Write PHP apps that are not affected by magic quotes

Source: Internet
Author: User

Original works author Water Mengchun, reproduced please specify the source lib.cublog.cn

Read the premise: you must read the " Part IV Security" chapter "10th Magic Quotes" in the PHP manual. If you haven't seen it, it's no problem, now take 10 minutes to read this in the PHP manual first.

魔术引号(Magic Quote)是一个自动将进入 PHP 脚本的数据进行转义的过程

你可能想让你的程序兼容多个数据库,但你使用的不同的数据库可能使用不同的转义符,而我们的程序又有可能运行在不同的php.ini配置的主机上,关于magic_quotes的配置又可能不一样,所以编写不受魔术引号影响的php应用是高兼容性的php应用所必须的。

php.ini中有三个魔术引号配置选项:

Magic Quotes configuration Options Describe Run-time change The default value in PHP is
Magic_quotes_gpc If opened, it affects HTTP request data (Get,post and cookies). No On
Magic_quotes_runtime If open, most of the functions that get data from external sources and return the data, including from the database and text files, are escaped by backslashes. (If MAGIC_QUOTES_GPC = ON) Yes Off
Magic_quotes_sybase

When closed, all ' (single quotes), "(double quotes),/(backslashes), and NULL characters are automatically added with a backslash to escape. This is exactly the same as the addslashes () function.
If turned on, single quotes are escaped using single quotes instead of backslashes. This option will completely overwrite the MAGIC_QUOTES_GPC. If you open two options at the same time, the single quotes will be escaped to '. Double quotes, backslashes, and NULL characters are not escaped.
(If MAGIC_QUOTES_GPC = ON)

Yes Off

    但是要处理外部传来的全局变量就比较麻烦了。

要 处理外部超级变量,我们要看magic_quotes_gpc是否已经打开(如果magic_quotes_gpc没打开,而 magic_quotes_sybase打开,magic_quotes_sybase也不起作用),还要看magic_quotes_sybase是否 打开,再看我们的程序需要对外部变量用addslashes转义方式还是使用magic_quotes_sybase式的转义方式。下面的代码是一个具体 的实现。

    有人可能说,当magic_quotes_gpc设成On,而magic_quotes_sybase设成Off,那么直接用 ini_set(‘magic_quotes_sybase‘, 1);就能让系统用‘来对addslashes式的转义进行覆盖。这样是不行的。你用ini_get(‘magic_quotes_sybase‘)输出 看下配置,magic_quotes_sybase的确被改变了,但是你的代码就是不能用‘转义符覆盖addslashes式的自动转义。这是因为系统获 取外部变量的时候,是在你的ini_set(‘magic_quotes_sybase‘, 1);之前完成的。

<? PHP
/**
 * troubleshoot PHP applications that are not affected by Magic_quotes
 *
 * uses this approach to configure whether to use Magic_quotes_sybase to accommodate different DBMS
 *
 * Setup methods:
 * $ usequotessybase[database name] = 1;
 *: Using SQLite, define and initialize the $useQuotesSybase [' sqlite '] = 1;
 * If you use MySQL, you can define and initialize $useQuotesSybase [' sqlite '] = 0, or you can not define
 *
 * Config_db_dbms is a constant of the DBMS used, defined elsewhere. such as define (' Config_db_dbms ', ' MySQL ');
 *
 * @author pipelining Mengchun cmpan (at) qq.com
 * @link http://lib.cublog.cn
 * $date 2007.11.18
 */
error_reporting ( e_all ) ;
set_magic_quotes_runtime ( 0) ;
Define (' Config_db_dbms ', ' SQLite '); For testing

//Using the ' escape character ' database
$Usequotessybase = Array();
$Usequotessybase[' SQLite '] =1;
$Usequotessybase[' Sybase '] =1;

if(!Empty($_post)) $_post = Array_map(' Quotesoutervars ', $_post);
if(!Empty($_get)) $_get = Array_map(' Quotesoutervars ', $_get);
$_cookie = Array_map(' Quotesoutervars ', $_cookie);
$_request = Array_map(' Quotesoutervars ', $_request);

functionQuotesoutervars($var) {
if (Is_array($var)) {
return Array_map(' Quotesoutervars ',$var);
} Else {
if (GET_MAGIC_QUOTES_GPC()) {
if (isset($GLOBALS[' Usequotessybase '][Config_db_dbms]) && $GLOBALS[' Usequotessybase '][Config_db_dbms]) {
//Current need to ' as escape character '
If magic_quotes_sybase = Off, the system will addslashes the external variables, we'll have to stripslashes
//Otherwise the system automatically "replace",
if (!Ini_get(' Magic_quotes_sybase ')) {
$var = stripslashes($var);
$var = Str_replace("'", "'", $var);
}
} Else {
/ /Current need to/as escape character
//If magic_quotes_sybase = ON, we first replace ' ', and then addslashes
//Otherwise the system automatically quotes
if (Ini_get(' Magic_quotes_sybase ')) {
$var = Str_replace("'", "'", $var);
$var = addslashes($var);
}
}
} Else{
if (isset($GLOBALS[' Usequotessybase '][Config_db_dbms]) && $GLOBALS[' Usequotessybase '][Config_db_dbms]) {
$var = Str_replace("'", "'", $var);
} Else {
$var = addslashes($var);
}
}

        return Span style= "COLOR: #000000" > trim ( $ var ) ;
    }
}


    从上面的表我们可以看出,对于magic_quotes_runtime,我在程序中用 ini_set(‘magic_quotes_runtime‘, 0);就可以把它关掉,然后可以用自己的方法来处理来自数据库或文件的数据。


Write PHP apps that are not affected by magic quotes

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.