Magic quotes and security

From Joomla! Documentation

Revision as of 22:09, 15 March 2010 by Mandville (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

JRequest automatically takes into account the setting of magic_quotes_gpc and adjusts accordingly. If developers are using JRequest to request input then the actual value of the setting doesn't matter. If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account.

Magic Quotes Off there is an "increased" risk of SQL Injections due to poorly written queries not being safely escaped in extensions hence the general PHP and JTS recommendation that Magic Quotes be ON by default (although in the past PHP has left them disabled in the default distribution) for a more secure environment.

This setting is now basically irrelevant (can be On or Off) due to the way that Joomla! has been written to overcome the problem of poorly written queries.

The setting is now depreciated and has actually been removed in later PHP releases anyway, hence developers of older PHP applications will need to complete a code review for compliance, and safety, of which has already been completed by Joomla! quite some time ago and the issue was resolved with JRequest.

In the past, there has been much discussion regarding the performance implications of this setting, in general from my testing and experience, it was negligible at worst and unnoticed at best, unless the queries were very very large, but on the whole the trade-off of improved security against SQL Injections far out ways any discussions surrounding performance.

For more on magic quotes

Edited from a discussion on Joomla CMS development Mailing list between A Eddie, R Winter and C Mandville