什么时候filter_input()删除POST变量的斜线? [英] When does filter_input() remove slashes of POST variables?
问题描述
我创建了一个小的PHP脚本,该脚本在启用了PHP 5.2.17且启用了magic_quotes_gpc指令的服务器上运行.
I created a small PHP-script, that runs on a server with PHP 5.2.17 and the magic_quotes_gpc directive enabled.
我没有对php.ini文件的写访问权,我想删除用户输入中的所有斜杠.
I have no write-access to the php.ini file, and I'd like to remove all slashes from user inputs.
即使关闭magic_quotes_gpc指令(例如,将脚本移动到另一台服务器时),此方法也应起作用.
This should work even if the magic_quotes_gpc directive is turned off (for example when moving the scripts to another server).
当用户提交数组时,它也应该递归工作.
我更喜欢使用内置功能.</p>
It should also work recursively when arrays are submitted by the user.
I prefer using a built in-function.
<html>
<head>
<title>HP</title>
</head>
<body>
<form method="POST" action="magic.php">
<input type="text" value="te\\"st" name="test1">
<input type="text" value="te\\"st" name="test2[tw"o]">
<input type="submit" value="submit">
</form>
<?php
echo "<pre>";
echo "magic_quotes: ".get_magic_quotes_gpc()."\n";
echo "<hr>test1";
echo "filter_input: ".filter_input(INPUT_POST, "test1")."\n";
echo "POST: ".$_POST['test1']."\n";
echo "<hr>test2 (filter)";
print_r(filter_input_array(INPUT_POST))."\n";
echo "<hr>test2 (post)";
print_r($_POST)."\n";
echo "</pre>";
?>
</body>
</html>
哪个在我的服务器上给出以下结果:
Which gives the following result on my server:
magic_quotes: 1
filter_input: te\\"st
POST: te\\\\\"st
test2 (filter)Array
(
[test1] => te\\"st
[test2] => Array
(
[tw\"o] => te\\"st
)
)
test2 (post)Array
(
[test1] => te\\\\\"st
[test2] => Array
(
[tw\"o] => te\\\\\"st
)
)
似乎除阵列键外,斜杠也已删除.
It seems that except for the array keys the slashes are removed.
还是没有添加斜线? (filter_input()和filter_input_array()可能会忽略magic_quotes_gpc指令,因为它已被弃用;但我找不到该指令的引用)
Or are the slashes never added? (filter_input() and filter_input_array() might ignore the magic_quotes_gpc directive, since it is deprecated; but I could not find a reference for that)
删除/不设置filter_input()和filter_input_array()的斜杠的行为是否取决于系统参数?
我不理解此处的警告.
Is the behaviour for removing/not setting the slashes of filter_input() and filter_input_array() somehow dependent on system-parameters?
I don't understand the warning here.
推荐答案
在官方文档中未能成功找到它,但是filter_input()函数对原始数据起作用,并且不受magic_quotes设置的影响.消毒过滤器FILTER_SANITIZE_MAGIC_QUOTES会在需要时将它们放入.
I've been unsuccessful in finding it in official documentation, but the filter_input() function operates on the raw data, and is unaffected by magic_quotes settings. The sanitize filter, FILTER_SANITIZE_MAGIC_QUOTES, will put them in if you need them.
这对我个人而言是个福音,因为我正在使用已打开magic_quotes的旧系统.通过使用filter_input()函数,我可以使用值,而不必在将它们绑定到PDO之前去除斜杠.
It's been a boon for me personally, because I'm working in a legacy system that has magic_quotes turned on. By using the filter_input() function I can use the values without having to strip slashes before binding them in PDO.
这些文章都在谈论它:
http://www.sitepoint.com/forums/showthread.php 590848-Filter_input-magic-quotes
https://weston.ruter.net/2013/10/22/revelations-about-filter_input/
http://php.net/manual/en/function.filter-input .php#99124
These articles talk about it:
http://www.sitepoint.com/forums/showthread.php?590848-Filter_input-magic-quotes
https://weston.ruter.net/2013/10/22/revelations-about-filter_input/
http://php.net/manual/en/function.filter-input.php#99124
这篇关于什么时候filter_input()删除POST变量的斜线?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
