I'm totally aware of the aberration of Magic Quotes in PHP, how it is evil and I avoid them like pest, but what are magic_quotes_runtime
? From php.ini:
Magic quotes for runtime-generated
data, e.g. data from SQL, from exec(),
etc.
Is is something I should check if ON and turn OFF with:
set_magic_quotes_runtime(false);
Is it often ON by default? I know it's deprecated in 5.3.0 and removed in 6.0.0 but since my script support 5.1.0+ I would like to know how to handle this in "legacy" PHP (if it's relevant).
Edit: To make things clear I want to exit('Turn OFF Magic Quotes'); when Magic quotes are ON. I'm not relying on them!
If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime
If magic quotes are ON, php will automatically escape quotes coming in POST or GET variables and automatically un-escape them when pulling data out of a database for example.
If you use things like addslashes(), mysql_escape_string() or mysql_real_escape_string() with magic quotes on, you'll end up double-escaping quotes.
The reason it's evil is the same reason addslashes() and mysql_escape_string() are evil - because it doesn't capture every possible method of putting a quote in a string. It gives you a false sense of security in thinking that you don't have to worry about escaping quotes anymore when in reality you still do.
Also, as if escaping strings wasn't enough of a PITA already, now you have to check if magic quotes are on or off before you try to escape or un-escape a string to avoid double escaping.
You could use ini_get to check for it's value, like this:
ini_get('magic_quotes_runtime');
Also you should wrap calls to set_magic_quotes_runtime/get_magic_quotes_runtime in function_exists calls, like that:
if (function_exists('set_magic_quotes_runtime')) {
set_magic_quotes_runtime(true/false);
}
But of course, one should not rely on magic quotes at all and should have them disabled if possible. Se this link for a coule of reasons why: http://www.php.net/manual/en/security.magicquotes.whynot.php