为什么_GET在PHP错误地解码斜线？ [英] Why does _GET in PHP wrongly decodes slash?

问题描述

今天我遇到了一些奇怪的问题，我在文档中找不到正确的解释。请考虑以下代码：

Today I run into some oddity with PHP, which I fail find a proper explanation for in the documentation. Consider the following code:

<?php
echo $_GET['t']. PHP_EOL;
?>

代码很简单 - 在url上需要一个t参数，并将其输出。所以如果你用test.php？t =％5Ca（％5c是一个'\'）调用它，我预计会看到：

The code is simple - it takes a single t parameter on the url and outputs it back. So if you call it with test.php?t=%5Ca (%5c is a '\'), I expected to see:

\a

然而，这就是我所得到的：

However, this is what I got:

$ curl http://localhost/~boaz/test.php?t=%5Ca
\\a

注意双斜杠。任何人都可以解释发生了什么，并提供检索字符串的方式，因为它提供了URL？

Notice the double slash. Can anyone explains what's going on and give recipe for retrieving the strings as it was supplied on the URL?

谢谢，
Boaz

Thanks, Boaz

PS。我正在使用PHP 5.2.11

PS. I'm using PHP 5.2.11

推荐答案

发生这种情况是因为您在php.ini中切换了magic quotes上。在手册中：

This happens, because you have the "magic quotes" switch in php.ini switched on. From the manual:

打开时，全部（单引号），
（双引号），\\反斜杠）和NULL
字符自动转义为
反斜杠，这是
与addslashes（）相同。

When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.

在此阅读更多信息： http://php.net/手动/ en / security.magicquotes.php

为使您的脚本感知php.ini中magic_quotes_gpc设置的任何值，您可以写您的脚本如下所示：

To make your script aware of any value of the "magic_quotes_gpc" setting in php.ini, you can write your script like this:

$d = $_GET["d"];
if (get_magic_quotes_gpc()) $d = stripslashes($d);
echo $d; //but now you are kind of vulnerable to SQL injections
         //if you don't properly escape this value in SQL queries.

这篇关于为什么_GET在PHP错误地解码斜线？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！