Ned Batchelder : Blog
PHP and magic quotes
October 2003
I just added a preview button to my comment system (try it out!), and along the way was reminded about what is good and bad about PHP. It isn't two different things, it's one thing: magic.
As I was working on the preview button, I was nagged by something which had bothered me before: string quoting with slashes. Looking at the data I was getting back from POSTed web forms, it already had slashes in it to quote apostrophes, double quotes, and so on. I thought I had added them myself somewhere, but could not find the place I had called addslashes. It's natural that while passing strings from posted forms to MySQL and back to HTML, there's a lot of slash-munging. I figured I had an old call to addslashes somewhere.
It turns out I didn't. There is a configuration setting which automatically applies slash-quoting to GET, POST, and COOKIE values. The setting is called magic_quotes_gpc. It can be set in the php.ini file, and its value can be checked with the get_magic_quotes_gpc function. There is no way to programmatically change its setting.
There's another similar setting called magic_quotes_runtime which applies quoting automatically to external data such as databases and file contents. It can be queried with the get_magic_quotes_runtime function, and also changed programmatically with the set_magic_quotes_runtime function. Why can one be changed at runtime and the other cannot? I don't know. Maybe there's a good reason, maybe not.
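An added example, not code from the original post: one way to undo magic_quotes_gpc once at the top of a script, then escape separately for each destination (HTML and the database) instead of relying on the automatic slashes. The sample comment string, the comments table, and the in-memory SQLite database standing in for MySQL are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.

// Recursively remove slash-quoting; fields like name="tags[]" arrive as arrays.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only where the setting exists and is switched on. The function is
// absent in PHP 8, so check for it before calling.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Normalize request data once, so the rest of the script sees raw values.
if (magic_quotes_active()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed sample: a posted comment as it looks after magic_quotes_gpc
// has processed it (addslashes applies the same quoting).
$raw      = 'It\'s a "preview" <b>test</b>';
$received = addslashes($raw);
$comment  = undo_magic_quotes($received);

// HTML context: escape for HTML at the point of output.
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'), "\n";

// SQL context: bind the raw value as a parameter rather than slash-quoting it.
// In-memory SQLite stands in for MySQL here (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (body TEXT)');
$db->prepare('INSERT INTO comments (body) VALUES (?)')->execute(array($comment));

// The stored text matches what the visitor typed, with no stray slashes.
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $raw);
```

Slash-quoting is not the right escaping for either destination, which is why the example strips it and lets htmlspecialchars and the bound parameter do the work.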
But if you have a more analytical approach, then magic_quotes_gpc is the kind of thing that will drive you nuts. I spent twenty minutes today rediscovering this magic quoting feature, because I couldn't figure out why there were slashes in my POST data.
PHP is not clean. Its strength is that it is grungy, but in precisely the right ways to make simple server-side coding tasks easy. It provides tight integration between the programming language and the web server, it has a rich library for doing lots of webby stuff, and it has a simple forgiving feel to it. But once you graduate to larger coding projects, or delivering software to someone else's server, or structuring your code for more modularity, then PHP begins to run out of steam, and its initial strengths become weaknesses.