Analysis of security problems caused by PHP magic quotes

Source: Internet
Author: User
This article mainly introduces the security problem analysis caused by PHP magic quotes, which is very important for security coding! For more information, see the "\" character produced by extracting magic quotes in PHP. for example, the following code snippet:

// foo.php?xigr='ryatfunction daddslashes($string, $force = 0) {!defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());if(!MAGIC_QUOTES_GPC || $force) {if(is_array($string)) {foreach($string as $key => $val) {$string[$key] = daddslashes($val, $force);}} else {$string = addslashes($string);}}return $string;}...foreach(array('_COOKIE', '_POST', '_GET') as $_request) {foreach($$_request as $_key => $_value) {$_key{0} != '_' && $$_key = daddslashes($_value);}}echo $xigr['hi'];// echo \

The above code originally expected to get an array variable $ xigr ['hi'] After the daddslashes () security processing, but did not strictly define the type of the variable $ xigr, when we submit a string variable $ xigr = 'ryat and convert it to \ 'ryat after the above processing, \ will be output at the end of $ xigr ['hi \, if this variable is introduced into an SQL statement, it will cause serious security problems. let's take a look at the following code snippet:

...if($xigr) {foreach($xigr as $k => $v) {$uids[] = $v['uid'];}$query = $db->query("SELECT uid FROM users WHERE uid IN ('".implode("','", $uids)."')");

By submitting foo. php? Xigr [] = '& xigr [] [uid] = evilcode can easily break through GPC or similar security processing to form an SQL injection vulnerability! Pay enough attention to this!

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.