  1. #1
    Join Date
    Mar 2006
    Location
    Johannesburg,South Africa
    Posts
    601

    Do you use, or allow PHP "magic_quotes"?

    Hi all,

    Some of our clients' websites were hacked, or rather cracked, and defaced in the past few weeks. And while it's no fun to recover the websites and attempt to secure them, I have run into a few "obstacles" on the cPanel server.

    We have updated all the software to the latest and applied a few extra security measures to the server. But from what I gather, the crackers used SQL injection, or other weak scripting methods, to get into the websites. No server security was compromised. So, I thought I would harden PHP even more, and noticed that magic_quotes is enabled.

    Apart from the fact that PHP 5.3 & PHP 6 won't support magic_quotes, what other reason would there be to still run it? The server is a shared hosting server with approx. 400 accounts on it, running various scripts from Joomla! to SMF, to phpBB, vBulletin, WHMCS, Drupal, custom websites, osCommerce, phplist, etc. (most of the OSS scripts that can be installed from Fantastico or Softaculous).

    Does anyone know of any problems I could run into if I disable magic_quotes altogether?
    South African Web Hosting - http://www.SoftDux.co.za || SA WebHostingTalk - http://www.webhostingtalk.co.za

  2. #2
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    magic_quotes is a security feature that doesn't break professional or well-written scripts, and it protects poorly written scripts. So I wouldn't disable it, because disabling doesn't serve a purpose.

    It doesn't matter if it will be removed from PHP soon, it's still something that protects your server from poor scripts.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  3. #3
    Join Date
    Nov 2006
    Location
    search.php?do=getnew
    Posts
    1,241
    Harzem summed it up nicely. Disabling magic_quotes won't make your server more secure.
    http://www.rskeens.com
    A casual blog mainly about the web hosting industry

  4. #4
    Join Date
    Mar 2006
    Location
    Johannesburg,South Africa
    Posts
    601
    Sure, but my question isn't *really* "how much more secure will the server be", but rather "how many sites / scripts will break if I disable it?"

    We already use phpSuexec, suPHP, mod_security and PHPSuHosin.

    But, what I'm getting at is: do I disable it now and move on (i.e. sort out / support / fix broken websites, or get the developers to code properly), or do I wait for PHP 5.3, when it will be disabled in any case, and sit with the problems then?

  5. #5
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    If you wait for 5.3, you will have a reason to tell your clients. "Latest PHP removed the feature automatically" is better than "we removed it because we want to".

  6. #6
    Join Date
    Oct 2009
    Posts
    41
    How insecure?
    The attacker (a real human or an automated bot) can modify the database of a poorly coded script. This can lead to the attacker having admin privileges and even having shell uploads in some situations.

  7. #7
    Join Date
    Mar 2009
    Posts
    2,222
    Quote Originally Posted by Harzem:
    "If you wait for 5.3, you will have a reason to tell your clients. 'Latest PHP removed the feature automatically' is better than 'we removed it because we want to'."

    Magic quotes is supported in PHP 5.3.

    If the user has deprecated messages turned on, then if they use magic quotes they will get a message that their use is deprecated. The idea is that people will be alerted to their use of parts of the language that will not exist in the next version (PHP 6 in this case).

    It seems to me that it can defeat the purpose of deprecated features if an installation disables support for them. The whole idea of having a state "deprecated" is to give people warnings in time to rework their programs in a controlled manner.

  8. #8
    Join Date
    Feb 2008
    Posts
    829
    I usually disable it to be consistent. I write my scripts to work without it, as I don't like to depend on something that, if disabled, could open up a security hole. In some (rare) cases you actually don't want stuff to be escaped anyway.
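As an added example, not code from any poster in this thread, here is the pattern post #8 describes and the failure post #6 warns about: a request handler that undoes magic_quotes_gpc at the edge when it happens to be on, and then uses a bound parameter so the query is safe with the setting either way. It assumes PHP 5.2 or later with the PDO SQLite driver; the table, the rows and the request value are constructed for the demo and stand in for a site's own database and `$_GET`.

```php
<?php
// Added example (not from the thread): a handler that behaves the same whether
// magic_quotes_gpc is on or off, and never relies on it for SQL safety.
// Assumes PHP 5.2+ with PDO and the pdo_sqlite driver; all data is constructed.

// 1. Undo magic quotes once, at the edge, so the rest of the code sees raw input.
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() exists up to PHP 7.4 and is gone in PHP 8, so the
// call is guarded; on PHP 5.3 it also returns false once the ini setting is off.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes_deep($_GET);
    $_POST   = strip_magic_quotes_deep($_POST);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
}

// 2. Constructed in-memory database standing in for a site's user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin')");
$db->exec("INSERT INTO users (name, role) VALUES ('o''brien', 'member')");

// Weak pattern from the thread: string interpolation that only "works" while
// magic_quotes_gpc is adding backslashes for it. With the setting off, any
// apostrophe in the input changes the SQL text, which is the injection risk
// post #6 describes.
function find_user_weak(PDO $db, $name)
{
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: a prepared statement with a bound parameter. The value is
// sent separately from the SQL text, so its quoting state never matters.
function find_user_safe(PDO $db, $name)
{
    $stmt = $db->prepare("SELECT id, name, role FROM users WHERE name = :name");
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request value; the apostrophe is exactly what magic_quotes used
// to escape for the weak version.
$name = isset($_GET['name']) ? $_GET['name'] : "o'brien";

// The safe version returns the o'brien row regardless of the ini setting.
print_r(find_user_safe($db, $name));

// The weak version, with magic_quotes off (or stripped above), fails on the
// unbalanced quote; a real site would have silently accepted attacker-shaped input.
try {
    print_r(find_user_weak($db, $name));
} catch (PDOException $e) {
    echo "weak query failed: ", $e->getMessage(), "\n";
}
```

Two things worth noting for the "how many sites will break" question in post #4. First, scripts that call `stripslashes()` on every input unconditionally will start mangling legitimate backslashes once the setting is off, so a conditional like the one above is what a portable script should already have. Second, the escaping magic_quotes performs is `addslashes()`-style backslash quoting, which is MySQL's convention and not a general SQL escape, so even with the setting on it was never a substitute for parameterised queries against other engines.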
