Analysis of security issues caused by PHP magic quotes
Security problems can arise when PHP code extracts the \ character produced by magic quotes. For example, consider the following code snippet:

// foo.php?xigr='ryat
function daddslashes($string, $force = 0) {
    !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
    if(!MAGIC_QUOTES_GPC || $force) {
        if(is_array($string)) {
            foreach($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}
...
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach($$_request as $_key => $_value) {
        $_key{0} != '_' && $$_key = daddslashes($_value);
    }
}
echo $xigr['hi'];
// echo \

The code above expects $xigr to be an array, so that $xigr['hi'] is an array element that has already been through the daddslashes() security processing. However, it never strictly checks the type of $xigr. When we submit a string, $xigr='ryat, the processing above turns it into \'ryat. Indexing that string with ['hi'] is treated as a string offset and returns its first character, so echo $xigr['hi'] outputs \. If this variable is introduced into an SQL statement, it will cause serious security problems. Let's take a look at the following code snippet:

...
if($xigr) {
    foreach($xigr as $k => $v) {
        $uids[] = $v['uid'];
    }
    $query = $db->query("SELECT uid FROM users WHERE uid IN ('".implode("','", $uids)."')");
}

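Submitting foo.php?xigr[]='&xigr[][uid]=evilcode easily gets past GPC or similar security processing and forms an SQL injection vulnerability! The first element of $xigr is the escaped string \', so $v['uid'] yields a bare \ character; implode() then places that backslash directly in front of a closing quote in the IN (...) list, which escapes the quote and leaves the next value outside the string literal. Pay close attention to this!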
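
The missing type check described above can be closed by validating the shape of $xigr before indexing it and by binding the values instead of quoting them by hand. The following is an added example, not code from the original article; it assumes current PHP with the PDO SQLite driver, and the function names extract_uids and find_users, the table contents and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the original article); names and data are hypothetical.

// Accept only an array of arrays that each carry an all-digit 'uid', so a
// string element can never be indexed as if it were an array.
function extract_uids($input): array
{
    if (!is_array($input)) {
        throw new InvalidArgumentException('xigr must be an array');
    }
    $uids = [];
    foreach ($input as $row) {
        if (!is_array($row) || !isset($row['uid'])
            || !is_string($row['uid']) || !ctype_digit($row['uid'])) {
            throw new InvalidArgumentException('each element needs a numeric uid');
        }
        $uids[] = (int) $row['uid'];
    }
    return $uids;
}

// One bound placeholder per uid; no value is ever concatenated into the SQL.
function find_users(PDO $db, array $uids): array
{
    if ($uids === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($uids), '?'));
    $stmt = $db->prepare("SELECT uid FROM users WHERE uid IN ($marks)");
    $stmt->execute($uids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY)');
$db->exec('INSERT INTO users (uid) VALUES (1), (2), (3)');

// Well-formed request shape: foo.php?xigr[][uid]=1&xigr[][uid]=3
print_r(find_users($db, extract_uids([['uid' => '1'], ['uid' => '3']])));

// Mixed string/array shape from the article: rejected before any SQL is built.
try {
    extract_uids(["\\'", ['uid' => 'evilcode']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
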
[PHP learning] Teach 1 magic quote correction function
Thanks for your understanding. The function should be used to remove the backslash added by the magic quotes function, and then use addslashes() or mysql_real_escape_string() as needed.
ThinkPHP automatically adds a "/" solution to PHP magic quotes when uploading connected or images.
Are you sure you want to add "/" to the passed value? If it is "/", you can try to replace "/" with null in the Action.
Previously, the value I uploaded was added with "\", so I used stripslashes($_POST['CK.