
Difference between revisions of "Magic quotes and security"

From Joomla! Documentation

(New page: JRequest automatically takes into account the setting of ''magic_quotes_gpc'' and adjusts accordingly. If developers are using JRequest to request input then the actual value of the setti...)
 
(added information for J!3.0 and notice of MQ)
(7 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 +
{{incomplete|needs updating|JInput requires magic quotes being turned off and there are issues with this in Joomla 2.5. Article needs to be updated to reflect this}}
 +
 +
'''''This PHP feature has been depreciated as of PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0.'''''
 +
 +
: Joomla! 3.0 and above requires magic_quotes_gpc to be set to off and will not install if magic_quotes_gpc is on.
 +
 +
: Joomla! advises magic_quotes_gpc to be set to off when using Joomla 2.5.xx.
 +
 
JRequest automatically takes into account the setting of ''magic_quotes_gpc'' and adjusts accordingly.  If developers are using JRequest to request input then the actual value of the setting doesn't matter.  If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account.
 
JRequest automatically takes into account the setting of ''magic_quotes_gpc'' and adjusts accordingly.  If developers are using JRequest to request input then the actual value of the setting doesn't matter.  If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account.
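Review bot: the new bold notice added at "Line 1" keeps the misspelling "depreciated" (and lower-case "php") even though the same typo is corrected to "deprecated" further down in this very revision; apply the same fix to the page-top notice so it reads "This PHP feature has been deprecated as of PHP 5.3.0 (30-06-2009) and has been removed from PHP as of PHP 5.4.0." The two new indented lines about Joomla! 3.0 and 2.5 are fine, but consider naming the directive consistently as ''magic_quotes_gpc'' (italic, as the following paragraph does) rather than plain text.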
  
Line 8: Line 16:
 
This setting is now basically irrelevant (can be On or Off) due to the way that Joomla! has been written to overcome the problem of poorly written queries.
 
This setting is now basically irrelevant (can be On or Off) due to the way that Joomla! has been written to overcome the problem of poorly written queries.
  
The setting is now depreciated and has actually been removed in later PHP releases anyway, hence developers of older PHP applications will need to complete a code review for compliance, and
+
The setting is now deprecated and has actually been removed in later PHP releases anyway, hence developers of older PHP applications will need to complete a code review for compliance, and
 
safety, of which has already been completed by Joomla! quite some time ago and the issue was resolved with JRequest.
 
safety, of which has already been completed by Joomla! quite some time ago and the issue was resolved with JRequest.
  
 
In the past, there has been much discussion regarding the performance implications of this setting, in general from my testing and experience, it was negligible at worst and unnoticed at best, unless the queries were very very large,  but on the whole the trade-off of improved security against
 
In the past, there has been much discussion regarding the performance implications of this setting, in general from my testing and experience, it was negligible at worst and unnoticed at best, unless the queries were very very large,  but on the whole the trade-off of improved security against
SQL Injections far out ways any discussions surrounding performance.
+
SQL Injections far outweighs any discussions surrounding performance.
  
For more on [http://us3.php.net/magic_quotes magic quotes]
+
For more on [http://php.net/magic_quotes PHP Manual, Chapter 31. Magic Quotes.]
  
  
 
Edited from a discussion on Joomla CMS development Mailing list between A Eddie, R Winter and C Mandville
 
Edited from a discussion on Joomla CMS development Mailing list between A Eddie, R Winter and C Mandville
 +
 +
<!-- KEEP THIS AT THE END OF THE PAGE -->
 +
[[Category:Security Checklist]]
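Review bot: the unchanged sentence "This setting is now basically irrelevant (can be On or Off)" now contradicts the notice this revision adds at the top of the page, which says Joomla! 3.0 and above will not install while magic_quotes_gpc is on; either qualify the sentence (it holds only for input read through JRequest on Joomla! 2.5) or drop "can be On or Off". The "out ways" to "outweighs" correction is right. For the re-targeted link, the rendered label "PHP Manual, Chapter 31. Magic Quotes." reads as a sentence fragment after "For more on"; "For more, see the PHP Manual chapter on magic quotes" with http://php.net/magic_quotes as the target would read cleanly.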

Revision as of 14:56, 19 February 2013

Content is Incomplete

This article or section is incomplete, which means it may be lacking information. You are welcome to assist in its completion by editing it as well. If this article or section has not been edited in several days, please consider helping complete the content.
This article was last edited by Phild 17 months ago.


This PHP feature has been deprecated as of PHP 5.3.0 (30-06-2009) and has been removed from PHP as of PHP 5.4.0.

Joomla! 3.0 and above requires magic_quotes_gpc to be set to off and will not install if magic_quotes_gpc is on.
Joomla! advises magic_quotes_gpc to be set to off when using Joomla 2.5.xx.

JRequest automatically takes into account the setting of magic_quotes_gpc and adjusts accordingly. If developers are using JRequest to request input then the actual value of the setting doesn't matter. If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account.

With Magic Quotes off there is an "increased" risk of SQL injection, because poorly written queries in extensions are not safely escaped; hence the general PHP and JTS recommendation that Magic Quotes be on by default (although in the past PHP has left them disabled in the default distribution) for a more secure environment.

This setting is now basically irrelevant (can be On or Off) due to the way that Joomla! has been written to overcome the problem of poorly written queries.

The setting is now deprecated and has actually been removed in later PHP releases anyway, so developers of older PHP applications will need to complete a code review for compliance and safety. Joomla! completed that review quite some time ago, and the issue was resolved with JRequest.
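The following PHP is an added illustration, not Joomla!'s own code and not a description of how JRequest is implemented internally. It shows the three points the paragraphs above make: a pre-flight check in the spirit of the Joomla! 3.0 installer that refuses to proceed while magic_quotes_gpc is on, request normalisation that strips the slashes the directive added so the application always sees raw input whatever the setting, and a parameterised query so escaping never depends on the directive at all. All function names are hypothetical; the demo assumes PHP 7.1 or later with the pdo_sqlite extension and uses constructed sample input.

```php
<?php
// Added example, not Joomla! code: handling magic_quotes_gpc defensively.
// Function names below are hypothetical; assumes PHP >= 7.1 with pdo_sqlite.

// Reads the directive the way an installer pre-flight check would.
// ini_get() returns false when the directive does not exist (PHP >= 5.4),
// "" or "0" when it is off, and "1" when it is on.
function magicQuotesEnabled(): bool
{
    $value = ini_get('magic_quotes_gpc');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Mirrors the Joomla! 3.0 behaviour described above: do not install while on.
function installerMayProceed(): bool
{
    return !magicQuotesEnabled();
}

// Removes the backslashes magic_quotes_gpc added to GET/POST/COOKIE values,
// recursing into nested arrays, so the application sees the raw input.
function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Normalises request input once, at the entry point, whatever the setting is.
function normaliseRequestInput(array $gpc, bool $magicQuotesOn): array
{
    return $magicQuotesOn ? stripMagicQuotes($gpc) : $gpc;
}

// With raw input in hand, bind it instead of concatenating it into SQL.
// A prepared statement is correct whether or not magic quotes ever ran.
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed demo -------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien')");

// Simulated $_GET as a PHP 5.3 host with magic_quotes_gpc=On would deliver it:
// the apostrophe in the name arrives already backslash-escaped, nested values too.
$simulatedGet = ['name' => "O\\'Brien", 'page' => ['sort' => "asc\\'"]];

if (!installerMayProceed()) {
    fwrite(STDERR, "magic_quotes_gpc is on; set it to Off in php.ini before continuing.\n");
    exit(1);
}

// On a modern host the directive is off, so the simulated flag is passed
// explicitly to show the stripping step older code had to perform.
$input = normaliseRequestInput($simulatedGet, true);

$row = findUserByName($db, $input['name']);
echo $row === null ? "no such user\n" : "found user {$row['id']}: {$row['name']}\n";
```

Run it with `php magic_quotes_demo.php`. The design point is that the normalisation happens exactly once at the request boundary and the query layer never escapes anything by hand: if input is stripped at the boundary and bound as a parameter, the value of magic_quotes_gpc has no effect on correctness, which is the property the text attributes to reading input through JRequest.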

In the past there has been much discussion regarding the performance implications of this setting. In general, from my testing and experience, it was negligible at worst and unnoticed at best, unless the queries were very, very large; but on the whole the trade-off of improved security against SQL injections far outweighs any discussions surrounding performance.

For more, see the PHP Manual, Chapter 31, Magic Quotes: http://php.net/magic_quotes


Edited from a discussion on Joomla CMS development Mailing list between A Eddie, R Winter and C Mandville