What's the vB4.x performance hit if magic_quotes_gpc remains ON?


  • What's the vB4.x performance hit if magic_quotes_gpc remains ON?

    Just looking into getting vB4.x and when I ran the vbtest script it said "magic_quotes_gpc should be off for optimal performance, ask your host to change this in php.ini "

    I run a dedicated server with a number of legacy sites which may be impacted if magic_quotes_gpc is turned off, and we don't want to update those sites just now.

    So can someone please quantify what the performance hit will be on a vB4.x site if we leave magic_quotes_gpc turned on?

  • #2
    it ain't a performance issue exactly more a 'best practise' approach see http://php.net/manual/en/security.magicquotes.php
    :: Always Back Up Forum Database + Attachments BEFORE upgrading !
    :: Nginx SPDY SSL - World Flags Demo [video results]
    :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]



    • #3
      Originally posted by eva2000
      it ain't a performance issue exactly more a 'best practise' approach see http://php.net/manual/en/security.magicquotes.php
      I'm not a coder, I'm just going on the advice provided by vBulletin via their vb test script, which says;
      "magic_quotes_gpc should be off for optimal performance, ask your host to change this in php.ini "

      Is this incorrect?



      • #4
        With regards to magic_quotes_gpc, optimal performance = best practise approach. For vB itself it doesn't matter as much, as it comes down to quality of php code and vB itself is fine. When you start adding other php scripts, addons and php hacks to your server, then depending on php coding quality you can introduce issues. Best summed up in the 2nd comment of that page I linked to:

        The very reason magic quotes are deprecated is that a one-size-fits-all approach to escaping/quoting is wrongheaded and downright dangerous. Different types of content have different special chars and different ways of escaping them, and what works in one tends to have side effects elsewhere. Any sample code, here or anywhere else, that pretends to work like magic quotes --or does a similar conversion for HTML, SQL, or anything else for that matter -- is similarly wrongheaded and similarly dangerous.

        Magic quotes are not for security. They never have been. It's a convenience thing -- they exist so a PHP noob can fumble along and eventually write some mysql queries that kinda work, without having to learn about escaping/quoting data properly. They prevent a few accidental syntax errors, as is their job. But they won't stop a malicious and semi-knowledgeable attacker from trashing the PHP noob's database. And that poor noob may never even know how or why his database is now gone, because magic quotes (or his spiffy "i'm gonna escape everything" function) gave him a false sense of security. He never had to learn how to really handle untrusted input.

        Data should be escaped where you need it escaped, and for the domain in which it will be used. (mysql_real_escape_string -- NOT addslashes! -- for MySQL (and that's only unless you have a clue and use prepared statements), htmlentities or htmlspecialchars for HTML, etc.) Anything else is doomed to failure.

        The php noob in this case would be the author or writer of php hacks or other php scripts you install on the same server as vB.

        I guess you could say it's like saying for best driving performance, ensure the driver hasn't consumed lots of alcohol. Sure, you could end up safely at your destination, but chances of an accident are much greater with an intoxicated driver.
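The point of the php.net comment quoted in post #4 (escape per domain, not once for everything), as an added example that is not part of the thread and not vBulletin code. Because magic_quotes_gpc was removed in PHP 5.4, its effect is simulated with addslashes(); the `member` table, the helper names and the sample value are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample input: a display name containing characters that are
// special in SQL string literals (') and in HTML (< >).
$raw = "O'Reilly <admin>";

// What a script received for the same field when magic_quotes_gpc was ON:
// the setting applied addslashes() to every GET/POST/COOKIE value.
$magic = addslashes($raw);

// In-memory SQLite table (hypothetical schema) so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, name TEXT)');

// SQL domain: a prepared statement sends the value separately from the
// query text, so no string escaping is involved at all.
function save_name(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO member (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function load_name(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT name FROM member WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML domain: escape at output time, with the HTML-specific function.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$clean  = load_name($db, save_name($db, $raw));    // value bound as received
$quoted = load_name($db, save_name($db, $magic));  // value pre-escaped by "magic"

// The bound raw value round-trips unchanged. The blanket-escaped copy is
// stored with a stray backslash, and that backslash did nothing about the
// HTML-special characters, which still need html() when the name is printed.
var_dump($clean === $raw);
var_dump($quoted === $raw);
echo html($clean), "\n";
echo html($quoted), "\n";
```

Code written with bound parameters has to strip the added slashes again whenever the setting is ON, which is the extra work a script carries on a server that leaves it enabled.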


        • #5
          Thanks for the response eva2000, however I'm not looking for an explanation *why* magic quotes are deprecated. I understand that magic quotes will be deprecated in php 5.3 so "best practice" is now to have magic quotes turned off, however I am simply trying to understand the ramifications for vB4.x on a server with magic quotes turned ON.

          The result of the vbtest script indicates that by leaving magic quotes ON, the performance of vB4.x will be sub optimal. I would just like to know what that means for the operation of a vB4.x site.

          I need a meaningful answer to this question so I can decide whether to buy vB 4.x.



          • #6
            It will not make any noticeable difference to the actual performance.
            Baby, I was born this way



            • #7
              Originally posted by Paul M
              It will not make any noticeable difference to the actual performance.
              That's all I needed to know. Thanks!
