Magic quotes in PHP


Question

According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data:

if (!get_magic_quotes_gpc()) {
    // magic_quotes_gpc is off: add the backslashes ourselves
    $lastname = addslashes($_POST['lastname']);
} else {
    // magic_quotes_gpc is on: PHP already added them, do not double-escape
    $lastname = $_POST['lastname'];
}

I have other validation checks that I will be performing, but how secure is the above strictly in terms of escaping data? I also saw that magic quotes will be deprecated in PHP 6. How will that affect the above code? I would prefer not to have to rely on a database-specific escaping function like mysql_real_escape_string().

Answer

Magic quotes are inherently broken. They were meant to sanitize input to the PHP script, but without knowing how that input will be used it's impossible to sanitize correctly. If anything, you're better off checking if magic quotes are enabled, then calling stripslashes() on $_GET/$_POST/$_COOKIE/$_REQUEST, and then sanitizing your variables at the point where you're using them somewhere. E.g. urlencode() if you're using it in a URL, htmlentities() if you're printing it back to a web page, or using your database driver's escaping function if you're storing it to a database. Note those input arrays could contain sub-arrays, so you might need to write a function that can recurse into the sub-arrays to strip those slashes too.

The PHP manual page on magic quotes agrees:

"This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. Relying on this feature is highly discouraged. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed."
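The approach the answer describes, as an added example that is not part of the original question or answer: undo magic quotes once and recursively, then escape each value for the destination where it is actually used. The PDO DSN and credentials are placeholders; binding the value with a prepared statement goes slightly beyond the answer's "driver's escaping function", but it is the standard way to avoid hand-escaping for SQL and it also addresses the asker's wish not to depend on mysql_real_escape_string().

```php
<?php
// Added example, not code from the original question or answer.
// Step 1: undo magic_quotes_gpc once, at the top of the request, so every
// later consumer sees the raw bytes the client sent.
// Step 2: escape per destination (HTML, URL, SQL) at the point of use.

/** Recursively strip the backslashes magic_quotes_gpc added to GPC input. */
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        // $_POST etc. may hold nested arrays (e.g. name="user[address][city]")
        return array_map('strip_magic_quotes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Only strip when PHP really added the slashes. Stripping unconditionally
// would silently mangle a legitimate backslash typed by the user.
// get_magic_quotes_gpc() always returns false from PHP 5.4 on, is deprecated
// in 7.4 and removed in 8.0, hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

$lastname = isset($_POST['lastname']) ? $_POST['lastname'] : '';

// 1. Into HTML: entity-encode with an explicit charset and ENT_QUOTES so
//    neither "<script>" nor a stray quote can break out of the attribute.
echo '<input name="lastname" value="'
    . htmlentities($lastname, ENT_QUOTES, 'UTF-8') . '">';

// 2. Into a URL query string: percent-encode so "&", "#" and "=" stay data.
echo '<a href="/search?lastname=' . urlencode($lastname) . '">search</a>';

// 3. Into SQL: no hand escaping at all; bind the value with a prepared
//    statement. DSN and credentials below are placeholders (assumption).
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'user',
    'pass',
    array(
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side binding
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    )
);
$stmt = $pdo->prepare('SELECT id FROM users WHERE lastname = :lastname');
$stmt->execute(array(':lastname' => $lastname));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
```

Run the strip block exactly once per request (a shared bootstrap file is the usual place); calling it twice would remove backslashes the user legitimately sent, which is the same "sanitize without knowing the destination" mistake the answer warns about.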

