60

I have encountered a situation where some of my old code is using get_magic_quotes_gpc(), which is deprecated in the latest PHP version 7.4.*

Currently, I have something like this.

Add Slashes

return get_magic_quotes_gpc() ? addslashes($string) : $string;

Remove Slashes

return get_magic_quotes_gpc() ? stripslashes($string) : $string;

Which is obviously giving an error

Deprecated: Function get_magic_quotes_gpc() is deprecated

Question:

How can I fix it so that it works the same without using the get_magic_quotes_gpc() function?

Phil
Code Lover
  • 21
    Since PHP no longer adds slashes to request parameters ([removed in PHP 5.4](https://www.php.net/manual/en/security.magicquotes.what.php)), `get_magic_quotes_gpc()` **always** returns `false`. With that in mind, you don't have to do anything to your strings, they should always be clean. – Phil Apr 06 '20 at 06:58
  • 1
    I also can't think of any valid reasons to ever use `addslashes()`. I can't tell why you would have code like your first snippet, even prior to PHP 5.4 – Phil Apr 06 '20 at 06:59
  • @Phil Do you mean PHP itself handles all such vulnerable injection? – Code Lover Apr 06 '20 at 07:04
  • 3
    No, quite the opposite. PHP now no longer gets in the way of developers and leaves securing your app up to you – Phil Apr 06 '20 at 07:05
  • I see, so could you please suggest a way to secure it? – Code Lover Apr 06 '20 at 07:12
  • 7
    Secure what and against what vulnerabilities? Your question shows no uses of this code. If you were relying on this code to sanitise SQL query parameters, use prepared statements instead. – Phil Apr 06 '20 at 07:18
  • I see, got it. Thanks a lot @Phil, I appreciate it. – Code Lover Apr 06 '20 at 07:20
  • `get_magic_quotes_gpc()` together with `addslashes()` makes no sense. – Dharman Apr 16 '20 at 21:23

2 Answers

103

You need to remove every mention of this function from your code and not replace it with anything else.

get_magic_quotes_gpc() has been useless ever since PHP 5.4.0. It would tell you whether you have magic quotes switched on in the configuration or not. Magic quotes were a terrible idea and this feature was removed for security reasons (PHP developers believed in magic & superstitions and wrote insecure code).

Most likely even you yourself do not know why you had this line of code in your project. I know I was fooled by it when I was learning PHP. The reality is you do not need it at all. This function has nothing to do with security and the concept of input sanitization is preposterous.

Instead, rely on good security guidelines.

  • Use parameterized prepared statements for interactions with the database. PHP has a very good library called PDO, which can be used with many DB drivers including MySQL.
  • If you produce output, then escape the output taking into consideration the rules of that medium. For example when outputting to HTML use htmlspecialchars() to prevent XSS.
  • Never sanitize input. There is no magical solution that would protect you against everything. Instead, you as a developer must be aware of dangers and you need to know how to protect your code. Don’t try to sanitize input. Escape output.
Dharman
  • 9
    I disagree with your blanket statement that (all) input sanitation would be unnecessary or even preposterous. Instead you need to know what kind of input you can safely handle, and ensure that input matches that. I do agree though that it's a misconception to think once it was sanitized once, it's safe for every further use. FYI get_magic_quotes was a requirement for safe and sane code in the times when magic could just happen to your script. Prepared statements are better, but it should also still look nice, shouldn't it? ;) – Zefiro Mar 14 '21 at 19:49
  • @Zefiro Aren't you thinking of input validation? You validate the input you receive to make sure that it is what the application expects, but that has nothing to do with security. – Dharman Mar 14 '21 at 19:52
  • 2
    You're right, I did. Though I don't really see a difference here. In case of magic quotes, it was "getting the input in a known state for further processing", i.e. you know whether escaping slashes had been added or not automagically. (and in the times before Prepared Statements that was at least related to security) – Zefiro Mar 14 '21 at 20:25
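
Added example, not part of the answer above or of any poster's code: the storage and output handling that answer recommends, written out for a value that the old addslashes() path would have altered. The table, the function names and the sample input are constructed for illustration, and an in-memory SQLite database (pdo_sqlite extension assumed) stands in for the real one.

```php
<?php
declare(strict_types=1);

// Constructed sample input: a quote, a backslash and markup, as a request might deliver them.
$input = "O'Brien \\ <b>bold</b>";

// In-memory SQLite keeps the example offline (assumption: pdo_sqlite is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Storage: the value travels as a bound parameter and is never spliced into SQL text.
function saveAuthor(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO authors (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

function loadAuthor(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT name FROM authors WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Output: escape for the medium (HTML here) at the moment of output.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id = saveAuthor($pdo, $input);
$stored = loadAuthor($pdo, $id);

// The database holds exactly what was submitted, so there is nothing to strip later.
var_dump($stored === $input);

// For comparison: the altered string the legacy addslashes() branch would have produced.
echo addslashes($input), PHP_EOL;

// The same stored value, made safe for an HTML page only when it is printed.
echo '<p>', html($stored ?? ''), '</p>', PHP_EOL;
```

The stored value needs no slash handling in either direction, which is why the legacy wrappers can be deleted outright once queries use bound parameters.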
9

Replace get_magic_quotes_gpc() with false.

Then simplify complex expressions by removing the unreachable branches. E.g.

return get_magic_quotes_gpc() ? addslashes($string) : $string;

becomes simply

return $string;
MarkusK