Security principle analysis using addslashes function escape in PHP, addslashes escape _php Tutorial

Source: Internet
Author: User

Security principle analysis using addslashes function escaping in PHP, Addslashes escaping


This paper describes the security principle analysis of PHP using Addslashes function escaping. Share to everyone for your reference. The specific analysis is as follows:

First look at the prototype of Addslashes_deep in Ecshop.

Copy the Code code as follows: function Addslashes_deep ($value) {
if (empty ($value)) {
return $value; If it is empty, return directly;
} else {
Return Is_array ($value)? Array_map (' Addslashes_deep ', $value): Addslashes ($value);
}//recursively manipulate arrays until all array elements are traversed;
}
There is no problem with the Addslashes_deep function itself, but be careful when using it
It just happened to be on the internet today. Someone sent a bug injection vulnerability using this function
This function, when referencing the callback function addslashes, escapes only the value of the data, so if a consumer references an array's key for specific processing in this procedure, there is a risk of $key injection, at which point the Addslashes_deep function can be changed to escape the key value at the same time. or explicitly not referencing key content when used.

I hope this article is helpful to everyone's PHP programming.


The purpose of the addslashes () function in PHP

Addslashes--use a backslash to reference a string

String addslashes (String str)

Returns a string that is preceded by a backslash in order for the database query statement to be preceded by some characters. These characters are single quotes ('), double quotation marks ("), backslashes (\), and NUL (the NULL character).

An example of using addslashes () is when you want to enter data into the database. For example, the name O ' Reilly is inserted into the database, which needs to be escaped. Most databases use \ as escape character: O\ ' Reilly. This allows the data to be placed in the database without inserting additional \. When PHP instruction Magic_quotes_sybase is set to ON, it means that the insert ' will be used ' to escape.

By default, PHP instruction MAGIC_QUOTES_GPC is on, and it is primarily for all GET, POST, and COOKIE data automatically run Addslashes (). Do not use Addslashes () for strings that have been MAGIC_QUOTES_GPC escaped, because this results in double-layer escaping. You can use the function GET_MAGIC_QUOTES_GPC () to detect this situation.

Addslashes escape and not be able to raise the normal, what do I put forward with the escape can not be mentioned

See if you need to dereference a string that is escaped with addcslashes, and use the stripcslashes function to unlock

http://www.bkjia.com/PHPjc/904929.html www.bkjia.com true http://www.bkjia.com/PHPjc/904929.html techarticle the security principle analysis using addslashes function escaping in PHP, Addslashes escaping this article describes the security principle analysis using addslashes function escaping in PHP. Share to everyone ...

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.