Impact of magic_quotes_gpc on unserialize in php

Source: Internet
Author: User
Tags setcookie

Yesterday a friend asked me to help fix a problem with the shopping cart on his website. The site runs PHPCMS and worked fine until it was moved to a new hosting space (it had just been moved). The specific problem: after a product is successfully added to the cart, the cart page reports that the shopping cart is empty.

After reading the code, the general principle is this: the product ID and quantity are stored in an array, the array is serialized and stored in a cookie, and the shopping cart page deserializes the cookie to get the array back and look up the corresponding product information.

Debugging showed that the problem occurs in unserialize.

I first wrote a test script based on the cart's principle:

 

The code is as follows: Copy code
<? Php
Header ("Content-type: text/html; charset = utf-8 ");
$ Magic = get_magic_quotes_gpc ()? "Enabled": "disabled ";
     
$ Str = array ('goods _ id' => 13, 'number' => 1 ));
Setcookie ("cart", serialize ($ str ));
Echo "magic_quotes_gpc:". $ magic. "<br> ";
Echo $ _ COOKIE ['cart']. "<br> ";
Print_r (unserialize ($ _ COOKIE ['cart']);
?>


Running this code shows that when magic_quotes_gpc is disabled the program works normally, but when magic_quotes_gpc is enabled deserialization fails. By now you may already see where the problem is.

The reason is that when magic_quotes_gpc is enabled, PHP automatically escapes the quotes in POST, GET and COOKIE data by adding a \ in front of them, so the value of $_COOKIE['cart'] becomes: a:1:{i:0;a:2:{s:8:\"goods_id\";i:13;s:6:\"number\";i:1;}}. unserialize cannot parse this escaped string, so deserialization fails and the cart appears empty.

The solution is simple: change unserialize($_COOKIE['cart']) to unserialize(stripslashes($_COOKIE['cart'])). Applying stripslashes to the cookie value first removes the escape characters, and the problem goes away.

Testing the impact on cookies

1. Problem: Project data needs to be serialized and stored in a cookie, and the cookie data is later deserialized to recover the original data.

The code is as follows:

$a[0] = array("key" => "哈逻");
$a[1] = array("key" => "哈逻");
$jsona = json_encode($a);
setcookie("testcookie", "");
setcookie("testcookie", $jsona);
var_dump(json_decode($jsona, true)); // normal value
var_dump(json_decode($_COOKIE['testcookie'], true)); // the value cannot be obtained

If the value does not pass through the cookie, decoding works normally. The value obtained after passing through the cookie is null.

2. Analysis:

The code is as follows:

$a[0] = array("key" => "哈逻");
$a[1] = array("key" => "哈逻");
$jsona = json_encode($a);
var_dump($jsona); // string(50) "[{"key":"\u54c8\u903b"},{"key":"\u54c8\u903b"}]"
setcookie("testcookie", "");
setcookie("testcookie", $jsona);
var_dump($_COOKIE['testcookie']); // string(62) "[{\"key\":\"\u54c8\u903b\"},{\"key\":\"\u54c8\u903b\"}]"
var_dump(json_decode($_COOKIE['testcookie'], true));

Comparing the two values shows that the data that went through the cookie contains several extra \ characters.

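Solution:

The code is as follows:

var_dump(json_decode(stripslashes($_COOKIE['testcookie']), true));
// Alternative: this removes every backslash, including any that belong to
// the data itself (such as \u escapes), so stripslashes is the safer choice.
var_dump(json_decode(str_replace("\\", "", $_COOKIE['testcookie']), true));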


Conclusion: when magic_quotes_gpc is enabled, data obtained through GET, POST and cookies is affected. Therefore, when processing GET, POST or cookie data, first check whether magic_quotes_gpc is enabled.
1> If it is enabled, the data must be processed with stripslashes.
2> If it is not enabled, apply addslashes when accepting the data and stripslashes when processing it.
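
The check described in the conclusion, as an added example that is not part of the original article: a cookie reader that removes magic-quotes escaping only when the setting is active, then decodes and validates the cart. The function names undo_magic_quotes and read_cart_cookie and the sample cart are assumptions made for this example; JSON is used instead of unserialize because the cookie content is controlled by the client.

```php
<?php
// Added example, not from the original article. Function names are hypothetical.

/**
 * Undo magic_quotes_gpc escaping only when the setting is active.
 * The setting was removed in PHP 5.4, so the check short-circuits on newer
 * versions and never calls the deprecated/removed get_magic_quotes_gpc().
 */
function undo_magic_quotes($raw, $active = null)
{
    if ($active === null) {
        $active = PHP_VERSION_ID < 50400 && get_magic_quotes_gpc();
    }
    // Unconditional stripslashes() would corrupt clean input that contains
    // backslashes of its own, such as the \uXXXX escapes json_encode() emits.
    return $active ? stripslashes($raw) : $raw;
}

/** Decode the cart cookie and keep only well-formed integer entries. */
function read_cart_cookie($raw, $active = null)
{
    $data = json_decode(undo_magic_quotes($raw, $active), true);
    if (!is_array($data)) {
        return array(); // missing, truncated or tampered cookie: empty cart
    }
    $cart = array();
    foreach ($data as $item) {
        if (is_array($item) && isset($item['goods_id'], $item['number'])
            && is_int($item['goods_id']) && is_int($item['number'])
            && $item['number'] > 0) {
            $cart[] = array('goods_id' => $item['goods_id'], 'number' => $item['number']);
        }
    }
    return $cart;
}

// Constructed sample: the article's cart entry plus a name with non-ASCII text.
$json    = json_encode(array(array('goods_id' => 13, 'number' => 1, 'name' => '哈逻')));
$escaped = addslashes($json); // same escaping magic_quotes_gpc applied to input

var_dump(json_decode($escaped, true));            // escaped value decoded as-is: the failure in the article
var_dump(read_cart_cookie($escaped, true));       // setting active: escaping removed before decoding
var_dump(read_cart_cookie($json, false));         // setting inactive: value left untouched
var_dump(json_decode(stripslashes($json), true)); // stripslashes on clean input: \u escapes lose their backslash
```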
