Using get_magic_quotes_gpc on PHP Version 5.2.14 o

Published 2019-05-30 06:52

Question:

Our site is using PHP Version 5.2.14

Lately our hoster probably changed the magic-quote definition, and I came up with the suggested solution [code below]

  1. Is this solution OK for PHP Version 5.2.14?
  2. What should I change when we upgrade to PHP version 6?
// Code:

// Returns the value with one level of backslash escaping, whatever the runtime does:
// if magic_quotes_gpc is on, PHP already added the slashes, so pass the value through;
// otherwise add them here.
function fHandleQuotes($s) {
  if (get_magic_quotes_gpc())
    return ($s);
  return (addslashes($s));
}

. . .
// Usage:

. . . 
$query = "UPDATE myTable SET myField = '" . fHandleQuotes($_POST['fieldName']) . "'";
. . . 

Answer 1:

In PHP 6 magic_quotes will be removed!
Now you can use this function.

// Recursive helper: stripslashes() itself only accepts strings, so nested inputs
// such as fieldName[] would raise a warning and be replaced by NULL.
function stripslashes_deep($v) { return is_array($v) ? array_map('stripslashes_deep', $v) : stripslashes($v); }

if(  ( function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc() ) || ini_get('magic_quotes_sybase')  ){
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_POST   = array_map('stripslashes_deep', $_POST);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}


Answer 2:

Read this on why you shouldn't use magic quotes:
http://php.net/manual/en/security.magicquotes.disabling.php

Use one of the examples on that page and replace stripslashes with addslashes. But yes, your solution probably works. Though it would be faster and less intrusive to just use $_GET = array_map("addslashes", $_GET); once at startup. Even better would be to use mysql_real_escape_string instead of addslashes thereon. (But your database connection must already be established for this to work.)

Also I'd like to spamrecommend you this: http://sourceforge.net/p/php7framework/wiki/input/ - because it allows you to progressively rewrite your application to use $_GET->q["fieldName"] for (not so secure) magic quoted fields, or simply $_POST->sql["fieldName"] for (more secure) encoded fields.
You can even use $_REQUEST->sql->always() to enable the filter per default for all normal $_REQUEST["fieldName"] accesses. Though that might be overkill for some applications.
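Both answers point the same way: undo magic quotes where the runtime adds them, and stop relying on addslashes() to make the value safe for the query. As an added example, not code from the question or either answer, here is a replacement for fHandleQuotes() that normalises the input to its raw form and then binds it as a PDO parameter, so the UPDATE works identically on PHP 5.2 with magic quotes on, on 5.4+ where they are gone, and on PHP 8 where get_magic_quotes_gpc() no longer exists (assumed: a MySQL PDO connection, an `id` column, and the table and field names from the question).

```php
<?php
// Added example (not from the question or the answers). Assumes a PDO MySQL
// connection and the question's table/column names; the "id" column is hypothetical.

// Drop-in replacement for fHandleQuotes(): instead of adding slashes so the value
// can be pasted into SQL text, return the value exactly as the user sent it.
// The function_exists() guard matters because get_magic_quotes_gpc() was removed in PHP 8.
function fRawInput($s) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($s);   // runtime already escaped it: undo that
    }
    return $s;                     // no magic quotes: the value is already raw
}

// The value travels as a bound parameter, so neither magic quotes nor addslashes()
// is involved and the quoting rules of the SQL dialect never apply to it.
function updateMyField(PDO $db, $id, $value) {
    $stmt = $db->prepare('UPDATE myTable SET myField = :value WHERE id = :id');
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Connection details are placeholders.
$db = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', 'user', 'secret');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Real server-side prepares: the driver never splices the value into the query text.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$rows = updateMyField($db, $_POST['id'], fRawInput($_POST['fieldName']));
```

With this in place the answer to question 2 is "nothing": the code no longer depends on whether a given PHP version still has magic quotes.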