Php. inimagic_quotes_gpc configure the anti-injection method (15 ). Php Tutorial. inimagic_quotes_gpc configuration anti-injection method 1. php configuration file php. the magic_quotes_gpc option in ini is not enabled and is set to off2. the developer does not check the data type. php Tutorial. ini magic_quotes_gpc configuration anti-injection method
1. the magic_quotes_gpc option in the php configuration file php. ini is disabled.
2. the developer does not check and escape the data type.
But in fact, the second point is the most important. In my opinion, it should be the most basic quality for a web programmer to check the data types entered by users and submit the correct data types to the mysql tutorial. But in reality, many small web developers often forget this, leading to a wide open backdoor.
Why is the second most important? Without the second guarantee, the magic_quotes_gpc option may cause SQL injection attacks, whether on or off. The following describes the technical implementation:
1. injection attack when magic_quotes_gpc = off
Magic_quotes_gpc = off is a very insecure option in php. The new php version has changed the default value to on. However, there are still a considerable number of server options that are off. After all, some old servers are also used.
When magic_quotes_gpc = on, it automatically adds all '(single quotes), "(double sign), (backslash), and white space characters in the submitted variables to the front. The official instructions for php are as follows:
The code is as follows:
Magic_quotes_gpc boolean
Sets the magic_quotes state for gpc (get/post/cookie) operations. when magic_quotes are on, all' (single-quote), "(double quote), (backslash) and nul's are escaped with a backslash automatically
If there is no escape, that is, off, attackers can take advantage of it. The following test script is used as an example:
The code is as follows:
If (isset ($ _ post ["f_login"])
{
// Database connection tutorial...
//... Code omitted...
// Check whether the user exists
$ T_struname = $ _ post ["f_uname"];
$ T_strpwd = $ _ post ["f_pwd"];
$ T_strsql = "select * from tbl_users where username = '$ t_struname' and password = '$ t_strpwd' limit ";
If ($ t_hres = mysql_query ($ t_strsql ))
{
// Processing after successful query...
}
}
?>
Sample test
1 2 3 4 5
Magic_quotes_gpc configuration anti-injection method 1. the magic_quotes_gpc option in the php configuration file php. ini is not enabled and is set to off 2. the developer does not check the data type...