Impact analysis of magic_quotes_gpc on unserialize in php _ php skills

This article mainly introduces the impact of magic_quotes_gpc on unserialize in php. it analyzes the impact of magic_quotes_gpc security filtering on unserialize and its solution in the form of examples, which is of great practical value, for more information about how magic_quotes_gpc affects unserialize in php, see the example below. Share it with you for your reference. The details are as follows:

Magic_quotes_gpc is a php function that adds some security filters to single double quotes. However, this function has some impact on our use of the unserialize function, next, let's take a look at several examples and solutions for this problem.

Yesterday, my friend asked me to help him solve the problem of the shopping cart program on his website. The program uses PHPCMS. it was good before changing the space. I just changed the space, the specific problem is that the system prompts that the shopping cart is successfully added to the shopping cart page, and the shopping cart is empty.

After reading the code, the general principle is to store the product ID and quantity in the array, serialize it, store it in the COOKIE, and deserialize the COOKIE on the shopping cart page, obtain the array and read the corresponding product information.

After debugging, the problem occurs on unserialize. I first wrote a code segment based on its shopping cart principle. the code is as follows:

The code is as follows:

<? Php
Header ("Content-type: text/html; charset = utf-8 ");
$ Magic = get_magic_quotes_gpc ()? "Enabled": "disabled ";

$ Str = array ('goods _ id' => 13, 'number' => 1 ));
Setcookie ("cart", serialize ($ str ));
Echo "magic_quotes_gpc:". $ magic ."
";
Echo $ _ COOKIE ['cart']."
";
Print_r (unserialize ($ _ COOKIE ['cart']);
?>

You can run this code to find that when your magic_quotes_gpc is closed, the program runs normally. However, when magic_quotes_gpc is enabled, you will find that deserialization is not successful, then you may know where the problem is?

The reason is that when magic_quotes_gpc is enabled, the system will automatically escape the single quotes in the result of the post get cookie, and add \, so the value of $ _ COOKIE ['cart'] becomes: 1: {I: 0; a: 2: {s: 8: \ "goods_id \"; I: 13; s: 6: \ "number \"; I: 1;}. in this case, unserialize cannot be deserialized successfully, and a problem occurs.

The solution is simply to change unserialize ($ _ COOKIE ['cart']) to unserialize (stripslashes ($ _ COOKIE ['cart']), and add stripslashes before the COOKIE, remove the escape character.

Test the cookie impact:

1. problem:Project data must be serialized and stored in the cookie, and then the reverse sequence of the cookie data is obtained to obtain the original data. the code is as follows:

The code is as follows:

$ A [0] = array ("key" => "haha ");
$ A [1] = array ("key" => "haha ");
$ Jsona = json_encode ($ );
Setcookie ("testcookie ","");
Setcookie ("testcookie", $ jsona );
Var_dump ($ jsona, true); // normal value
Var_dump (json_decode ($ _ COOKIE ['testcookie '], true); // The value cannot be obtained.

If no value is assigned by the cookie, the deserialization is normal. after the cookie is passed, the obtained value is null.

2. analysis,The code is as follows:

The code is as follows:

$ A [0] = array ("key" => "haha ");
$ A [1] = array ("key" => "haha ");
$ Jsona = json_encode ($ );
Var_dump ($ jsona); // string (50) "[{" key ":" \ u54c8 \ u903b "},{" key ": "\ u54c8 \ u903b"}]"
Setcookie ("testcookie ","");
Setcookie ("testcookie", $ jsona );
Var_dump ($ _ COOKIE ['testcooker']); // string (62) "[{\" key \ ": \" \ u54c8 \ u903b \"}, {\ "key \": \ "\ u54c8 \ u903b \"}]"
Var_dump (json_decode ($ _ COOKIE ['testcookie '], true ));

After comparing the data and processing the cookie, the code is as follows:

The code is as follows:

Var_dump (json_decode (stripslashes ($ _ COOKIE ['testcookie ']), true ));
Var_dump (json_decode (str_replace ("\", "", $ _ COOKIE ['testcookie ']), true ));

3. Summary:When magic_quotes_gpc is enabled, it will affect the data obtained through get | post | cookies. Therefore, when we get | post | cookies are used to process data, we first determine whether magic_quotes_gpc is enabled.

① When it is enabled, stripslashes is required to process data.

② If it is not enabled, accept the data first addslashes and process the data stripslashes

I hope this article will help you with PHP programming.