
Thread: Change default php.ini to magic_quotes_gpc = Off

  1. #1
    Alan B (Super Moderator, Toronto, Canada; joined Jul 2007)

    Change default php.ini to magic_quotes_gpc = Off

    Perhaps WHB staff could address this.

    PHP configuration on WHB servers has magic_quotes_gpc = On.
    Is that a cPanel default, or is that something that WHB chooses?

    If it's a choice, could WHB make the default magic_quotes_gpc = Off ?

    From the PHP manual, and PHP Wiki:
    Why not to use Magic Quotes

    Performance
    Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.

    Inconvenience
    Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().

    Not all data that is supplied by the user is intended for insertion into a database. It may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user.

    Security
    Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode aware and still subject to SQL injection vulnerabilities in some multi-byte character encodings.

    Removed from future versions, due to problems
    In November 2005 the core PHP developers decided on account of these problems that the magic quotes feature would be removed from PHP 6.
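The "Security" paragraph quoted above is the one worth seeing in code. What follows is an added example, not code from Alan B's post or from the PHP manual: it uses a constructed attacker input to show why the byte-wise addslashes() that magic_quotes_gpc applies leaves a quote intact when the consumer treats the bytes as a multi-byte encoding such as GBK, and what the correct defence looks like. The findUserSafely() function at the end assumes you already hold a PDO connection to pass in; the function name and the users/name table and column are placeholders for illustration.

```php
<?php
// Added example, not from the thread: addslashes()/magic_quotes_gpc is not a
// SQL injection defence under multi-byte encodings. Inputs are constructed.

// Attacker-controlled value: a lone GBK lead byte (0xBF) followed by an ASCII quote.
$input = "\xbf\x27 OR 1=1 -- ";

// This is exactly what magic_quotes_gpc=On does to every GET/POST/COOKIE value.
$escaped = addslashes($input);      // bytes: bf 5c 27 20 4f 52 ...

// addslashes() works byte by byte: it inserted a backslash (0x5C) before the quote.
// A GBK-aware consumer (e.g. a MySQL connection whose character set is gbk) reads
// 0xBF 0x5C as ONE two-byte character, so the quote (0x27) is no longer escaped.
function gbkCharsAfterEscaping($escaped)
{
    $chars = array();
    for ($i = 0, $n = mb_strlen($escaped, 'GBK'); $i < $n; $i++) {
        $chars[] = mb_substr($escaped, $i, 1, 'GBK');
    }
    return $chars;
}

$chars = gbkCharsAfterEscaping($escaped);
assert(bin2hex($chars[0]) === 'bf5c');   // the backslash was swallowed into a character
assert($chars[1] === "'");               // and the quote stands on its own

// The literal the database sees is therefore terminated early and the rest of the
// input becomes SQL: ... WHERE name = '<one GBK char>' OR 1=1 -- '
$vulnerableSql = "SELECT * FROM users WHERE name = '" . $escaped . "'";

// Fix: do not rely on global escaping at all. Bind parameters so the value never
// becomes part of the statement text. (If you must escape, use the connection's own
// charset-aware function: mysqli::set_charset('gbk') + real_escape_string().)
function findUserSafely(PDO $db, $name)
{
    // Let the server parse the statement; the value travels separately from the SQL.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Run the first half on any PHP with mbstring to see the two assertions hold; the lesson is that escaping is only meaningful relative to the character set the consumer uses, which is something a global php.ini switch cannot know.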

  2. #2
    Alan B (Super Moderator)

    any response to this from WHB?

  3. #3
    Alan B (Super Moderator)

    bump

  4. #4
    amclay (Geek, Midwest; joined Apr 2009)

    Quote Originally Posted by Alan B:
        any response to this from WHB?

    Given that I believe the feature will be unavailable with PHP 6.x, I'm not sure this is a pressing issue with WHB. That given, I haven't seen Magic Quotes in quite some time, and there's no reason to not turn them off by default.

    You can turn them off using .htaccess with:

    php_flag magic_quotes_gpc Off

    http://us3.php.net/manual/en/securit....disabling.php

    Some people use a few scripts that rely on Magic Quotes such as the one described here:

    http://us3.php.net/manual/en/function.parse-str.php

    It may be that they want to have legacy support, and just let the PHP upgrade take care of it.

  5. #5
    Alan B (Super Moderator)

    Quote Originally Posted by amclay:
        You can turn them off using .htaccess with:

        php_flag magic_quotes_gpc Off

    No, that is not correct. These servers use SuPHP, so PHP overrides can be made only in php.ini.

    Quote Originally Posted by amclay:
        Some people use a few scripts that rely on Magic Quotes such as the one described here:
        It may be that they want to have legacy support, and just let the PHP upgrade take care of it.

    It's better to default to a safer state, with magic_quotes_gpc off. The few users who require them on for a specific script can use a local override. It's better to have the entire server safer, and have users make just their own account less safe if necessary.
    I am not WHB staff and I am not paid.
    I provide help in these forums on my own time.
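Posts #4 and #5 disagree on where the override lives: under suPHP, php_flag in .htaccess is a mod_php directive and does not apply, so the setting has to go in a php.ini (a line `magic_quotes_gpc = Off` in whichever php.ini the host's suPHP configuration loads for the account; exactly which file that is depends on the hosting setup and is not something this thread confirms). Whatever the server does, application code should not depend on it. The following is an added example, not code from the thread or from WHB: it checks the effective setting at runtime, undoes the escaping exactly once and only when the server added it, and uses a constructed form value to show why the guard matters. It targets PHP 5.3 through current releases and avoids get_magic_quotes_gpc(), which was removed in PHP 8.0.

```php
<?php
// Added example, not from the thread: make application code independent of the
// server's magic_quotes_gpc setting. Works on PHP 5.3 through current releases.

// Is the directive actually in effect for THIS request? Ask the running interpreter
// rather than trusting the file you edited (the same check, from a shell, is
// `php -i | grep -i magic_quotes`). ini_get() returns "1"/"0" on PHP 5.3 and false
// on 5.4+, where the directive no longer exists; FILTER_VALIDATE_BOOLEAN maps all
// of those to the right answer.
function magicQuotesAreOn()
{
    return filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN);
}

// Undo the escaping exactly once. Request values can be nested arrays
// (e.g. tags[]=a&tags[]=b), so walk them recursively; leave non-strings alone.
function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);   // keys are preserved
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Run this before any other code touches the superglobals; auto_prepend_file or
// the front controller is the natural place.
if (magicQuotesAreOn()) {
    $_GET     = stripMagicQuotes($_GET);
    $_POST    = stripMagicQuotes($_POST);
    $_COOKIE  = stripMagicQuotes($_COOKIE);
    $_REQUEST = stripMagicQuotes($_REQUEST);
}

// Constructed demonstration of why the guard matters.
$submitted       = 'O\'Reilly wrote C:\temp\notes.txt';   // what the user typed
$withMagicQuotes = addslashes($submitted);                // what a magic_quotes_gpc=On server hands you

// Stripping what the server added restores the original exactly, at any nesting depth...
assert(stripMagicQuotes($withMagicQuotes) === $submitted);
assert(stripMagicQuotes(array('f' => array($withMagicQuotes))) === array('f' => array($submitted)));

// ...but stripping when nothing was added destroys legitimate backslashes. This is
// the failure mode of unconditional stripslashes() calls in legacy scripts.
assert(stripMagicQuotes($submitted) === 'O\'Reilly wrote C:tempnotes.txt');
```

With this shim in place the application behaves identically under either server setting, which is what makes it safe for a host to flip the default to Off: the only scripts that break are the ones that were already silently corrupting backslashes.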

  6. #6
    amclay (Geek)

    Quote Originally Posted by Alan B:
        No, that is not correct. These servers use SuPHP, so PHP overrides can be made only in php.ini.

        It's better to default to a safer state, with magic_quotes_gpc off. The few users who require them on for a specific script can use a local override. It's better to have the entire server safer, and have users make just their own account less safe if necessary.

    Thanks for the info. I'm not particularly "in-tune" with WHB servers. I agree that they should change it.

    The development snapshot of PHP6 is about a year old now; that should fix the problem. I'd also like to hear from WHB about why they have not turned it off (people writing insecure PHP, I suspect). Even though it's pseudo-security, there's a lot of people who have absolutely no idea how to sanitize input correctly.

    Edit: Doesn't magic quotes increase security, and not decrease security? I was only aware of the performance hits it created.

  7. #7
    genrock (New Bee; joined Apr 2010)

    I agree that they should change it. I mean it just makes sense at this point. I wonder what WHB has to say about this?
