PHP 5.3 automatically escapes $_GET/$_POST from form strings?

Views: 180

Problem description

My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.

<?php

echo $_GET["escaped"];

?>

<form method="get">
    <input type="text" name="escaped" />
</form>

This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of GET.

Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?

Also, should I just leave it as is (in the event that it is indeed a good fail proof mechanism that correctly catches all get and post variables), or should I disable it (if that's even possible!) and go back to mysql_real_escape_string? My guts tell me approach 2 would be best, but approach 1 would be somewhat automagical. :)

Edit: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don't want him/her to have slashes appearing out of nowhere.

Recommended answer

This "feature" is known as magic_quotes_gpc and does not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignores the actual input/database encoding). It is therefore deprecated and should not be used.

The official php manual includes a neat way to undo it in php code, but you should just turn it off.
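As an added example (not part of the original answer or the PHP manual), this is the undo-in-code approach the answer refers to, followed by a prepared statement so the database write no longer depends on addslashes or mysql_real_escape_string; the DSN, credentials and the `entries` table are assumed placeholders.

```php
<?php
// Added example. Undoes magic_quotes_gpc in code for hosts where php.ini
// cannot be edited; the preferred fix is still in php.ini:
//   magic_quotes_gpc = Off

// Recursively strip the backslashes that magic_quotes_gpc added to the
// input superglobals (nested arrays such as name[] fields included).
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// get_magic_quotes_gpc() exists in PHP 5.x (removed in PHP 8), so the
// guard makes this a no-op on installs that never had the feature.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = stripslashes_deep($_GET);
    $_POST    = stripslashes_deep($_POST);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

// The asker's use case: echo the field back into the form unchanged.
// htmlspecialchars covers the HTML context only, not the database one.
$escaped = isset($_GET['escaped']) ? $_GET['escaped'] : '';
echo '<input type="text" name="escaped" value="'
    . htmlspecialchars($escaped, ENT_QUOTES, 'UTF-8') . '" />';

// For the database, bind the raw value; the driver quotes it with
// knowledge of the connection charset (charset= in the DSN needs
// PHP 5.3.6 or later), which addslashes cannot do.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8', // assumed DSN
    'user', 'secret',                                // assumed credentials
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);
$stmt = $pdo->prepare('INSERT INTO entries (text) VALUES (:text)');
$stmt->execute(array(':text' => $escaped));
```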
