PHP uses “magic quotes” by default but has gotten a lot of flak for it. I understand it will disable it in next major version of PHP.
While the arguments against it makes sense, what I don’t get it is why not just use the HTML entities to represent quotes instead of stripping and removing slashes? After all, a VAST majority of mySQL is used for outputting to web browsers?
For example, ' is used instead of ‘ and it won’t affect the database at all.
Another question, why can’t PHP just have configurations set up for each version of PHP with this tag <?php4 or <?php5 so appropriate interpreters can be loaded for those versions?
Just curious. 🙂
Here’s a good reason, mostly in response to your own posted answer: Using
htmlspecialchars()orhtmlentities()does not make your SQL query safe. That’s what mysql_real_escape_string() is for.You seem to be making the assumption that it’s only the single and double quote characters that pose a problem. MySQL queries are actually vulnerable to the
\x00,\n,\r,\,',"and\x1acharacters in your data. If you are not using prepared statements ormysql_real_escape_string(), then you have an SQL injection vulnerability.htmlspecialchars()andhtmlentities()do not convert all of these characters, ergo you cannot make your query safe by using these functions. To that end,addslashes()does not make your query safe either!Other smaller downsides include what the other posters have already mentioned about MySQL not always being used for web content, as well as the fact that you are increasing the amount of storage and index space needed for your data (consider one byte of storage for a quote character, versus six or more bytes of storage for its entity form).