Magic quotes and security: Difference between revisions

Revision as of 14:52, 10 March 2015

This article is for Joomla! CMS Version(s)

Magic Quotes was a PHP feature, enabled using the magic_quotes_gpc setting, that escaped (in a very limited way) most of the input data accessible to PHP scripts. It has been removed from PHP for a variety of reasons. For more on Magic Quotes, see PHP Manual, Chapter 31. Magic Quotes.

This PHP feature has been deprecated as of PHP 5.3.0 (30-06-2009) and has been removed from PHP as of PHP 5.4.0.

Joomla! 3.0 and above requires magic_quotes_gpc to be set to off and will not install if magic_quotes_gpc is on.

Joomla! 2.5 advises magic_quotes_gpc to be set to off.

JRequest automatically takes into account the setting of magic_quotes_gpc and adjusts accordingly. If developers are using JRequest to request input then the actual value of the setting doesn't matter. If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account (for this reason it is still common practice for developers to use JRequest in Joomla 2.5 - even though it is deprecated).

JInput does not take this into account. However, due to Joomla 3.x and higher requiring that magic quotes are disabled, this is no longer a problem.

@@ Line 1: / Line 1: @@
 {{version|2.5,3.x}}
-'''''This PHP feature has been depreciated as of PHP 5.3.0 (30-06-2009) and has been removed from php as of PHP 5.4.0.'''''
-: Joomla! 3.0 and above requires magic_quotes_gpc to be set to off and will not install if magic_quotes_gpc is on.
+'''Magic Quotes''' was a PHP feature, enabled using the <code>magic_quotes_gpc</code> setting, that escaped (in a very limited way) most of the input data accessible to PHP scripts. It has been removed from PHP for [http://php.net/manual/en/security.magicquotes.whynot.php a variety of reasons]. For more on Magic Quotes, see [http://php.net/magic_quotes PHP Manual, Chapter 31. Magic Quotes].
-: Joomla! advises magic_quotes_gpc to be set to off when using Joomla 2.5.xx.
+'''''This PHP feature has been deprecated as of PHP 5.3.0 (30-06-2009) and has been removed from PHP as of PHP 5.4.0.'''''
-JRequest automatically takes into account the setting of ''magic_quotes_gpc'' and adjusts accordingly.  If developers are using JRequest to request input then the actual value of the setting doesn't matter.  If developers aren't using it then they will have to take the setting of magic_quotes_gpc into account (for this reason it is still common practice for developers to use JRequest in Joomla 2.5 - even though it is deprecated).
+: {{JVer|3.x}} Joomla! 3.0 and above requires <code>magic_quotes_gpc</code> to be set to '''off''' and will not install if <code>magic_quotes_gpc</code> is on.
+: {{JVer|2.5}} Joomla! 2.5 advises <code>magic_quotes_gpc</code> to be set to '''off'''.
-JInput does not take this into account, however due to Joomla 3.x and higher requiring that magic quotes are disabled - this is no longer a problem.
+JRequest automatically takes into account the setting of <code>magic_quotes_gpc</code> and adjusts accordingly.  If developers are using JRequest to request input then the actual value of the setting doesn't matter.  If developers aren't using it then they will have to take the setting of <code>magic_quotes_gpc</code> into account (for this reason it is still common practice for developers to use JRequest in Joomla 2.5 - even though it is deprecated).
-For more on [http://php.net/magic_quotes PHP Manual, Chapter 31. Magic Quotes.]
+JInput does not take this into account. However, due to Joomla 3.x and higher requiring that magic quotes are disabled, this is no longer a problem.
 <!-- KEEP THIS AT THE END OF THE PAGE -->
 [[Category:Security Checklist]]

Magic quotes and security: Difference between revisions

From Joomla! Documentation

Revision as of 14:52, 10 March 2015