Actions

Difference between revisions of "Magic quotes and security"

From Joomla! Documentation

(added information for J!3.0 and notice of MQ)
(Remove stuff about magic quotes being good ...........)
Line 1: Line 1:
{{incomplete|needs updating|JInput requires magic quotes being turned off and there are issues with this in Joomla 2.5. Article needs to be updated to reflect this}}
 
 
 
'''''This PHP feature has been depreciated as of PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0.'''''
 
'''''This PHP feature has been depreciated as of PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0.'''''
  
Line 7: Line 5:
 
: Joomla! advises magic_quotes_gpc to be set to off when using Joomla 2.5.xx.
 
: Joomla! advises magic_quotes_gpc to be set to off when using Joomla 2.5.xx.
  
JRequest automatically takes into account the setting of ''magic_quotes_gpc'' and adjusts accordingly.  If developers are using JRequest to request input then the actual value of the setting doesn't matter.  If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account.
+
JRequest automatically takes into account the setting of ''magic_quotes_gpc'' and adjusts accordingly.  If developers are using JRequest to request input then the actual value of the setting doesn't matter.  If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account (for this reason it is still common practice for developers to use JRequest in Joomla 2.5 - even though it is deprecated).
  
'''Magic Quotes Off''' there is an "increased" risk of SQL Injections due to poorly written
+
JInput does not take this into account, however due to Joomla 3.x and higher requiring that magic quotes are disabled - this is no longer a problem.
queries not being safely escaped in extensions hence the general PHP and JTS recommendation
+
that Magic Quotes be ON by default (although in the past PHP has left them
+
disabled in the default distribution) for a more secure environment.
+
 
+
This setting is now basically irrelevant (can be On or Off) due to the way that Joomla! has been written to overcome the problem of poorly written queries.
+
 
+
The setting is now deprecated and has actually been removed in later PHP releases anyway, hence developers of older PHP applications will need to complete a code review for compliance, and
+
safety, of which has already been completed by Joomla! quite some time ago and the issue was resolved with JRequest.
+
 
+
In the past, there has been much discussion regarding the performance implications of this setting, in general from my testing and experience, it was negligible at worst and unnoticed at best, unless the queries were very very large,  but on the whole the trade-off of improved security against
+
SQL Injections far outweighs any discussions surrounding performance.
+
  
 
For more on [http://php.net/magic_quotes PHP Manual, Chapter 31. Magic Quotes.]
 
For more on [http://php.net/magic_quotes PHP Manual, Chapter 31. Magic Quotes.]
  
 
Edited from a discussion on Joomla CMS development Mailing list between A Eddie, R Winter and C Mandville
 
  
 
<!-- KEEP THIS AT THE END OF THE PAGE -->
 
<!-- KEEP THIS AT THE END OF THE PAGE -->
 
[[Category:Security Checklist]]
 
[[Category:Security Checklist]]

Revision as of 19:09, 1 September 2013

This PHP feature has been depreciated as of PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0.

Joomla! 3.0 and above requires magic_quotes_gpc to be set to off and will not install if magic_quotes_gpc is on.
Joomla! advises magic_quotes_gpc to be set to off when using Joomla 2.5.xx.

JRequest automatically takes into account the setting of magic_quotes_gpc and adjusts accordingly. If developers are using JRequest to request input then the actual value of the setting doesn't matter. If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account (for this reason it is still common practice for developers to use JRequest in Joomla 2.5 - even though it is deprecated).

JInput does not take this into account, however due to Joomla 3.x and higher requiring that magic quotes are disabled - this is no longer a problem.

For more on PHP Manual, Chapter 31. Magic Quotes.