Analysis on the security principle of using addslashes function escape in PHP, and addslashes escape

Source: Internet
Author: User


This article describes the security principle behind escaping with the addslashes function in PHP, for your reference. The analysis is as follows:

Let's take a look at the prototype of addslashes_deep in ECshop.

The code is as follows:

    function addslashes_deep($value)
    {
        if (empty($value)) {
            return $value; // if it is empty, return it directly
        } else {
            // recursively process the array until every element has been visited
            return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
        }
    }
The addslashes_deep function itself is fine, but you must be careful when using it.
Today we also saw an injection vulnerability reported on the Internet that stems from the use of this function.
Because the function applies the callback addslashes through array_map, only the array values are escaped, never the keys. If user-supplied array keys are then referenced in specific processing, there is a risk of injection through $key. In that case, either change addslashes_deep so that it escapes the keys as well as the values, or explicitly avoid referencing the key content.
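As an added example (not ECshop's code), the hypothetical function addslashes_deep_keys below implements the first remedy mentioned above, escaping keys as well as values, and is compared with the original array_map behaviour on a constructed input:

```php
<?php
// Added example, not part of ECshop: escape array keys as well as values.
function addslashes_deep_keys($value)
{
    if (empty($value)) {
        return $value;              // keep the original early return
    }
    if (!is_array($value)) {
        return addslashes($value);  // scalar: same as addslashes_deep
    }
    $out = array();
    foreach ($value as $key => $item) {
        // array_map never passes the key to the callback, so the original
        // function leaves it untouched; here the key is escaped explicitly.
        $out[addslashes((string) $key)] = addslashes_deep_keys($item);
    }
    return $out;
}

// Constructed input: both the key and the value contain a single quote.
$input = array("col'umn" => "O'Reilly");

// Original behaviour (what ECshop's addslashes_deep does for a flat array):
$valuesOnly = array_map('addslashes', $input);
var_dump(array_keys($valuesOnly)); // ["col'umn"]  - key still unescaped
var_dump($valuesOnly);             // ["col'umn" => "O\'Reilly"]

// Key-aware version: the key is escaped too.
var_dump(addslashes_deep_keys($input)); // ["col\'umn" => "O\'Reilly"]
```

Note that addslashes((string) $key) turns integer keys into strings; PHP converts purely numeric string keys back to integers, so numeric indexes are unaffected.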

I hope this article will help you with PHP programming.


Use of the addslashes () function in php

addslashes -- quote a string with slashes

string addslashes(string $str)

Returns a string with a backslash added before the characters that need to be escaped in database query statements. These characters are the single quote ('), the double quote ("), the backslash (\) and NUL (the NULL byte).

A typical use of addslashes() is when you want to insert data into a database. For example, to insert the name O'Reilly into a database, the single quote must be escaped. Most databases use \ as the escape character: O\'Reilly. This way the data can be stored without the database inserting additional backslashes. When the PHP directive magic_quotes_sybase is set to on, a single quote is escaped with another single quote ('') instead of a backslash.

By default, the PHP directive magic_quotes_gpc is on, which automatically runs addslashes() on all GET, POST and COOKIE data. Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, because this causes double escaping. You can use the get_magic_quotes_gpc() function to detect whether that is the case.

A string escaped with addslashes is no longer displayed correctly afterwards. How can this problem be solved?

Check whether the string was actually escaped by addcslashes; the stripcslashes function can be used to remove that escaping.
