
PHP Magic Quotes quick fix

My Magic_Quotes has always been on and only today I've seen it's becoming deprecated. If I have it off, could I just escape all user input (whether it's being used in my database or not)? I definitely can't go back and rewrite all my database queries to use mysql_real_escape_string().

Could I just loop through all my $_GET, $_POST and $_SESSION and apply mysql_real_escape_string() ?


mysql_real_escape_string and magic_quotes_gpc are two different things. Magic quotes does not render your input safe enough for SQL queries.

Whether you like it or not, you should convert all your database queries to use a proper escaping mechanism, or you otherwise leave your application open to security issues like SQL injection.

You can't really apply mysql_real_escape_string directly on $_GET, $_POST, etc. because it might mess up your input data if you need it for anything else than SQL (like form validation and such).
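As an added illustration of this answer (example code, not from the original answers): undo magic quotes once at the input boundary so the rest of the code sees the raw value, and let a prepared statement do the quoting at query time instead of escaping $_GET/$_POST in place. The in-memory SQLite database and the sample name are constructed so the script runs offline; the MySQL DSN mentioned in the comment is an assumption about your setup.

```php
<?php
// Added example, not part of the original answers.

// 1. Boundary: reverse magic_quotes_gpc if an old PHP still has it on,
//    so the application always works with the raw user input.
function strip_magic_quotes($data) {
    if (is_array($data)) {
        $clean = array();
        foreach ($data as $key => $value) {
            $clean[stripslashes($key)] = strip_magic_quotes($value);
        }
        return $clean;
    }
    return stripslashes($data);
}

// get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// 2. Query time: the value is bound as a parameter, so quotes and backslashes
//    in it are never parsed as SQL syntax. No escaping call is needed, and the
//    same raw value stays usable for validation or display elsewhere.
function find_user(PDO $db, $name) {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo database (SQLite in memory) so this runs without a server;
// in the real application the DSN would be something like
// 'mysql:host=localhost;dbname=app' (assumed, adjust to your environment).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('alice')");

// Constructed request value: a name containing a single quote, which with
// magic_quotes_gpc on would have arrived as O\'Brien.
$raw = isset($_GET['name']) ? $_GET['name'] : "O'Brien";

$rows = find_user($db, $raw);
echo count($rows), " row(s) matched\n";
foreach ($rows as $row) {
    echo $row['id'], ': ', $row['name'], "\n";
}
```

Run it from the command line with `php example.php`; the single-quoted name matches exactly one row because the quote travels as data, not as part of the query text.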


Turn it off. The pain of recoding by hand, case by case, pales compared to the agony of being hacked.


See here click

This is the method I use. If you are using the case/switch method, simply include it in the index.php file. With the second method, you need to add it to each page.

  1. index.php?page=home
  2. index.php?page=two ...

SECOND METHOD: ADD THE CODE TO EACH PAGE

  1. index.php
  2. contact.php
  3. product.php ....

Recommended: simple page query with case/switch

<?php
// Magic Quotes Fix: only runs when magic_quotes_gpc is on, and removes the
// slashes PHP added so the application sees the raw input.
if (ini_get('magic_quotes_gpc')) {
    function clean($data) {
        if (is_array($data)) {
            // Build a fresh array: assigning $data[clean($key)] inside the loop
            // would leave the old, still-slashed key behind whenever the key
            // itself contained quotes.
            $cleaned = array();
            foreach ($data as $key => $value) {
                $cleaned[clean($key)] = clean($value);
            }
            return $cleaned;
        }

        return stripslashes($data);
    }

    $_GET     = clean($_GET);
    $_POST    = clean($_POST);
    $_REQUEST = clean($_REQUEST);
    $_COOKIE  = clean($_COOKIE);
}


Yes, you can, but don't forget that you can also send arrays via GPC. ?var[1]=data. It should be noted that magic_quotes_gpc was removed for a damn good reason and I bet many beers that your application is highly vulnerable to sql injection.

<?php
// Only escape when magic quotes did not already add slashes; otherwise the
// input would be escaped twice.
if (!get_magic_quotes_gpc()) {
    // Callback for array_walk_recursive: $value is passed by reference, so the
    // superglobal entry is modified in place. mysql_real_escape_string needs an
    // open mysql_connect() connection, so this must run after connecting.
    function my_escape(&$value, $key) {
        $value = mysql_real_escape_string($value);
    }

    // References to the superglobals, so nested arrays such as ?var[1]=data
    // are walked and escaped too.
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    array_walk_recursive($gpc, 'my_escape');
}
