Difference between revisions of "Magic quotes and security"

Revision as of 19:09, 1 September 2013

This article is for Joomla! CMS Version(s)

This PHP feature has been depreciated as of PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0.

Joomla! 3.0 and above requires magic_quotes_gpc to be set to off and will not install if magic_quotes_gpc is on.

Joomla! advises magic_quotes_gpc to be set to off when using Joomla 2.5.xx.

JRequest automatically takes into account the setting of magic_quotes_gpc and adjusts accordingly. If developers are using JRequest to request input then the actual value of the setting doesn't matter. If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account (for this reason it is still common practice for developers to use JRequest in Joomla 2.5 - even though it is deprecated).

JInput does not take this into account, however due to Joomla 3.x and higher requiring that magic quotes are disabled - this is no longer a problem.

For more on PHP Manual, Chapter 31. Magic Quotes.

@@ Line 1: / Line 1: @@
-JRequest automatically takes into account the setting of ''magic_quotes_gpc'' and adjusts accordingly.  If developers are using JRequest to request input then the actual value of the setting doesn't matter.  If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account.
+{{version|2.5,3.x}}
+'''''This PHP feature has been depreciated as of PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0.'''''
-'''Magic Quotes Off''' there is an "increased" risk of SQL Injections due to poorly written
+: Joomla! 3.0 and above requires magic_quotes_gpc to be set to off and will not install if magic_quotes_gpc is on.
-queries not being safely escaped in extensions hence the general PHP and JTS recommendation
-that Magic Quotes be ON by default (although in the past PHP has left them
-disabled in the default distribution) for a more secure environment.
-This setting is now basically irrelevant (can be On or Off) due to the way that Joomla! has been written to overcome the problem of poorly written queries.
+: Joomla! advises magic_quotes_gpc to be set to off when using Joomla 2.5.xx.
-The setting is now deprecated and has actually been removed in later PHP releases anyway, hence developers of older PHP applications will need to complete a code review for compliance, and
+JRequest automatically takes into account the setting of ''magic_quotes_gpc'' and adjusts accordingly.  If developers are using JRequest to request input then the actual value of the setting doesn't matter.  If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account (for this reason it is still common practice for developers to use JRequest in Joomla 2.5 - even though it is deprecated).
-safety, of which has already been completed by Joomla! quite some time ago and the issue was resolved with JRequest.
-In the past, there has been much discussion regarding the performance implications of this setting, in general from my testing and experience, it was negligible at worst and unnoticed at best, unless the queries were very very large,  but on the whole the trade-off of improved security against
+JInput does not take this into account, however due to Joomla 3.x and higher requiring that magic quotes are disabled - this is no longer a problem.
-SQL Injections far outweighs any discussions surrounding performance.
-For more on [http://php.net/magic_quotes magic quotes]
+For more on [http://php.net/magic_quotes PHP Manual, Chapter 31. Magic Quotes.]
-Edited from a discussion on Joomla CMS development Mailing list between A Eddie, R Winter and C Mandville
 <!-- KEEP THIS AT THE END OF THE PAGE -->
 [[Category:Security Checklist]]

Difference between revisions of "Magic quotes and security"

From Joomla! Documentation

Revision as of 19:09, 1 September 2013