Using get_magic_quotes_gpc on PHP Version 5.2.14 or equivalent for PHP Version 6

爷,独闯天下 submitted on 2019-12-06 16:42:10

In PHP 6 magic_quotes will be removed!
Now you can use this function.

// Strip the added slashes only when magic quotes (gpc or sybase) are active.
// Each value is assumed to be a string, not a nested array.
if(  ( function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc() ) || ini_get('magic_quotes_sybase')  ){
    foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v);
    foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v);
    foreach($_COOKIE as $k => $v) $_COOKIE[$k] = stripslashes($v);
}
mario

Read this and why you shouldn't use magic quotes:
http://php.net/manual/en/security.magicquotes.disabling.php

Use one of the examples on that page and replace stripslashes with addslashes. But yes, your solution probably works. Though it would be faster and less intrusive to just use $_GET = array_map("addslashes", $_GET); once at startup. Even better would be to use mysql_real_escape_string instead of addslashes thereon. (But your database connection must already be established for this to work.)

Also I'd like to recommend you this: http://sourceforge.net/p/php7framework/wiki/input/ - because it allows you to progressively rewrite your application to use $_GET->q["fieldName"] for (not so secure) magic quoted fields, or simply $_POST->sql["fieldName"] for (more secure) encoded fields.
You can even use $_REQUEST->sql->always() to enable the filter per default for all normal $_REQUEST["fieldName"] accesses. Though that might be overkill for some applications.
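
An added example, not part of either answer above: it undoes magic quotes recursively (nested array parameters included) and then hands the raw value to the database through a PDO bound parameter, which is a swapped-in alternative to the addslashes / mysql_real_escape_string escaping discussed above. The helper name undo_magic_quotes, the users table and the sample value are assumptions, and the pdo_sqlite extension is assumed to be loaded.

```php
<?php
// Added example, not code from the original answers.
// undo_magic_quotes() is a hypothetical helper name.

// Recursively remove the slashes magic quotes added, including nested
// arrays such as ?tags[]=a'b that a flat foreach/stripslashes loop misses.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            // String keys can carry added slashes too.
            $key = is_string($k) ? stripslashes($k) : $k;
            $clean[$key] = undo_magic_quotes($v);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Same runtime check as in the first answer: only act when the
// interpreter really applied magic quotes to the request data.
$magic = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    || ini_get('magic_quotes_sybase');
if ($magic) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed value standing in for a request field such as $_GET['name'].
$name = "O'Reilly";

// Bind the raw value instead of escaping it: the SQL text and the data
// travel separately, so no addslashes() call is involved.
$db = new PDO('sqlite::memory:'); // in-memory database, assumed for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)'); // constructed table
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $name));

// Read the row back and compare it with the input that was bound.
$stored = $db->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === $name);
```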
