Home > Article > Backend Development > Analysis of the impact of magic_quotes_gpc on unserialize in PHP, magicquotesgpc_PHP tutorial
Analysis of the impact of magic_quotes_gpc on unserialize in PHP, magicquotesgpc_PHP tutorial
- WBOYOriginal
- 2016-07-13 10:11:40922browse
Analysis of the impact of magic_quotes_gpc on unserialize in php, magicquotesgpc
This article analyzes the impact of magic_quotes_gpc on unserialize in PHP. Share it with everyone for your reference. The details are as follows:
magic_quotes_gpc is a function in PHP that adds some security filtering to single and double quotes. However, this function will have some impact on when we use the unserialize function. Let's look at some examples and solutions to this problem.
Yesterday, my friend asked me to help him solve the problem of the shopping cart program on his website. The program uses PHPCMS. It was fine before changing the space. The specific problem is that after successfully adding the shopping cart, it will jump to Shopping cart page, the shopping cart is empty.
I looked at the code. The general principle is to store the product ID and quantity in an array, then serialize it and store it in the COOKIE. Deserialize the COOKIE on the shopping cart page, get this array and read out the corresponding product information. .
After debugging, I found that the problem occurred in unserialize. I first wrote a piece of code based on its shopping cart principle. The code is as follows:
$magic = get_magic_quotes_gpc() ? "On" : "Not on";
$str = array(array('goods_id'=>13,'number'=>1));
setcookie("cart", serialize($str));
echo "magic_quotes_gpc: ".$magic."
";
echo $_COOKIE['cart']."
";
Print_r(unserialize($_COOKIE['cart']));
?>
If you execute this code, you will find that when your magic_quotes_gpc is turned off, this program executes without any problems, but when magic_quotes_gpc is turned on, you will find that the deserialization is not successful. At this time, you may know where the problem lies?
The reason is that when magic_quotes_gpc is turned on, the system will automatically escape and add the single quotes in the result of POST GET COOKIE, so the value of $_COOKIE['cart'] becomes a:1:{i: 0;a:2:{s:8:"goods_id";i:13;s:6:"number";i:1;}}, in this case, unserialize cannot successfully deserialize, and a problem occurs.
The solution is simply to change unserialize($_COOKIE['cart']) to unserialize(stripslashes($_COOKIE['cart'])), add stripslashes before COOKIE, and remove the escape character, so It’ll be no problem.
Let’s do another test on the impact of cookies:
1. Problem: The project data needs to be serialized and stored in a cookie, and then the cookie data is deserialized to obtain the original data. The code is as follows:
$a[1] = array("key"=>"Haru");
$jsona = json_encode($a);
setcookie("testcookie","");
setcookie("testcookie",$jsona);
var_dump($jsona,true); //Normal value
var_dump(json_decode($_COOKIE['testcookie'],true)); //Cannot get value
When there is no cookie assignment, deserialize normally. After passing the cookie, the value obtained is empty.
2. Analysis, The code is as follows:
$a[1] = array("key"=>"Haru");
$jsona = json_encode($a);
var_dump($jsona); //string(50) "[{"key":"u54c8 u903b"},{"key":"u54c8 u903b"}]"
setcookie("testcookie","");
setcookie("testcookie",$jsona);
var_dump($_COOKIE['testcookie']); // string(62) "[{"key":"\u54c8 \u903b"},{"key":"\u54c8 \u903b"}]"
var_dump(json_decode($_COOKIE['testcookie'],true));
After comparing the data, there are a few more // after cookie processing. The solution is as follows:
var_dump(json_decode(str_replace("\","",$_COOKIE['testcookie']),true));
3. Summary:When magic_quotes_gpc is turned on, it will affect the data obtained through get|post|cookies. So when we process data in get|post|cookies, we first determine whether magic_quotes_gpc is turned on.
① When enabled, stripslashes are required to process data
② When it is not enabled, accept data first addslashes and process data stripslashes
I hope this article will be helpful to everyone’s PHP programming design.