Analysis of security issues caused by PHP magic quotes

Source: Internet
Author: User

Extracting the \ character that magic quotes produce can cause security problems in PHP. For example, consider the following code snippet:

    // Request: foo.php?xigr='ryat
    // Apply addslashes() recursively unless magic_quotes_gpc already did.
    function daddslashes($string, $force = 0) {
        !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
        if(!MAGIC_QUOTES_GPC || $force) {
            if(is_array($string)) {
                foreach($string as $key => $val) {
                    $string[$key] = daddslashes($val, $force);
                }
            } else {
                $string = addslashes($string);
            }
        }
        return $string;
    }
    ...
    // Import every request parameter as a global variable after escaping it.
    foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach($$_request as $_key => $_value) {
            $_key{0} != '_' && $$_key = daddslashes($_value);
        }
    }
    echo $xigr['hi'];
    // outputs: \

The code above expects $xigr['hi'] to be an element of an array that has already been sanitized by daddslashes(), but it never enforces the type of $xigr. If we submit a string, $xigr='ryat, it becomes \'ryat after this processing. $xigr['hi'] is then a string offset rather than an array lookup (the non-numeric offset is treated as 0), so it outputs the first character, \. If such a variable is used in an SQL statement, it causes serious security problems. Consider the following code snippet:

    ...
    if($xigr) {
        // Each $v is assumed to be an array, but nothing checks that.
        foreach($xigr as $k => $v) {
            $uids[] = $v['uid'];
        }
        $query = $db->query("SELECT uid FROM users WHERE uid IN ('".implode("','", $uids)."')");
    }

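Submitting foo.php?xigr[]='&xigr[][uid]=evilcode easily gets past GPC or similar escaping and produces an SQL injection vulnerability: the first element is a string, so $v['uid'] yields the lone \ left by escaping, and that backslash escapes the closing quote in the IN list. This deserves serious attention!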
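A hardened form of the lookup above, as an added example that is not part of the original page: it checks the shape and type of every element before indexing into it and binds the uids as integer parameters. It assumes PHP with the pdo_sqlite extension; the function names collect_uids() and find_users() and the sample rows are hypothetical.

```php
<?php
// Added example, not the page's code. "users" and "uid" come from the page;
// function names and sample rows are hypothetical.

// Keep only well-formed uids: each element must itself be an array whose
// 'uid' is a positive integer. String elements are dropped, never indexed.
function collect_uids($input): array
{
    if (!is_array($input)) {
        return [];
    }
    $uids = [];
    foreach ($input as $v) {
        if (!is_array($v) || !isset($v['uid']) || !is_scalar($v['uid'])) {
            continue;
        }
        $uid = filter_var($v['uid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($uid !== false) {
            $uids[] = $uid;
        }
    }
    return array_values(array_unique($uids));
}

// Bind every uid as an integer parameter instead of building a quoted list.
function find_users(PDO $db, array $uids): array
{
    if ($uids === []) {
        return []; // never emit "IN ()"
    }
    $marks = implode(',', array_fill(0, count($uids), '?'));
    $stmt = $db->prepare("SELECT uid FROM users WHERE uid IN ($marks)");
    foreach (array_values($uids) as $i => $uid) {
        $stmt->bindValue($i + 1, $uid, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY)');
$db->exec('INSERT INTO users (uid) VALUES (1), (2), (3)');
// Constructed inputs: a well-formed request, then the mixed string/array shape.
$good  = [['uid' => '1'], ['uid' => '3']];
$mixed = ["\\'", ['uid' => 'evilcode']];
var_dump(find_users($db, collect_uids($good)));
var_dump(find_users($db, collect_uids($mixed)));
```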

