How to undo magic quotes using the Stanford Web Application Toolkit

From Web Services Wiki

Revision as of 18:47, 3 December 2008 by Mrmarco (Talk | contribs)


Problem

Magic quotes is a now-deprecated PHP feature that will soon be disabled at Stanford. Its function is to automatically escape incoming data. Unfortunately, since magic_quotes can be turned on or off at will, and since different servers have different settings, an entire web application which relies on automatic string escaping can be made vulnerable to attacks when its environment changes. For this reason, if it is enabled, we must undo the damage caused by magic_quotes and escape strings ourselves just before they go into a database query.

Solution

The toolkit provides a method called undo_magic_quotes that reverses the effects of magic quotes. There are two ways to invoke this function.

Calling the function manually

If you already have a StanfordApp object, simply call the function as follows:

// Undo magic quotes
$app->util->undo_magic_quotes();

If you'd like to use the function by itself without including StanfordApp, include StanfordUtil and call it directly.

// Include StanfordUtil
include_once("stanford.util.php");
 
// Undo magic quotes
StanfordUtil::undo_magic_quotes();

Using a configuration file

Change the undo magic quotes setting in your configuration file to yes. The function will automatically be called each time the configuration file is loaded.

Sample configuration file:

settings:
  undo magic quotes: yes

How to load the configuration:

// Include StanfordApp
include_once("stanford.app.php");
 
// Load configuration
$app = new StanfordApp("/path/to/config.yaml");
 
// At this point, magic quotes have been removed

Discussion

Why is magic quotes still enabled at Stanford?

Since many legacy applications rely on this directive, it cannot be disabled without introducing serious security holes in older websites. We strongly suggest manually escaping all strings in database queries for this reason.

When will magic quotes be disabled?

The feature has been deprecated and removed in the upcoming PHP 6.0.0.

Will I have to undo the undo magic quotes function when PHP 6.0.0 comes out?

You can, but it's not necessary. The toolkit first checks whether magic quotes is turned on. If it's not, the function does nothing.
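An added example, not the toolkit's own code, that shows the behaviour described in the Solution section and in the answer above: the reversal is applied recursively to the request arrays, only when the directive is actually on, and the string is escaped right before it goes into the query. The function names, the mysqli connection details and the table and column names are assumptions.

```php
<?php
// Added example (not the Stanford toolkit's code). Illustrates what the
// page describes undo_magic_quotes() doing; names here are assumptions.

// Recursively strip the backslashes that magic quotes added to a value.
// Nested arrays (e.g. name="a[]" form fields) are handled too.
function unquote_deep($value)
{
    if (is_array($value)) {
        return array_map('unquote_deep', $value);
    }
    return stripslashes($value);
}

// Undo magic quotes only when the directive is on. On a host where it has
// been disabled this is a no-op, so the call can safely stay in place.
// Returns true when something was undone, false otherwise.
function undo_magic_quotes_gpc()
{
    if (!get_magic_quotes_gpc()) {
        return false;   // nothing to undo; stripping here would corrupt data
    }
    $_GET     = unquote_deep($_GET);
    $_POST    = unquote_deep($_POST);
    $_COOKIE  = unquote_deep($_COOKIE);
    $_REQUEST = unquote_deep($_REQUEST);
    return true;
}

// 1. Normalise incoming data once, at the start of the request.
undo_magic_quotes_gpc();

// 2. Escape just before the value enters the query, using the escaping
//    function of the database connection actually in use (assumed mysqli).
$db = new mysqli('localhost', 'user', 'password', 'dbname');   // assumed credentials
if ($db->connect_error) {
    die('Connection failed');
}
$name = $db->real_escape_string($_POST['name'] ?? '');
$result = $db->query("SELECT id FROM users WHERE name = '$name'");

// Equivalent with a prepared statement, which avoids string escaping entirely.
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $_POST['name']);
$stmt->execute();
```

Because the escaping happens at the query rather than at input time, the same code behaves identically whether or not magic quotes is enabled on the server it runs on.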
