Magic quotes in PHP


Problem description


According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data:

if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}


I have other validation checks that I will be performing, but how secure is the above strictly in terms of escaping data? I also saw that magic quotes will be deprecated in PHP 6. How will that affect the above code? I would prefer not to have to rely on a database-specific escaping function like mysql_real_escape_string().

Accepted answer


Magic quotes are inherently broken. They were meant to sanitize input to the PHP script, but without knowing how that input will be used it's impossible to sanitize correctly. If anything, you're better off checking if magic quotes are enabled, then calling stripslashes() on $_GET/$_POST/$_COOKIES/$_REQUEST, and then sanitizing your variables at the point where you're using them. E.g. urlencode() if you're using it in a URL, htmlentities() if you're printing it back to a web page, or your database driver's escaping function if you're storing it to a database. Note those input arrays could contain sub-arrays, so you might need to write a function that can recurse into the sub-arrays to strip those slashes too.

The PHP manual page on magic quotes agrees:


"This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. Relying on this feature is highly discouraged. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed."
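The approach the answer describes, as an added example that is not part of the original answer: undo magic quotes once at the entry point with a recursive stripslashes, then escape separately for each destination. The `$pdo` handle in the database step is assumed to exist, and the prepared statement is my substitution for a driver escaping function; the sample input is constructed.

```php
<?php
// Added example (not from the original answer): undo magic quotes once,
// then escape per destination at the point of use.

// Recursively strip the slashes magic_quotes_gpc added, descending into
// sub-arrays such as $_POST['user']['name']. Keys were escaped as well,
// so they are unslashed too.
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            $clean[stripslashes($key)] = strip_magic_quotes_deep($item);
        }
        return $clean;
    }
    return stripslashes($value);
}

// Only PHP < 5.4 can have magic quotes on; on 5.4+ get_magic_quotes_gpc()
// always returns false, and the function is gone in PHP 8, so guard it.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

// Constructed sample input standing in for $_POST['lastname'].
$lastname = "O'Brien <b>&</b>";

// 1. Into a URL: percent-encode.
$url = 'search.php?lastname=' . urlencode($lastname);

// 2. Back into HTML: entity-encode. ENT_QUOTES also converts single quotes,
//    so the value is safe inside attribute values, not only in text nodes.
$html = '<td>' . htmlentities($lastname, ENT_QUOTES, 'UTF-8') . '</td>';

// 3. Into the database: a bound parameter needs no escaping at all, which
//    is what "escape the data at runtime, as needed" amounts to with PDO.
//    $pdo is an assumed, already-opened PDO connection.
$stmt = $pdo->prepare('SELECT id FROM users WHERE lastname = ?');
$stmt->execute([$lastname]);
```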
