
I'm totally aware of the aberration of Magic Quotes in PHP, how evil it is, and I avoid them like the plague, but what are magic_quotes_runtime? From php.ini:

Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.

Is it something I should check if ON and turn OFF with:

set_magic_quotes_runtime(false);

Is it often ON by default? I know it's deprecated in 5.3.0 and removed in 6.0.0, but since my scripts support 5.1.0+ I would like to know how to handle this in "legacy" PHP (if it's relevant).

Edit: To make things clear I want to exit('Turn OFF Magic Quotes'); when Magic quotes are ON. I'm not relying on them!

AlexV

3 Answers

If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime

grapefrukt
mck89
  • If the link contains the answer, why not just write the link? – mck89 Jan 22 '10 at 16:07
  • @mck89 Because it requires the user to hunt down the solution, and links may change, but text posted here won't. (-1 removed) – Sampson Jan 22 '10 at 16:12
  • Is magic_quotes_runtime ON a nuisance? Should I turn em OFF when ON? Or even exit() the script with a message telling to turn em OFF? – AlexV Jan 22 '10 at 18:21
  • But why do you have to use them? It's deprecated, so if you are writing code don't use it. Anyway, if you must set magic_quotes_runtime, set it to false, because if you look at the link that I wrote at the top of the page there's the default value and it's false. – mck89 Jan 24 '10 at 11:17
  • I'm NOT using them. I want to know what to do if they are ON (leave them ON, turn em OFF, exit() the script with a warning...). – AlexV Jan 25 '10 at 13:40
  • I don't know what you want to do, but I don't think you must care about them; anyway, if they can generate errors, print the warning message or try to set them OFF with ini_set(). – mck89 Jan 25 '10 at 14:05
  • @mck89 because sometimes pages get removed from the reference website, like https://www.php.net/manual/en/function.set-magic-quotes-runtime.php, removed in OCT-2020! Why? – a55 Dec 28 '20 at 09:34

You could use ini_get to check for its value, like this:

ini_get('magic_quotes_runtime');

Also, you should wrap calls to set_magic_quotes_runtime/get_magic_quotes_runtime in function_exists calls, like this:

if (function_exists('set_magic_quotes_runtime')) {
    // pass true to enable or false to disable; false turns runtime magic quotes off
    set_magic_quotes_runtime(false);
}

But of course, one should not rely on magic quotes at all and should have them disabled if possible. See this link for a couple of reasons why: http://www.php.net/manual/en/security.magicquotes.whynot.php

AlexB
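Putting the answer's ini_get/function_exists advice together with what the question asks for (exit when any magic quotes are ON), here is an added example that is not from the answers above. It assumes a hypothetical helper name, magic_quotes_status(), and is written to load on PHP 5.1 as well as on newer releases where the functions no longer exist.

```php
<?php
// Added example: report which magic-quotes settings are active so the
// script can refuse to run, as the question asks. Every magic-quotes
// function is guarded with function_exists(), and ini_get() returns
// false for options that a newer PHP no longer knows about.
function magic_quotes_status()
{
    $status = array(
        'magic_quotes_gpc'     => false,
        'magic_quotes_runtime' => false,
        'magic_quotes_sybase'  => false,
    );

    // GPC: applied to $_GET/$_POST/$_COOKIE before the script starts.
    // The @ silences the E_DEPRECATED notice PHP 7.4 raises for the call.
    if (function_exists('get_magic_quotes_gpc')) {
        $status['magic_quotes_gpc'] = (bool) @get_magic_quotes_gpc();
    }

    // Runtime: applied to data returned by SQL, exec(), file reads, etc.
    if (function_exists('get_magic_quotes_runtime')) {
        $status['magic_quotes_runtime'] = (bool) @get_magic_quotes_runtime();
    } else {
        $status['magic_quotes_runtime'] = (bool) ini_get('magic_quotes_runtime');
    }

    // Sybase mode changes how quotes are escaped ('' instead of \').
    $status['magic_quotes_sybase'] = (bool) ini_get('magic_quotes_sybase');

    return $status;
}

$status = magic_quotes_status();

// Runtime quotes can still be switched off from inside the script on
// PHP < 7; GPC quotes cannot, because the request data was already
// escaped before this code ran, so for those we can only refuse to run.
if ($status['magic_quotes_runtime'] && function_exists('set_magic_quotes_runtime')) {
    @set_magic_quotes_runtime(false);
    $status['magic_quotes_runtime'] = false;
}

$still_on = array_keys(array_filter($status));
if (count($still_on) > 0) {
    exit('Turn OFF Magic Quotes: ' . implode(', ', $still_on));
}
```

On PHP 5.4 and later every value comes back false, so the check costs nothing there and only ever fires on the legacy installs the question is about.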

If magic quotes are ON, PHP will automatically escape quotes coming in POST or GET variables and automatically un-escape them when pulling data out of a database, for example.

If you use things like addslashes(), mysql_escape_string() or mysql_real_escape_string() with magic quotes on, you'll end up double-escaping quotes.

The reason it's evil is the same reason addslashes() and mysql_escape_string() are evil - because it doesn't capture every possible method of putting a quote in a string. It gives you a false sense of security in thinking that you don't have to worry about escaping quotes anymore when in reality you still do.

Also, as if escaping strings wasn't enough of a PITA already, now you have to check if magic quotes are on or off before you try to escape or un-escape a string to avoid double escaping.

Eric Petroelje
    Not asking what "Magic Quotes" are I know that too well. What I'm asking is what are "magic_quotes_runtime"? What data is escaped by this setting? – AlexV Jan 22 '10 at 16:14
  • @AlexV - The two settings work in conjunction. The GPC one is for POST, GET and COOKIE data; the runtime one is for more-or-less everything else (files, mysql, etc). If your question is "what EXACTLY is 'everything else'?" then alexb has the answer in his link. – Eric Petroelje Jan 22 '10 at 16:21
  • It's mck89 link not alexb one :) – AlexV Jan 22 '10 at 18:24