Analysis of security issues caused by PHP magic quotes
Slicing the backslash character (\) that magic quotes inserts out of a request value can cause real security problems in PHP, as the following snippet shows:
// foo.php?xigr='ryat
// Recursively addslashes() every request value unless magic_quotes_gpc has already done so.
function daddslashes($string, $force = 0) {
    !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
    if(!MAGIC_QUOTES_GPC || $force) {
        if(is_array($string)) {
            foreach($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}
...
// Register every cookie, POST and GET value as a global variable of the same name
// (keys starting with '_' are skipped so $_GET etc. cannot be overwritten).
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach($$_request as $_key => $_value) {
        $_key[0] != '_' && $$_key = daddslashes($_value);
    }
}
echo $xigr['hi']; // prints \
The code above expects $xigr['hi'] to be an element of an array that daddslashes() has already escaped, but nothing checks that $xigr is actually an array. If we submit the string $xigr='ryat instead, the processing above turns it into \'ryat, and $xigr['hi'] then reads that string at offset 0 (a non-numeric string offset is treated as 0), so what gets output is a lone backslash. If that value is carried into an SQL statement, it causes serious security problems. Consider the following snippet:
...
if($xigr) {
    foreach($xigr as $k => $v) {
        $uids[] = $v['uid'];
    }
    $query = $db->query("SELECT uid FROM users WHERE uid IN ('".implode("','", $uids)."')");
}
Applying the same idea, a request of the form foo.php?xigr[]='&xigr[][uid]=evilcode turns the first element into the string \', whose offset read yields a lone backslash; that backslash escapes the closing quote in the IN list, so the second value lands in the query unquoted. This easily bypasses GPC-style escaping and similar protections and produces an SQL injection vulnerability. It deserves real attention!
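As an added example (not code from the original article), the following PHP script replays the string-for-array confusion from the snippets above and puts a hardened query builder beside the naive one. The function names, the constructed request array and the use of addslashes() in place of the removed magic_quotes_gpc are assumptions of this example. On PHP 5 and 7 the naive builder produces IN ('\','evilcode') from the crafted request, exactly the escape-breaking shape described above, while the hardened builder refuses the same request before any SQL is assembled.

```php
<?php
// Added example, not part of the original article. It replays the
// string-for-array confusion described above and shows a hardened query
// builder. magic_quotes_gpc was removed in PHP 5.4, so addslashes() stands
// in here for what magic quotes used to do to every request value.
declare(strict_types=1);

// Recursive escaping, equivalent to the article's daddslashes() with the
// magic-quotes check stripped out: every leaf string gets addslashes().
function escape_recursive($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = escape_recursive($v);
        }
        return $value;
    }
    return addslashes((string) $value);
}

// Naive builder from the article: trusts that every element is an array
// with a 'uid' key. On PHP 5/7 a string element is read at offset 0 (with a
// warning), so "\'" contributes a lone backslash; PHP 8 throws a TypeError.
function build_uid_query_naive(array $xigr): string
{
    $uids = [];
    foreach ($xigr as $v) {
        $uids[] = $v['uid'];
    }
    return "SELECT uid FROM users WHERE uid IN ('" . implode("','", $uids) . "')";
}

// Hardened builder: validates the shape of the input and the type of each
// uid before anything touches SQL. Integer uids need no quoting, so the
// query no longer depends on escaping at all; for string columns a prepared
// statement with bound parameters is the right tool instead.
function build_uid_query_hardened(array $xigr): string
{
    $uids = [];
    foreach ($xigr as $v) {
        if (!is_array($v) || !array_key_exists('uid', $v)) {
            throw new InvalidArgumentException('each xigr element must be an array with a uid');
        }
        $uid = filter_var($v['uid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($uid === false) {
            throw new InvalidArgumentException('uid must be a positive integer');
        }
        $uids[] = $uid;
    }
    if ($uids === []) {
        throw new InvalidArgumentException('no uids supplied');
    }
    return 'SELECT uid FROM users WHERE uid IN (' . implode(',', $uids) . ')';
}

// Constructed request: what PHP builds from foo.php?xigr[]='&xigr[][uid]=evilcode
$get = ['xigr' => ["'", ['uid' => 'evilcode']]];
$xigr = escape_recursive($get['xigr']);   // now ["\'", ['uid' => 'evilcode']]

try {
    echo build_uid_query_naive($xigr), PHP_EOL;
} catch (Throwable $e) {
    echo 'naive builder failed: ', get_class($e), PHP_EOL;
}

try {
    echo build_uid_query_hardened($xigr), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'hardened builder rejected input: ', $e->getMessage(), PHP_EOL;
}

// A well-formed request is still accepted by the hardened builder.
echo build_uid_query_hardened([['uid' => '7'], ['uid' => 42]]), PHP_EOL;
```

The point of the hardened version is not better escaping but refusing to let the caller decide the type of $xigr: the shape check (is_array plus an existing uid key) removes the string-offset read that leaks the backslash, and validating uid as an integer removes the quoted IN list that the backslash could break out of.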
Thank you, I basically understand it. The purpose of this function should be: if the magic quotes feature is turned on, remove the backslash it added, and then handle the value with addslashes() or mysql_real_escape_string() depending on the situation.
I want to check whether the value you passed has "/" added to it. If it is "/", you can try replacing "/" with nothing in the Action.
In the past, the value I passed had "\" added to it, so I used stripslashes($_POST['ck']) to handle it.