Sunday, August 28, 2005
PHP Magic Quotes
PHP has a “feature” called Magic Quotes. Basically, if it’s on, all user data (GET, POST, cookies) is automatically escaped for use in a SQL query. This, in and of itself, is not too horrible; it just means you have to explicitly un-escape instead of explicitly escape. I still think it’s a bad idea, because it’s designed to let you drop request variables directly into a SQL query without validation, which is still a bad idea, even if SQL injection isn’t possible.
But do you know what they did? They made it an option. That’s right. One PHP hosting service might have it on, and another might have it off, so you have to code for both cases. So you have to wrap getting request variables in a helper function that checks for you at runtime and does whatever behavior you want.
This means that Magic Quotes actually makes it harder to do the right thing than if the feature didn’t exist! You have to go to extra work to make sure that your program works correctly in all cases.
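What such a helper can look like, as an added example that is not from the original post: it checks for magic quotes at runtime, strips the automatic escaping so the rest of the application always sees raw values, and then hands the value to a parameterised PDO query instead of interpolating it into SQL. The function names (`magic_quotes_on`, `normalise_quotes`, `raw_request_value`) and the in-memory SQLite table are this example’s own, not PHP built-ins.

```php
<?php
// Added example, not code from the original post. Normalises request input so
// the application sees raw (unescaped) values whether or not magic_quotes_gpc
// is on, then uses a parameterised query rather than string concatenation.

function magic_quotes_on(): bool
{
    // get_magic_quotes_gpc() was removed in PHP 8.0; from PHP 5.4 onward it
    // always returned false because the feature itself had been removed.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

function normalise_quotes($value)
{
    // Undo magic quotes recursively so array inputs (foo[]=a&foo[]=b) work too.
    if (is_array($value)) {
        return array_map('normalise_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

function raw_request_value(array $source, string $key, $default = null)
{
    // Single entry point for request data: the magic-quotes check lives here,
    // so the rest of the code never has to know which hosting setup it runs on.
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    return magic_quotes_on() ? normalise_quotes($source[$key]) : $source[$key];
}

// Usage: the query is parameterised, so the raw value is safe to bind
// regardless of whether the environment had magic quotes on.
$username = raw_request_value($_GET, 'user', '');

$pdo = new PDO('sqlite::memory:');   // constructed in-memory DB for the example
$pdo->exec('CREATE TABLE users (name TEXT)');
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute(["O'Brien"]);

$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $username]);
var_dump($stmt->fetchColumn());   // string "O'Brien" when ?user=O'Brien, false otherwise
```

Because escaping happens exactly once, at the database boundary (here by the prepared statement), a name like `O'Brien` is stored and matched correctly on hosts with magic quotes on and off alike; with magic quotes left in place it would be stored as `O\'Brien` on one host and `O'Brien` on the other.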
On the other hand, if you don’t care about doing the Right Thing, PHP might just be for you.