问题
If I have magic_quotes
switched on and I use mysql_real_escape_string
, will the string be double escaped? Will it cause problems?
I assume so based on the get_magic_quotes()
function but just seeking confirmation.
(P.S. It's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a usable environment)
回答1:
If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied to it, so passing it through mysql_real_escape_string()
will in fact, double quote.
To strip em:
if (get_magic_quotes_gpc())
{
$_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
$_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
$_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
$_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
ini_set('magic_quotes_gpc', 0);
}
This question has some other options for stripping quotes / dealing with the horrible magic_quotes_gpc
PHP 'feature'.
回答2:
Read the documentation of mysql_real_escape_string (I hope this is not difficult as well):
Note: If
magic_quotes_gpc
is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
回答3:
Of course, the easiest way is to turn magic_quotes off.
wuth usual PHP/Apache config, this line
php_flag magic_quotes_gpc 0
in the .htaccess
file will do the thing.
but for the compatibility purpose, a function can be used in some config file too.
if ( get_magic_quotes_gpc( ) ) {
$_GET = array_map_recursive('stripslashes', $_GET) ;
$_POST = array_map_recursive('stripslashes', $_POST) ;
$_COOKIE = array_map_recursive('stripslashes', $_COOKIE) ;
$_REQUEST = array_map_recursive('stripslashes', $_REQUEST) ;
if (isset($_SERVER['PHP_AUTH_USER'])) stripslashes($_SERVER['PHP_AUTH_USER']);
if (isset($_SERVER['PHP_AUTH_PW'])) stripslashes($_SERVER['PHP_AUTH_PW']);
}
one of the easiest
回答4:
If I have magic_quotes switched on and I use mysql_real_escape_string, will the tring be double escaped?
Yes, it will but you could do something like this though:
if (get_magic_quotes_gpc())
{
$escaped = stripslashes($your_vars);
}
Note: You can disable the magic quotes from PHP.ini or use the below function to override it:
// no more magic quotes
function get_magic_quotes_gpc()
{
return false;
}
来源:https://stackoverflow.com/questions/2688526/does-using-magic-quotes-affect-the-use-of-mysql-real-escape-string