQL injection attacks, so it's meant to make PHP more secure. In this respect, it's a good feature to have when there are programmers of all levels on the toolserver.
However, there are some problems with Magic Quotes:
* Not all programs need Magic Quotes. Programs that send e-mail including incoming input, programs written with SQL injection attacks in mind that already use addslashes, etc. do not need Magic Quotes and suffer a performance overhead when slashes added by Magic Quotes need to be removed.
* Programmers unaccustomed to SQL injection attacks who first start off with PHP on the toolserver will learn to write unsafe code, and make terrible mistakes when they go on to write code in other languages that don't have something like Magic Quotes.
* Magic Quotes will be removed entirely (or at least disabled by default) in the upcoming version of PHP, PHP 6. Programs currently written with Magic Quotes in mind (or programs made by those unaware of SQL injection) will become prime targets when PHP is upgraded in the future. Magic Quotes currently provides a false sense of security.
I'd like to ask the toolserver community how it feels about this, and whether Magic Quotes should be left enabled or disabled.
Cheers,
Tangotango
(P.S. php_flag cannot be used to disable Magic Quotes on Hemlock, as PHP runs as a CGI, not an Apache module.)
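The following is an added example, not code from the original post or from any toolserver tool. It shows what magic_quotes_gpc does to a request value, the double-escaping that results when a script also calls addslashes, and a portable way to undo Magic Quotes at the top of a script so the same code behaves identically whether the setting is on or off. The strip_magic_quotes and fetch_item function names, the $db mysqli connection and the items table are hypothetical, chosen for illustration only.

```php
<?php
// Added example (not part of the original mailing-list post).

// Constructed sample input, as if a user had typed it into a form field.
$raw = "Tom's chair";

// With magic_quotes_gpc=On, PHP applies addslashes() to GET/POST/COOKIE data
// before the script ever sees it:
$magic = addslashes($raw);        // Tom\'s chair

// Problem 1: a script written for a host where Magic Quotes is off escapes
// again, and the stray backslash ends up in the database or the e-mail:
$double = addslashes($magic);     // Tom\\\'s chair

// Problem 2: a script that silently relies on Magic Quotes is injectable as
// soon as the setting is turned off (e.g. after a PHP upgrade):
$unsafe = "SELECT * FROM items WHERE name = '" . $raw . "'";
// With $raw = "x' OR '1'='1" the query above returns every row.

// Portable fix: undo Magic Quotes once, recursively, at the very top of the
// script. magic_quotes_gpc is a PHP_INI_PERDIR setting, so it cannot be
// switched off with ini_set() at runtime; stripping the slashes is the only
// option when php_flag is unavailable (PHP running as CGI).
function strip_magic_quotes(array $data) {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? strip_magic_quotes($value)
            : stripslashes($value);
    }
    return $data;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// From here on the script can assume raw, unescaped input and escape exactly
// once for the sink it targets. For SQL, a prepared statement does that for
// you; $db is assumed to be an open mysqli connection and "items" a table
// with (id, name) columns (both hypothetical).
function fetch_item(mysqli $db, $name) {
    $stmt = $db->prepare("SELECT id, name FROM items WHERE name = ?");
    $stmt->bind_param('s', $name);   // value is bound, never interpolated
    $stmt->execute();
    $stmt->bind_result($id, $found_name);
    $row = $stmt->fetch() ? array('id' => $id, 'name' => $found_name) : null;
    $stmt->close();
    return $row;
}

// Usage: $row = fetch_item($db, $_GET['name']);
```

The stripping block is idempotent with respect to the setting: with Magic Quotes on it removes exactly the slashes PHP added, and with it off it does nothing, so the same code keeps working after the feature is disabled or removed. Escaping then happens once, at the database boundary, which is the behaviour the addslashes-plus-Magic-Quotes combination was accidentally doubling.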