Security principle analysis using addslashes function escape in PHP, addslashes escape _php Tutorial

Security principle analysis using addslashes function escaping in PHP, Addslashes escaping

This paper describes the security principle analysis of PHP using Addslashes function escaping. Share to everyone for your reference. The specific analysis is as follows:

First look at the prototype of Addslashes_deep in Ecshop.

Copy the Code code as follows: function Addslashes_deep ($value) {
if (empty ($value)) {
return $value; If it is empty, return directly;
} else {
Return Is_array ($value)? Array_map (' Addslashes_deep ', $value): Addslashes ($value);
}//recursively manipulate arrays until all array elements are traversed;
}
There is no problem with the Addslashes_deep function itself, but be careful when using it
It just happened to be on the internet today. Someone sent a bug injection vulnerability using this function
This function, when referencing the callback function addslashes, escapes only the value of the data, so if a consumer references an array's key for specific processing in this procedure, there is a risk of $key injection, at which point the Addslashes_deep function can be changed to escape the key value at the same time. or explicitly not referencing key content when used.

I hope this article is helpful to everyone's PHP programming.

The purpose of the addslashes () function in PHP

Addslashes--use a backslash to reference a string

String addslashes (String str)

Returns a string that is preceded by a backslash in order for the database query statement to be preceded by some characters. These characters are single quotes ('), double quotation marks ("), backslashes (\), and NUL (the NULL character).

An example of using addslashes () is when you want to enter data into the database. For example, the name O ' Reilly is inserted into the database, which needs to be escaped. Most databases use \ as escape character: O\ ' Reilly. This allows the data to be placed in the database without inserting additional \. When PHP instruction Magic_quotes_sybase is set to ON, it means that the insert ' will be used ' to escape.

By default, PHP instruction MAGIC_QUOTES_GPC is on, and it is primarily for all GET, POST, and COOKIE data automatically run Addslashes (). Do not use Addslashes () for strings that have been MAGIC_QUOTES_GPC escaped, because this results in double-layer escaping. You can use the function GET_MAGIC_QUOTES_GPC () to detect this situation.

Addslashes escape and not be able to raise the normal, what do I put forward with the escape can not be mentioned

See if you need to dereference a string that is escaped with addcslashes, and use the stripcslashes function to unlock

http://www.bkjia.com/PHPjc/904929.html www.bkjia.com true http://www.bkjia.com/PHPjc/904929.html techarticle the security principle analysis using addslashes function escaping in PHP, Addslashes escaping this article describes the security principle analysis using addslashes function escaping in PHP. Share to everyone ...

