Question
Our site is using PHP Version 5.2.14.
Lately our hoster probably changed the magic-quote definition, and I came up with the suggested solution [code below].
- Is this solution OK for PHP Version 5.2.14?
- What should I change when we upgrade to PHP version 6?
```php
// Code:
function fHandleQuotes($s) {
    if (get_magic_quotes_gpc()) return ($s);
    return (addslashes($s));
}
. . .
// Usage:
. . .
$query = "UPDATE myTable SET myField = '" . fHandleQuotes($_POST['fieldName']) . "'";
. . .
```
Answer 1:
In PHP 6 magic_quotes will be removed!
Now you can use this function.
```php
// Undo magic quotes once at startup so the rest of the code sees the raw input.
// stripslashes() only accepts strings, so recurse into nested arrays (?a[]=x)
// instead of passing an array to it.
function stripslashes_deep($v) { return is_array($v) ? array_map('stripslashes_deep', $v) : stripslashes($v); }
if ((function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) || ini_get('magic_quotes_sybase')) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}
```
Answer 2:
Read this on why you shouldn't use magic quotes: http://php.net/manual/en/security.magicquotes.disabling.php
Use one of the examples on that page and replace stripslashes with addslashes. But yes, your solution probably works. Though it would be faster and less intrusive to just use $_GET = array_map("addslashes", $_GET); once at startup. Even better would be to use mysql_real_escape_string instead of addslashes thereon. (But your database connection must already be established for this to work.)
Also I'd like to spamrecommend you this: http://sourceforge.net/p/php7framework/wiki/input/ - because it allows you to progressively rewrite your application to use $_GET->q["fieldName"] for (not so secure) magic quoted fields, or simply $_POST->sql["fieldName"] for (more secure) encoded fields. You can even use $_REQUEST->sql->always() to enable the filter per default for all normal $_REQUEST["fieldName"] accesses. Though that might be overkill for some applications.
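The two answers put together in working code, as an added example that is not part of the question or of either answer: the startup normalization Answer 1 sketches, done recursively so nested array parameters are not passed to stripslashes(), then the UPDATE from the question written without addslashes() at all as a mysqli prepared statement, plus the escaped-string fallback Answer 2 mentions, using the connection-aware real_escape_string() (which knows the connection charset, unlike addslashes()). The table and column names are the question's; the id column, the connection details and the updateMyField() helpers are assumptions. On the second question: magic quotes were removed in PHP 5.4 (there never was a PHP 6 release), and get_magic_quotes_gpc() itself was removed in PHP 8.0, so the function_exists() guard is what keeps the startup block from failing on a current PHP.

```php
<?php
// Added example, not code from the question or the answers.
// Assumes mysqli (available on PHP 5.2) and a table myTable(id INT, myField VARCHAR).

// 1. Undo magic_quotes_gpc once at startup so every value is escaped exactly
//    once, by the code that knows the target context (SQL, HTML, ...).
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        // recurse: stripslashes() on an array only produces a warning and NULL
        return array_map('undoMagicQuotes', $value);
    }
    return stripslashes($value);
}

// function_exists() guard: get_magic_quotes_gpc() is gone in PHP 8.0
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undoMagicQuotes($_GET);
    $_POST   = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
}

// 2. Replacement for fHandleQuotes() + string concatenation: the value is sent
//    as a bound parameter, so no quoting of any kind is needed and the query
//    text never changes with the input.
function updateMyField(mysqli $db, $id, $value)
{
    $stmt = $db->prepare('UPDATE myTable SET myField = ? WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $value, $id);   // 's' string, 'i' integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Fallback while migrating string-built queries: escape with the
//    connection-aware function instead of addslashes(). The connection must
//    exist first, which is the caveat Answer 2 points out.
function updateMyFieldEscaped(mysqli $db, $id, $value)
{
    $sql = sprintf(
        "UPDATE myTable SET myField = '%s' WHERE id = %d",
        $db->real_escape_string($value),
        (int) $id
    );
    return $db->query($sql);
}

// Usage (hypothetical connection details).
$db = new mysqli('localhost', 'user', 'pass', 'mydb');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');   // keep real_escape_string() and the server in agreement

$field = isset($_POST['fieldName']) ? $_POST['fieldName'] : '';
updateMyField($db, 1, $field);
```

Whichever of the two update functions is kept, the input must reach it exactly once-unescaped: running addslashes() on top of magic quotes, as the original fHandleQuotes() avoids, or calling real_escape_string() on a value that is already slash-escaped, stores backslashes in the database.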
Source: https://stackoverflow.com/questions/4077543/using-get-magic-quotes-gpc-on-php-version-5-2-14-or-equivalent-for-php-version-6