Magic quotes | Joomla install | PHP disable



SeattleMicah
01-26-2012, 07:04 AM
Hey everyone, I am trying to disable magic quotes...

Before I do, though, can we talk about what it means?

I found this http://www.php.net/manual/en/security.magicquotes.what.php

but layman's terms would be cool for a front end guy. Also, from there, which disable choice should I choose? http://www.php.net/manual/en/security.magicquotes.disabling.php

The reason I am here is to start this Joomla install.

http://img268.imageshack.us/img268/949/magicqutoes.png (http://imageshack.us/photo/my-images/268/magicqutoes.png/)

thanks

Inigoesdr
01-26-2012, 06:48 PM
The manual page you linked is pretty layman in the description. Just to expand on that some more, any GPC (GET, POST, COOKIE) data will get escaped automatically when magic_quotes_gpc is on. This is to prevent poor code from allowing SQL injection, and a few other issues. For example, if you don't escape user input:

mysql_query('INSERT INTO `users` (`id`, `username`) VALUES(NULL, \'' . $_POST['username'] . '\')');

Someone could post a username like "user'); DROP TABLE `users`;--" and wipe out your table. Magic Quotes was intended to prevent such issues, but it causes issues with code that escapes data properly because the data gets escaped twice. So, it's recommended to disable it and not depend on it, because it's deprecated and will be removed in upcoming PHP releases. As to which option you should use to disable it: go for Example 1 if possible. Either of the options for Example 1 will disable it at the server level, and that is ideal. Example 2 doesn't disable it; it simply undoes the escaping, and that won't change the Joomla flag to off. Joomla might do something similar to Example 2 automatically, but I can't confirm that.
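An added example, not part of the thread or of Joomla's code, showing the double-escaping problem described above next to a bound-parameter insert that needs no magic quotes. It assumes PHP 7 or later with the PDO SQLite driver; addslashes() stands in for what magic_quotes_gpc did to incoming data, and the table, the helper store_username() and the inputs are constructed for illustration.

```php
<?php
// Added example. addslashes() simulates magic_quotes_gpc, which no longer
// exists in current PHP. Table, helper name and inputs are constructed.

// Insert a username with a bound parameter and read back what was stored.
function store_username(PDO $db, string $username): string
{
    // The value is sent separately from the SQL text, so quotes in it
    // cannot end the string literal or start another statement.
    $insert = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $insert->execute([':username' => $username]);

    $read = $db->prepare('SELECT username FROM users WHERE id = :id');
    $read->execute([':id' => $db->lastInsertId()]);
    return $read->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');

// Constructed inputs: an ordinary name with a quote, and the string
// quoted in the post above.
$inputs = ["O'Brien", "user'); DROP TABLE `users`;--"];

foreach ($inputs as $raw) {
    // What the script would receive in $_POST with magic quotes on.
    $withMagicQuotes = addslashes($raw);

    // Correct code plus magic quotes: the backslashes are stored as data.
    $storedOn = store_username($db, $withMagicQuotes);

    // Correct code with magic quotes off: the value is stored unchanged.
    $storedOff = store_username($db, $raw);

    printf("input:            %s\n", $raw);
    printf("magic quotes on:  %s\n", $storedOn);
    printf("magic quotes off: %s\n\n", $storedOff);
}

// Both inputs were handled as plain data in every case.
$count = $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
printf("users table still exists with %d rows\n", $count);
```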

SeattleMicah
01-26-2012, 07:29 PM
Thank you for the info. I don't 100% understand what you're saying, but I'm diving in head first to the server side stuff so just trying to cover my bases.

Scripting attacks like that will have to be learned the hard way; fortunately it's just for my practice.


