The Joomla! Forum ™

Hi folks

I am getting this message in our sites:

PHP magic_quotes_gpc setting is `OFF` instead of `ON`

However in http://forum.joomla.org/index.php/topic,81058.0.html is written:

"Adjust the magic_quotes_gpc directive as needed for your site. It should be OFF for well written software, and on for poorly written PHP 3 and PHP 4 scripts. magic_quotes_gpc sets the magic_quotes state for GPC (Get/Post/Cookie) operations."



Which one should we trust?. I hear leaving this in OFF is the most secure.

Cheers

David.

_________________
http://www.curefans.com

According to the official PHP site, you should write scripts securly so that they don't need magic_quotes_gpc ON. That's the ideal, and starting with PHP 6 it will be the only way to do it. Until then, if you have scripts that don't validate input values at runtime (always a bad thing), you are safer with magic_quotes_gpc ON.

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com

I understand. But the only program I have installed is Joomla (and I have it installed for several websites). There are not other scripts. Then, why this message appears?

_________________
http://www.curefans.com

Joomla will work with either setting. All magic_quotes_gpc = On does is basically addslashes() which is a simple way of escaping input.  Joomla knows that this may have occurred so it does stripslashes() before it starts working with the raw data and then escapes it properly depending on what the data is being used for.  The warning is geared more toward Joomla extensions that don't use the framework properly and do things their own way, while not necessarily a bad thing, it often is because they don't sanitize user input well enough or properly. 

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Very very good catch    Thanks

There is an error in that post. With all these OFF and ON's there is always room for an error... The Joomla! warnings are correct in this case.

In fact all well written php code (which is the case of Joomla! itself), and extensions can work with magic_quotes_gpc ON or OFF.

What this php setting does is "escape" quotes and backslashes on parameters given in the URL e.g. ¶meter=o'dowd :

So that if an SQL request is performed without taking in account magic_quotes_gpc, and doing proper escaping, you are still on the safe side (as PHP did already the escaping for you).

So it's an additional efficient line of defense against most SQL injection vulnerabilities. E.g. all such potential vulnerabilities of previous releases of joomla and mambo, that got addressed by joomla 1.0.11 itself are not dangerous for servers with magic_quotes_gpc ON.

Same goes for 3PD extensions.

So magic_quotes_gpc ON does no harm as the mosGetParam() function of Joomla takes that in account for well written software, but adds an efficient line of protection for less well written extensions or bugs/forgettings.

Reference about SQL injections:
http://en.wikipedia.org/wiki/Sql_injection

Conclusion: recommended setting:

magic_quotes_gpc ON  (like in joomla! 1.0.11 warnings).


The security article:
http://forum.joomla.org/index.php/board,267.0.html
should be changed (will post there link to here).

_________________
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

Ok .. and now for the rest of us .. how do we turn the setting ON?

_________________
Rob

Beat -

The Joomla! Administrator's Security Checklist < http://forum.joomla.org/index.php/topic,81058.0.html >

STILL shows this setting:


And, you are asking it be updated like this, correct?


Thanks for the clarification!

Amy 

Yes, please:


Also this:



Could be maybe more clear like this (please correct/clarify further as needed for simple understanding):


Adjust the magic_quotes_gpc directive to ON on production sites for an additional line of defense against potential SQL injections. Well-written software takes this setting in account and runs with setting ON or OFF. Well written software will still be safe with this setting OFF, while poorly written code or code with fergotten escapings/bugs will be better protected with this setting ON. magic_quotes_gpc sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically, which avoids SQL injection vulnerabilities, if those variables are used as is without proper check for escaping. Developpers MUST test their code with this setting both ON and OFF, and in the case of OFF, try all URL GET and forms POST parameters with those special characters. The official PHP Manual states, "It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed." Note also that PHP 6 will only run as if magic_quotes_gpc is off, so you might as well start cleaning up your scripts now.

_________________
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

Beat - I think that is MUCH better, but I would even cut your explanation MORE:



IMO, that is PLENTY. I have ALWAYS found that stupid description to be so confusing with its double negative approach! Most people don't care why, they just want to know WHAT. (IMO).

Beat - and anyone else - I was worried last night about people getting confused by seeing specific configuration setting warnings -- and a link to the very comprehensive guide -- not knowing specifically what they needed to do.

Some of us are NOT SO GEEKY! If you know what I mean, we want to know specifically what you suggest, we are never going to take a test, so we are not trying to "learn", and we are AFRAID!

I am seeing some of that confusion, now. So, I made this thread entitled Joomla! 1.0.11 Security Configuration Instructions < http://forum.joomla.org/index.php/topic ... #msg457019 > to get them started. Would you look at it and see if it makes sense to someone who is seeing warnings on the install to get them to the right information, and finally, into the broader guide?

I will PM rlinksey so that he can see your suggestion for the "1" setting here and hopefully update the Admin Guide. (Don't get me wrong, the Admin Guide is AMAZING, it's just a bit overwhelming to "fall into" from the install when you just had one little warning to fix.)

Thanks!
Amy

@rjschad -

Sorry for not seeing your polite little post lost in all that technogarble! Please try this Joomla! 1.0.11 Security Configuration Instructions < http://forum.joomla.org/index.php/topic ... #msg457019 > and, if it's still confusing, get more obnoxious! 

Amy 

Amy,
You are right...even one two words "or code" to much...

As Churchill started a 2 pages letter...: 


It's so true... right to the point 



You are right. 1.0.11 Release needed to go out asap, because of its critical nature of security fixes in Joomla itself.

But at the same time, it was time to do something about recurring security concerns of 3pd extensions, and also protect Joomla better against yet unknown potential vulnerabilities, and to make people realize quickly if they run on insecurely configured hosts. This comprehensive guide was the very best piece of information available to link to at release time.

The idea was to add a first part to that comprehensive guide for the most important settings, or a link to a post to be made, like it now exists from you < http://forum.joomla.org/index.php/topic ... #msg457019 >.

Actually, moving up the 3 critical settings (php register_global, php magic_quotes_gpc, and joomla RG_EMULATION) up a bit, and a link to your excellent post, linking to the excellent threads is a quick first step.

Second step would be, once all the wealth of information from forum are consolidated into these threads, would be to move them into a new Site Security chapter in the Joomla Manuals, with a smooth admin learning curve.

Third step would be to simply link this post to this security chapter.

Fourth step would be to add this chapter to the online joomla help



When talking about internet security, it's always better to be in defensive mode

And with quite some 3pd Joomla! extensions, it's better to be afraid...and get those settings right :

I review quite a few extensions and, and way to often find vulnerabilities, which ARE INDEED protected by those settings 99% of the time.

Best proof is that I don't know yet of ANY Joomla+3PD extensions site which got hacked when those 3 settings were correctly configured, and software kept up-to-date.

So yes, it's ok with me to be scared if they are not right.

Other large PHP software installer will even REFUSE to install if these security settings are not right.



Excellent post. As said above, i think that a little reading of the broader guide before hands-on fixing with these  is also very good. Probably integrating both and the post in a new Joomla! installation security chapter of the Manual would be excellent.

Minor comments to your post:
allow_f_url_open = 0  => true that it increases security, but it will break a few components (like "URL Links" backend function in Docman), there is a thread on this topic somewhere.
safe_mode = 1 => it's another line of defense on shared hosts, but might not allow joomla components,modules,extension installer to work depending on other safe_mode settings. Joomla 1.5 fixes that.
Function exec is sometimes (rarely) needed for some libraries (like ImageMagic)



Thank You for making this technocratic information understandable to our user-community, it's very important.

Sorry to be too long again  but really can't edit it 3rd time (2am here). I'm sure you will do an excellent, better understandable, summary

_________________
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

It's definitley safer to have magic_quotes_gpc on.  However, the only potential problem with having it on is when double escaping occurs somewhere in your program code, which of course, could cause some database inputs to look like this "O\'Reilly", when the intent is to have it look like this "O'Reilly" for example.

The best way to handle the unnecessary backslash(es) is to have a custom escaping function that takes into account the php magic_quotes_gpc setting and then produces the safe mysql input accordingly.  Good applications will use custom escaping functions, and one example is the following:


I have a question though for the smart guys out there with regard to properly coding custom escaping functions that take into account the magic_quotes_gpc settings.

I've seen some custom escaping functions that simply return the input value if magic_quotes_gpc is set to on.  Which leaves the impression that the escaping done by magic_quotes_gpc is good enough for mysql input.

My question is whether a magic_quotes_gpc escaped value is just as safe stripping the slashes from the magic_quotes_gpc escaped value and then running it through a more encompassing mysql escaping function like say mysql_real_escape_string or mysql_escape_string?

Since I've seen some custom escaping functions out there just return the magic_quotes_gpc value if it is on, I'm wondering what benefits the more encompassing mysql escape functions might've provided above and beyond magic_quotes_gpc, if any.

Just curious for some of the custom apps I've been writing.

_________________
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com

reply is here :

http://forum.joomla.org/index.php/topic ... #msg457124

take also a look at the Community Builder API document ( http://www.joomlapolis.com/component/op ... Itemid,36/ ), there is a section on proper escaping and testing these escapings...

btw: I'm not pretending to be an expert, just trying to share the little experience accumulated in trying to do highly defensive web-applications development. 

We have way more experienced php developpers here and in the Internet.

_________________
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

thx beat, looking through that API made me realize some important areas where I needed to perform some escapes on my SQL data.

I greatly appreciate the link to the informative gpc quotes discussion and the API documentation

_________________
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com

Beat -

I have been pulling together User Guide stuff for awhile, now -- planning, installing, design, building, security, performance, etc., so, I will continue with this, too, and ask lots of questions, I am certain. I mentioned this to RobS, too. The way you are talking is EXACTLY how I feel about some overall theory so that the concepts of what you need to accomplish and why are in place. Then, the "step by step" instructions, of course. Hopefully, I can share draft section copies within a couple of weeks. I would like to have it available for the community with the 1.5 rollout.

Added this:


Once I read your comments, I am reminded I have seen several Docman failures tonight -- wonder if it's related? I'll try to find those people and see. Thanks so much -- you have very good end-user skills for an intense coder! Pretty rare dual quality -- and very helpful, maybe why community builder is a hit?

Amy

@Tyler - glad you found a geekie friend for your techie questions! You know, it is starting to get cooler outside -- you might want to put a sweater on before you catch a cold.

Luckily Amy, I'm in California   And even more fortunate is that Beat has been an old friend since he shared his great answers with me long ago, back when I was testing the CB RC2 betas. 

If I recall correctly, he even answered me on this exact same subject matter (that I also asked him about some 10 months ago), except back then, his answers were way over my head and didn't quite register, but thankfully he has kindly re-iterated the same answer to me again w/o saying "hey, didn't I already explain this to you once!", LOL

No doubt, Beat is great for the 101'ers

_________________
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com

It gives me an headache all theses explanations...   :'(

Edit: My apologies as I was told I confused the variables names, and the versions: this topic is for Joomla 1.5 and I have 1.0.11. Also, the variable name that was recommanded to be put at ON on 1.5 is magic_quotes_gpc while I was talking about the variable of the 1.0.11 "RG_EMULATION"   
On my Joomla since my new upgrade to 10.0.11, I have a warning saying:

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

PHP register_globals setting is `ON` instead of `OFF`
Joomla! RG_EMULATION setting is `ON` instead of `OFF` in file globals.php
`ON` by default for compatibility reasons
Please check the Official Joomla! Server Security post for more information.


So Now I am confused you said it should be left at "on" but why it is asking me to put it OFF then?
Edit again: As I said this is incorrect because Beat was talking about another variable

I am a newbie I wont understand the long security explanations.... THe only other stuff I am using with Joomla is an addon called BoltVideo or something... thats it!!

Oh and thats another subject but on your security post you said to rename htaccess.txt in .htaccess... I did it and then I couldnt access my website... so I renamed the file in htaccess.txt, but still no access!!! I cleaned the temp files, refresh...still no access! 

SO I had to reput the htaccess.txt  found in the ZIp of upgrade from 10.0.10 to 10.0.11



Cheers by the way 

Whether RG are On or OFF is open to legitimate debate. If every PHP script on your site is well-written and alll user input is always, competely, correctly verified, then RG can be turned ON without risk.

BUT, if you have by any chance installed an extension that lets a cracker upload a trojan horse, this can allow the cracker to send commands through Global variables to the trojan horse. Once this can be done your site is completely compromized. When this happens, (Note that I didn't say "If"), your best course will be to delete your entire site and start over.

BTW: It does not matter if the poorly written extension is "turned on" within Joomla!. This is because every php script is always ON from the PHP interpreter's point of view. In other words, if a PHP script can be accessed though the URL and the PHP interpreter is working, that script is "ON".

BTW2: If this explanation is too complicated, or gives you a headache, you should hire a security pro to secure your site. 

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com

Hi,

Good info here!

Two questions:

1. Just wondering what the proper settings are for magic_quotes_runtime and magic_quotes_sybase?
I have them currently set to OFF in my server. I also have magic_quotes_gpc set to OFF and the site runs fine. What problems might I expect with existing content if I change the setting for magic_quotes_gpc to ON? Based on the above, it doesn't seem like it would affect it, but I just want to be sure.

2. On a client site hosted on their own server, when I view source, all single quotes have been replaced by their HTML entity equivalents. The site seems to run fine but IE is kicking back javascript errors. The server admin did a find and replace on the database file to replace all iterations of two single quote entities ('') with two apostrophes (''). It runs, but now the Joomla popup windows don't work anymore. Which is the correct way to handle this? Should I just ignore the html entities in the source (and content database)? My other Joomla sites (on my server) display the source with the single quotes in the code, so this HTML entity stuff is confusing.
Here are the settings the client server has: magic_quotes_gpc = ON, magic_quotes_runtime = OFF, magin_quotes_sybase = OFF.

Thanks,
Railer

Best practices for magic quotes for n00bs like me  who does not have control over the php.ini file in a shared server environment:

http://www.nyphp.org/phundamentals/stor ... ieving.php

SIMPLE ANSWER.... ( these explanations come from some hard core geeks.. )

Paste this in your .htaccess