Criticism
Magic quotes were enabled by default in new installations of PHP 3 and 4, and since their operation was behind the scenes and not immediately obvious, developers may have been unaware of their existence and the potential problems that they could introduce. The PHP documentation pointed out several pitfalls and recommended that, despite being enabled by default, they should be disabled.
Problems with magic quotes included:
- Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.
- Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database, protected by magic quotes, and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
- Magic quotes also use the generic functionality provided by PHP's addslashes function, which is not Unicode-aware and is still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string or, where possible, prepared queries with bound parameters, are preferred.
- While many database management systems support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash.
- Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or vice versa.
- Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary amount of performance overhead.
- Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.
In November 2005 the core PHP developers decided that because of these problems, the magic quotes feature would be removed from PHP 6.
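The following script is an added illustration, not code from the original article: it emulates the magic_quotes_gpc pass that PHP 3 and 4 applied to request data and walks through the first two pitfalls listed above (stray backslashes in output and in stored data, and database-sourced values that magic quotes never touched). It assumes the pdo_sqlite extension is available; the request values are constructed sample input.

```php
<?php
// magic_quotes_gpc amounted to running addslashes() over every GET/POST/COOKIE value.
function emulate_magic_quotes(array $request): array
{
    return array_map('addslashes', $request);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

// Constructed sample request, as the browser would have submitted it.
$rawPost = ['name' => "O'Reilly"];
$post    = emulate_magic_quotes($rawPost);   // the apostrophe is now backslash-escaped

// Pitfall 1: the value is echoed rather than put into SQL, so the user sees
// a backslash that was added for a query that never happens.
echo 'Preview: ', htmlspecialchars($post['name']), "\n";

// Pitfall 1 again: a bound parameter already quotes correctly, so inserting
// the magic-quoted value stores the backslash as data (double escaping).
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $post['name']]);
echo 'Stored with magic quotes: ', $pdo->query('SELECT name FROM users')->fetchColumn(), "\n";

// Correct handling: strip the magic quotes (or disable them) and let the
// bound parameter do the escaping.
$pdo->exec('DELETE FROM users');
$insert->execute([':name' => stripslashes($post['name'])]);
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
echo 'Stored cleanly: ', $stored, "\n";

// Pitfall 2: $stored came from the database, not from the request, so magic
// quotes never touched it. Splicing it into SQL by hand sends the raw quote
// to the parser; binding it as a parameter does not.
try {
    $pdo->query("SELECT COUNT(*) FROM users WHERE name = '$stored'");
    echo "Concatenated query ran (would not for this input)\n";
} catch (PDOException $e) {
    echo "Concatenated query failed: the unescaped quote reached the SQL parser\n";
}
$lookup = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$lookup->execute([':name' => $stored]);
echo 'Bound lookup found ', $lookup->fetchColumn(), " row(s)\n";
```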