Impact of magic_quotes_gpc on unserialize in php

Magic_quotes_gpc is a php function that adds some security filters to single double quotes. However, this function has some impact on my use of the unserialize function, next I will share with you several examples and solutions to this problem.... magic_quotes_gpc is a php function that adds some security filters to single double quotes. However, this function has some impact on my use of the unserialize function, next I will share with you several examples and solutions to this problem.

Yesterday, my friend asked me to help him solve the problem of the shopping cart program on his website. The program uses PHPCMS. it was good before changing the space. I just changed the space, the specific problem is that the system prompts that the shopping cart is successfully added to the shopping cart page, and the shopping cart is empty.

After reading the code, the general principle is to store the product ID and quantity in the array, serialize it, store it in the COOKIE, and deserialize the COOKIE on the shopping cart page, obtain the array and read the corresponding product information.

After debugging, the problem occurs on unserialize. I first wrote a code segment based on its shopping cart principle. the code is as follows:

 13, 'number' => 1); setcookie ("cart", serialize ($ str); echo "magic_quotes_gpc:". $ magic ."
"; Echo $ _ COOKIE ['cart']."
"; Print_r (unserialize ($ _ COOKIE ['cart']);?>

You can run this code to find that when your magic_quotes_gpc is closed, the program runs normally. However, when magic_quotes_gpc is enabled, you will find that deserialization is not successful, then you may know where the problem is?

The reason is that when magic_quotes_gpc is enabled, the system will automatically escape the single quotes in the result of the post get cookie, and add \, so the value of $ _ COOKIE ['cart'] becomes: 1: {I: 0; a: 2: {s: 8: \ "goods_id \"; I: 13; s: 6: \ "number \"; I: 1;}. in this case, unserialize cannot be deserialized successfully, and a problem occurs.

The solution is simply to change unserialize ($ _ COOKIE ['cart']) to unserialize (stripslashes ($ _ COOKIE ['cart']), and add stripslashes before the COOKIE, remove the escape character.

Test the cookie impact:

1. problem: Project data needs to be serialized and stored in the cookie, and then the reverse sequence of the cookie data is obtained to obtain the original data. the code is as follows:

$ A [0] = array ("key" => ""); $ a [1] = array ("key" => ""); $ jsona = json_encode ($ a); setcookie ("testcookie", ""); setcookie ("testcookie", $ jsona); var_dump ($ jsona, true ); // the normal value is var_dump (json_decode ($ _ COOKIE ['testcookie '], true); // The value cannot be obtained.

If no value is assigned by the cookie, the deserialization is normal. after the cookie is passed, the obtained value is null.

2. analyze the code as follows:

$ A [0] = array ("key" => ""); $ a [1] = array ("key" => ""); $ jsona = json_encode ($ a); var_dump ($ jsona); // string (50) "[{" key ":" \ u54c8 \ u903b "}, {"key": "\ u54c8 \ u903b"}] "setcookie (" testcookie "," "); setcookie (" testcookie ", $ jsona ); var_dump ($ _ COOKIE ['testcooker']); // string (62) "[{\" key \ ": \" \ u54c8 \ u903b \"}, {\ "key \": \ "\ u54c8 \ u903b \"}] "var_dump (json_decode ($ _ COOKIE ['testcookie '], true ));

After comparing the data and processing the cookie, the code is as follows:

var_dump(json_decode(stripslashes($_COOKIE['testcookie']),true));   var_dump(json_decode(str_replace("\\","",$_COOKIE['testcookie']),true));

Conclusion: when magic_quotes_gpc is enabled, it will affect the data obtained through get | post | cookies. Therefore, when we get | post | cookies are used to process data, we first determine whether magic_quotes_gpc is enabled.

1> when it is enabled, stripslashes is required to process data.

2> accept data first addslashes and process data stripslashes if it is not enabled