PHP 7.4 deprecated get_magic_quotes_gpc function alternative


Question

I have encountered a situation where some of my old code is using get_magic_quotes_gpc(), which is deprecated in the latest PHP version 7.4.*

Currently, I have something like this.

return get_magic_quotes_gpc() ? addslashes($string) : $string;

Remove slashes:

return get_magic_quotes_gpc() ? stripslashes($string) : $string;

Which is obviously giving an error:

Deprecated: Function get_magic_quotes_gpc() is deprecated

Question:

How can I fix it? Can it work the same without using the get_magic_quotes_gpc() function?

Recommended answer

You need to remove every mention of this function from your code and do not replace it with anything else.

get_magic_quotes_gpc() has been useless ever since PHP 5.4.0. It would tell you whether you have magic quotes switched on in the configuration or not. Magic quotes were a terrible idea and this feature was removed for security reasons (PHP developers believed in magic & superstitions and wrote insecure code).

Most likely even you yourself do not know why you had this line of code in your project. I know I was fooled by it when I was learning PHP. The reality is you do not need it at all. This function has nothing to do with security and the concept of input sanitization is preposterous.

Instead, rely on good security guidelines.

  • Use parameterized prepared statements for interactions with the database. PHP has a very good library called PDO, which can be used with many DB drivers including MySQL.
  • If you produce output, then escape the output taking into consideration the rules of that medium. For example, when outputting to HTML, use htmlspecialchars() to prevent XSS.
  • Never sanitize input. There is no magical solution that would protect you against everything. Instead, you as a developer must be aware of dangers and you need to know how to protect your code.
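
The guidelines above as an added example (not part of the original answer): the value is stored unmodified through a PDO prepared statement and escaped only when written to HTML. It assumes the pdo_sqlite extension is available; the table, the function names and the sample input are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: pdo_sqlite is installed; an in-memory database keeps this self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Store the value exactly as received: no addslashes(), no stripslashes(),
// no get_magic_quotes_gpc() check. The driver keeps data separate from SQL.
function saveComment(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function findByAuthor(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape at the point of output, following the rules of the medium (HTML here).
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input containing quotes, a backslash and markup.
$author = "O'Brien";
$body   = 'It\'s a "test" with a \\ backslash and <b>markup</b>';
saveComment($pdo, $author, $body);

foreach (findByAuthor($pdo, $author) as $row) {
    // The database returns the original string unchanged.
    if ($row['body'] !== $body) {
        throw new RuntimeException('stored value was altered');
    }
    echo '<p><strong>', html($row['author']), '</strong>: ', html($row['body']), "</p>\n";
}
```

The same raw value would need a different encoder for a different output context, such as json_encode() for JSON, which is why the escaping belongs at output rather than at input.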
