All in the <head>

– Ponderings & code by Drew McLellan –

– Live from The Internets since 2003 –


Experience is More Important than Knowledge Of Syntax

21 May 2004

I’m still pretty much learning PHP. Having a lot of experience in ASP, and going back further, perl, stands me in excellent stead. Over the years I’ve taught myself a number of different languages, starting with BASIC when I was roughly seven years of age, so I’m pretty comfortable with reading technical documentation and gleaning the information I need. After all, when designing a web application (as I’ve noted previously) it’s the logic that is key, rather than the code. Code can be looked up.

What you can’t gain from the manual, however, is the lessons learned from experience. The user comments on PHP.net give a snapshot of various people’s experiences, but it’s incredibly hard to learn from other people’s mistakes when it comes to code. The manual can tell you how to use each aspect of the technology, but it won’t tell you what’s best to use in each precise circumstance. There are some things you just have to learn for yourself.

That’s where I am with PHP. I can happily code away, looking up what I need to look up. I know from other programming experience to design my application to be as object-oriented as I can. I know from business experience which elements need to be flexible to the client’s demands. I know from web experience how best to handle security and user input. What I don’t know is how best to do things in PHP.

A case in point. PHP has a really fantastic feature called Magic Quotes. This option, set server-wide in the php.ini configuration file (magic_quotes_gpc), automatically escapes incoming user input (GET, POST and cookies) before your script runs: single quotes, double quotes, backslashes and NUL bytes are each prefixed with a backslash, exactly as addslashes() would do. When that input is dropped into a quoted SQL string literal this blocks the basic SQL Injection Attacks, and so enables novice coders and conscientious server admins to sleep at night. It is not a complete defence, mind: it does nothing for values used outside quotes, such as numeric fields, and backslash escaping is not the correct quoting for every database. For the rest of us it saves an extra step in protecting our code, as we know this is being taken care of.

But do we? As Magic Quotes is an option, it’s enabled on some servers and not on others. This means that if you play it safe and manually use addslashes() to escape your user input, that same input is going to get doubly escaped on a server with Magic Quotes enabled (an apostrophe arrives as \' and leaves as \\\'). If you don’t manually protect yourself, you are open to attack on servers that don’t have Magic Quotes enabled. You’re damned if you do and you’re damned if you don’t. That’s the sort of thing you don’t learn from the documentation.

This particular idiosyncrasy burned my fingers today. Not in any major way, but it lost me time and set me back a bit. From experience I now know to do this:

function autoslash($str){
    // Magic Quotes has already escaped GET/POST/cookie data,
    // so only add slashes when the server-wide option is off.
    if (!get_magic_quotes_gpc()) {
        return addslashes($str);
    }else{
        return $str;
    }
}

If I apply autoslash() to all user input I can be sure that quotes will be escaped exactly once, whatever the server setting, because the function checks whether Magic Quotes is on before adding any slashes of its own.

Writing the code is the easy bit, but experience is more important than knowledge of syntax.
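To make the double-escaping problem concrete, here is an added example that is not code from the original post. It runs the same input through both server configurations. Because the GPC setting cannot be changed from inside a script, the example passes the setting in as a flag and simulates what magic_quotes_gpc would have done to the request value before the script started; the function names, the flag and the sample input are mine. The guard around get_magic_quotes_gpc() is there because the function was removed in PHP 8.

```php
<?php
// Added example (not the original post's code). Shows why an unconditional
// addslashes() double-escapes on a server with magic_quotes_gpc on, and how
// escaping exactly once restores predictability.

// Simulate what PHP's magic_quotes_gpc did to a request value before the
// script ran: prefix ', ", \ and NUL with a backslash, as addslashes() does.
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// The value the script actually finds in $_POST, given the server setting.
function incoming(string $raw, bool $magic_on): string {
    return $magic_on ? simulate_magic_quotes($raw) : $raw;
}

// The "play it safe" approach from the post: always call addslashes().
function escape_naive(string $value): string {
    return addslashes($value);
}

// Escape exactly once: only add slashes if the server has not already.
// $magic_on is passed explicitly here (an assumption for the demo) so both
// configurations can be exercised in one run; real code would read
// magic_quotes_enabled() instead.
function escape_once(string $value, bool $magic_on): string {
    return $magic_on ? $value : addslashes($value);
}

// Real-world check of the server setting. get_magic_quotes_gpc() was
// removed in PHP 8, so treat its absence as "off".
function magic_quotes_enabled(): bool {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

$raw = "O'Reilly"; // constructed sample input: a surname with an apostrophe

foreach ([false, true] as $magic_on) {
    $in = incoming($raw, $magic_on);
    printf("magic_quotes_gpc=%-4s received=%-11s naive=%-13s once=%s\n",
        $magic_on ? 'On' : 'Off', $in, escape_naive($in), escape_once($in, $magic_on));
}
```

With the option off both approaches agree; with it on, the naive column carries the doubled backslashes that end up stored in the database, while the escape-once column is identical in both rows. Note that escape_once() still only covers the quoted-string case the post is discussing; a value interpolated unquoted into SQL needs validation of its own.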

- Drew McLellan

Comments

  1. § Simon Willison: Magic quotes are the spawn of the devil, for the exact reason you just discussed: since you don’t know if they’ll be on or off on the server where your code will be running you end up spending more time and effort coming up with workarounds than they would have saved you in the first place! Prepared statements of some sort are a far nicer way of dealing with the escaping problem in a way that reduces the chances of security flaws sneaking in. Python’s DBI modules have a particularly elegant way of dealing with this.
  2. § Matt: You can set magic quotes to be on or off at the beginning of your file. Do this and just go along with it. set_magic_quotes_runtime()
  3. § Drew: Ah, neat. Thanks Matt. Can anyone think of any other helpful features I should be turning off at the same time?
  4. § Scott Plumlee: I’ve been reading Paul Dubois’ excellent introductory book on MySQL (can’t recall the exact name right now) and he creates a function exactly like this. Nice learning tool. Another method he uses is to create a script that will automatically reference the name of the page that the current script is running so it doesn’t have to be hardcoded. That’s probably old hat to most people, but I hadn’t gotten any experience with PHP and the idea that you can have one page that runs different scripts depending on how it’s called was new to me. Finally, he comes up with a function that searches through the POST, GET, and HTTP_POST_VARS or HTTP_GET_VARS arrays to find the values you need, so that if you are on a newer version of PHP, you can call the POST/GET arrays, on older ones the HTTP_POST_VARS/HTTP_GET_VARS arrays. Saved me a bit of time as well.
    Also came up with some functions that would let me create tables, forms, and other repeated code chunks with ids and classes set or not set, depending on what I needed. Basic, I know, but I was just learning.
  5. § Clayton Scott: I agree with Simon. It’s also evil because not all databases escape quotes the same way.

    MagicQuotes is on by default and it took me a really long time to figure out why some text going into the Oracle database was being corrupted
  6. § Simon Willison: set_magic_quotes_runtime only deals with data read from files, not data read from GPC (GET, POST, COOKIE). You can’t change the configuration setting for GPC data in your script because the damage has already been done by that point – the data has already been parsed into those arrays and possibly escaped before your script has even started execution, so the configuration change at the start of your script will have no effect.

    The really nasty problems come when you try to use two different third party scripts on one page – one that expects magic quotes and one that doesn’t.
  7. § Rad S.: Don’t use register_globals as some dated tutorials use. This means that environment and form variables will come in a standard variable. It creates insecurity since the type of input isn’t specified.

    I favor removing magic_quotes’ work and stripping the slashes instead, as stated above not all databases escape quotes the same way.

    You may want to look at this for some PHP performance tips:
    http://yayforgecko.net/article/19/writing-faster-code-in-php
  8. § Rad S.: By the way, here’s the code I use to disable magic_quotes’ functionality.

    function magicQuotesRemove(&$array) {
        if(!get_magic_quotes_gpc())
            return;
        foreach($array as $key => $elem) {
            if(is_array($elem)) {
                // recurse on the element inside $array, not on the copy
                // in $elem, so that stripped nested values are written back
                magicQuotesRemove($array[$key]);
            } else {
                $array[$key] = stripslashes($elem);
            }
        }
    }

    magicQuotesRemove($_GET);
    magicQuotesRemove($_POST);
    magicQuotesRemove($_COOKIE);
  9. § Rev. Bob: I didn’t see in your posting whether or not you’re using the annotated PHP manual. Trust me, you want it. http://www.php.net/docs-echm.php
  10. § thomas: There are a lot of professionals and serious hobbyists on IRC channels who I frequently consult when I come across a problem in my code. They get mad if you ask something like, “What does stripslashes do?” but if you want various educated people’s advice and opinions about a subject … it’s the best place to go.

    I like irc.freenode.net. #php for php, #web for HTML/CSS/JS, and there are other channels for MySQL and just SQL, etc. I’d recommend it. And say “Hi” to ‘trhaynes’ when you’re in #web. ;)
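The thread above converges on two points: undo whatever Magic Quotes did so the script sees exactly what the user typed (comments 7 and 8), and then let the database driver handle quoting through prepared statements rather than escaping by hand (comment 1). This added example puts both together; it is not code from the post or from any of the commenters. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database in place of a real one; the request array is constructed, and the function and variable names are mine.

```php
<?php
// Added example, not from the post or its comments. First strips the
// escaping that magic_quotes_gpc would have applied, then passes values to
// the database through prepared statements so no manual escaping is needed.
// Assumes the pdo_sqlite extension; an in-memory database stands in for a
// real server.

// Recursively undo Magic Quotes. Iterating by reference means nested arrays
// are modified in place rather than a copy being stripped and discarded.
function strip_magic_quotes(array &$array): void {
    foreach ($array as &$value) {
        if (is_array($value)) {
            strip_magic_quotes($value);
        } else {
            $value = stripslashes($value);
        }
    }
    unset($value); // break the reference left by the last iteration
}

// get_magic_quotes_gpc() was removed in PHP 8; treat its absence as "off".
function magic_quotes_enabled(): bool {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Constructed request data, exactly as a magic-quotes-on server would have
// delivered it: the apostrophes already carry a backslash.
$post = ['name' => "O\\'Reilly", 'tags' => ["it\\'s", 'plain']];
$magic_on = true; // simulated for the demo; real code: magic_quotes_enabled()
if ($magic_on) {
    strip_magic_quotes($post);
}
// $post now holds what the user typed: O'Reilly, it's, plain

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)');

// Bound parameters travel separately from the SQL text, so a quote inside
// the name cannot terminate the string literal. No addslashes() needed, and
// nothing that depends on which database's quoting rules apply.
$insert = $db->prepare('INSERT INTO people (name) VALUES (:name)');
$insert->execute([':name' => $post['name']]);

$select = $db->prepare('SELECT name FROM people WHERE name = :name');
$select->execute([':name' => $post['name']]);
$row = $select->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === "O'Reilly"); // the apostrophe round-trips intact

// The case the placeholder protects against: interpolated into the SQL
// directly, this value would rewrite the WHERE clause. Bound, it is just a
// string that matches no row.
$hostile = "x' OR '1'='1";
$select->execute([':name' => $hostile]);
var_dump($select->fetch(PDO::FETCH_ASSOC) === false);
```

Run the stripping step once, at the very top of the request, before any third-party code sees the superglobals; that is the only place it can be done consistently, which is the root of the problem Simon describes with mixing scripts that expect different settings.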
