Recently, I posted a bug to Hemlock's Bugzilla, asking for Magic
Quotes in PHP to be disabled:
having spoken with DaB., many interesting points were raised, and DaB.
asked me to send an e-mail to the list to ask other toolserver users
Magic Quotes is an infamous feature in PHP that, when enabled,
"automagically escapes incoming data to the PHP script."
(<http://www.php.net/magic_quotes>) That means if somebody types in
"Tom's chair", that automatically becomes "Tom\'s chair". It
the same thing to rogue commands in SQL injection attacks, so it's
meant to make PHP more secure. In this respect, it's a good feature to
have when there are programmers of all levels on the toolserver.
However, there are some problems with Magic Quotes:
* Not all programs need Magic Quotes. Programs that send e-mail
including incoming input, programs written with SQL injection attacks
in mind that already use addslashes, etc. do not need Magic Quotes and
suffer a performance overhead when slashes added by Magic Quotes need
to be removed.
* Programmers unaccustomed to SQL injection attacks who first start
off with PHP on the toolserver will learn to write unsafe code, and
make terrible mistakes when they go on to write code in other
languages that don't have something like Magic Quotes.
* Magic Quotes will be removed entirely (or at least disabled by
default) in the upcoming version of PHP, PHP 6. Programs currently
written with Magic Quotes in mind (or programs made by those unaware
of SQL injection) will become prime targets when PHP is upgraded in
the future. Magic Quotes currently provides a false sense of security.
I'd like to ask the toolserver community what it feels about this, and
whether it should be left enabled, or disabled.
(P.S. php_flag cannot be used to disable Magic Quotes on Hemlock, as
PHP runs as a CGI, not an Apache module.)