PHP 7.4 deprecated get_magic_quotes_gpc function alternative

php deprecated php-7.4
86,873

You need to remove every mention of this function from your code and do not replace it with anything else.

get_magic_quotes_gpc() has been useless ever since PHP 5.4.0. It would tell you whether you have magic quotes switched on in the configuration or not. Magic quotes were a terrible idea and this feature was removed for security reasons (PHP developers believed in magic & superstitions and wrote unsecure code).

Most likely even you yourself do not know why you had this line of code in your project. I know I was fooled by it when I was learning PHP. The reality is you do not need it at all. This function has nothing to do with security and the concept of input sanitization is preposterous.

Instead, rely on good security guidelines.

  • Use parameterized prepared statements for interactions with the database. PHP has a very good library called PDO, which can be used with many DB drivers including MySQL.
  • If you produce output, then escape the output taking into consideration the rules of that medium. For example when outputting to HTML use htmlspecialchars() to prevent XSS.
  • Never sanitize input. There is no magical solution that would protect you against everything. Instead, you as a developer must be aware of dangers and you need to know how to protect your code. Don’t try to sanitize input. Escape output.
Share:
86,873
Code Lover
Author by

Code Lover

Updated on January 27, 2022

Comments

  • Code Lover
    Code Lover over 2 years

    I am encountered with the situation where one of my old code is using get_magic_quotes_gpc() which is deprecated in the latest PHP version 7.4.*

    Currently, I have something like this.

    Add Slashes

    return get_magic_quotes_gpc() ? addslashes($string) : $string;

    Remove Slashes

    return get_magic_quotes_gpc() ? stripslashes($string) : $string;

    Which is obviously giving error

    Deprecated: Function get_magic_quotes_gpc() is deprecated

    Question:

    How can I fix it? So can work the same without using get_magic_quotes_gpc() function?

    • Phil
      Phil about 4 years
      Since PHP no longer adds slashes to request parameters (removed in PHP 5.4), get_magic_quotes_gpc() always returns false. With that in mind, you don't have to do anything to your strings, they should always be clean.
    • Phil
      Phil about 4 years
      I also can't think of any valid reasons to ever use addslashes(). I can't tell why you would have code like your first snippet, even prior to PHP 5.4
    • Code Lover
      Code Lover about 4 years
      @Phil Do you mean PHP handle itself all such vulnerable injection?
    • Phil
      Phil about 4 years
      No, quite the opposite. PHP now no longer gets in the way of developers and leaves securing your app up to you
    • Code Lover
      Code Lover about 4 years
      I see, so could you please suggest me any way to secure it?
    • Phil
      Phil about 4 years
      Secure what and against what vulnerabilities? Your question shows no uses of this code. If you were relying on this code to sanitise SQL query parameters, use prepared statements instead.
    • Code Lover
      Code Lover about 4 years
      I see, got it. Thanks a lot @Phil I appreciate it.
    • Dharman
      Dharman about 4 years
      get_magic_quotes_gpc() together with addslashes() makes no sense.
  • Zefiro
    Zefiro about 3 years
    I disagree to your blanket statement that (all) input sanitation would be unecessary or even preposterous. Instead you need to know what kind of input you can safely handle, and ensure that input matches that. I do agree though that it's a misconception to think once it was sanitized once, it's safe for every further use. FYI get_magic_quotes was a requirement for safe and sane code in the times when magic could just happen to your script. Prepared statements are better, but it should also still look nice, shouldn\'t it? ;)
  • Dharman
    Dharman about 3 years
    @Zefiro Aren't you thinking of input validation? You validate the input you receive to make sure that it is what the application expects, but that has nothing to do with security.
  • Zefiro
    Zefiro about 3 years
    You're right, I did. Though I don't really see a difference here. In case of magic quotes, it was "getting the input in a known state for further processing", i.e. you know whether escaping slashes had been added or not automagically. (and in the times before Prepared Statements that was at least related to security)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

PHP 7.4 and MySQL Connections
How to avoid deprecation warning by replacing session_unregister with $SESSION[] after upgrading to PHP 5.3?
Converting an ereg_replace to preg_replace
Is it possible to install PHP7.4 on stock Alpine 3.12 Docker image?
mssql_connect no longer working as of PHP 5.3
PHP Error : Unparenthesized `a ? b : c ? d : e` is deprecated. Use either `(a ? b : c) ? d : e` or `a ? b : (c ? d : e)`
PHP Fatal error: Call-time pass-by-reference has been removed
Unable to install PHP 7.4 on Ubuntu 16.04 even with Ondrej PPA repository in apache2
Function ereg_replace() is deprecated - How to clear this bug?
Why is mime_content_type() deprecated in PHP?