PHP 中的魔术引号
根据PHP手册,依次为了使代码更具可移植性,他们建议使用类似以下内容的方法来转义数据:
if (!get_magic_quotes_gpc()) {
$lastname = addslashes($_POST['lastname']);
} else {
$lastname = $_POST['lastname'];
}
我将执行其他验证检查,但是就转义数据而言,上述严格检查的安全性如何? 我还看到 PHP 6 中将废弃魔术引号。这将如何影响上面的代码? 我不想依赖数据库特定的转义函数,如 mysql_real_escape_string()。
According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data:
if (!get_magic_quotes_gpc()) {
$lastname = addslashes($_POST['lastname']);
} else {
$lastname = $_POST['lastname'];
}
I have other validation checks that I will be performing, but how secure is the above strictly in terms of escaping data? I also saw that magic quotes will be deprecated in PHP 6. How will that affect the above code? I would prefer not to have to rely on a database-specific escaping function like mysql_real_escape_string().
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(12)
魔法引号本质上是被破坏的。 它们的目的是清理 PHP 脚本的输入,但如果不知道如何使用该输入,就不可能正确清理。 如果有的话,你最好检查是否启用了魔术引号,然后在 $_GET/$_POST/$_COOKIES/$_REQUEST 上调用 stripslashes() ,然后在你在某个地方使用它的地方清理你的变量。 例如,如果您在 URL 中使用它,则使用 urlencode();如果您将其打印回网页,则使用 htmlentities();如果您将其存储到数据库,则使用数据库驱动程序的转义函数。 请注意,这些输入数组可能包含子数组,因此您可能需要编写一个可以递归到子数组的函数来删除这些斜杠。
PHP 关于魔法引用的手册页同意:
Magic quotes are inherently broken. They were meant to sanitize input to the PHP script, but without knowing how that input will be used it's impossible to sanitize correctly. If anything, you're better off checking if magic quotes are enabled, then calling stripslashes() on $_GET/$_POST/$_COOKIES/$_REQUEST, and then sanitizing your variables at the point where you're using it somewhere. E.g. urlencode() if you're using it in a URL, htmlentities() if you're printing it back to a web page, or using your database driver's escaping function if you're storing it to a database. Note those input arrays could contain sub-arrays so you might need to write a function can recurse into the sub-arrays to strip those slashes too.
The PHP man page on magic quotes agrees:
魔术引号是一个设计错误。 它们的使用与保持你的理智不相容。
我更喜欢:
不要编写与固有损坏的设置兼容的代码。 相反,通过让您的代码FAIL FAST来防御它们的使用。
Magic quotes were a design error. Their use is incompatible with retainnig your sanity.
I prefer:
Don't write code for compatibility with inherently broken setups. Instead defend aginst their use by having your code FAIL FAST.
我在网站的头文件中使用以下代码来反转 magic_quotes 的效果:
然后我可以编写其余的代码,就好像 magic_quotes 从未存在过一样。
I use the following code in the header file of my website to reverse the effects of magic_quotes:
Then I can write the rest of my code as if magic_quotes never existed.
“我不想依赖像 mysql_real_escape_string() 这样的特定于数据库的转义函数”
然后使用类似 PDO 。 但无论如何你都必须扭转魔法引号造成的伤害。
"I would prefer not to have to rely on a database-specific escaping function like mysql_real_escape_string()"
Then use something like PDO. But you have to reverse the damage done by magic quotes anyway.
对您的代码提出 PHP 5.2 或更高版本的要求,并使用过滤器 API。
filter_*函数直接访问原始输入数据(它们不会接触$_POST等),因此它们完全不受magic_quotes_gpc的影响>。那么这个例子:
可以变成这样:
Put a requirement of PHP 5.2 or higher on your code and use the filter API. The
filter_*functions access the raw input data directly (they don't ever touch$_POSTetc.) so they're completely unaffected bymagic_quotes_gpc.Then this example:
Can become this:
是的,这不是最好的方法,也不是最安全的方法。 逃避最好与你逃避的目的相关。 如果要存储在 mysql 数据库中,请使用 mysql_real_escape_string ,它会考虑其他语言环境、字符集。 对于 HTML,html 实体。 对于在代码中使用,escapeshellcmd、escapeshellarg。 是的,如果启用了魔术引号,您可能需要先搅拌斜杠。 但最好不要指望它或使用它。
Right, it's not the best way to do it and not the most secure. Escaping is best done in relation to what you are escaping for. If it is to store in a mysql database, use mysql_real_escape_string which takes into account other locales, character sets. For HTML, htmlentities. For use in code, escapeshellcmd, escapeshellarg. Yes, you probably need to stirpslashes first if magic quotes is on. But best not to count on it or use it.
关于使用数据库特定的转义函数,您非常需要这样做。 我发现在 MySQL 中使用
addslashes()在极少数情况下会失败。 您可以编写一个转义函数来确定您正在使用哪个数据库,然后使用适当的转义函数。Regarding using a database specific escaping function, you pretty much need to. I have found just using
addslashes()to fail in rare cases with MySQL. You can write a function to escape which determines which DB you are using and then use the approriate escape function.你可以试试这个:
You may try this:
“我不想依赖像 mysql_real_escape_string() 这样的特定于数据库的转义函数”
另外,addslashes 也可以被欺骗,请查看这篇文章:
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
"I would prefer not to have to rely on a database-specific escaping function like mysql_real_escape_string()"
Also addslashes can be tricked as well check out this post:
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
您的示例代码是向后的,您应该执行以下操作:
请注意,这会使您的输入数据完全处于用户键入的“原始”状态 - 没有额外的反斜杠,并且可能加载 SQL 注入和 XSRF 攻击 - 这正是你要。 然后,确保始终使用以下其中一项:
回显到 HTML 中时,将其包装在htmlentities()mysql_real_escape_string()。echo到 JavaScript 代码中时,请使用json_encode()Joel Spolsky 在 让错误的代码看起来错误
Your sample code is backwards, you should be doing the following:
Note that this leaves your input data in a 'raw' state exactly as the user typed it - no extra backslashes and potentially loaded with SQL Injection and XSRF attacks - and that's exactly what you want. Then, you make sure you always use one of the following:
echoing the variable into HTML, wrap it inhtmlentities()mysql_real_escape_string()as a minimum.echoing the variable into Javascritpt code, usejson_encode()Joel Spolsky has some good starting advice in Making Wrong Code Look Wrong
刚刚在 PHP 手册页< /a>,看起来是一个非常聪明的剥离 em 的方法(处理键和值......):
Just found this over on the PHP manual pages, looks like a pretty clever way to strip em (deals with keys and values...):
PDO 和 Mysqli 是防止 SQL 注入的更好方法。
但是,如果您要迁移基于每个 SQL 查询的 Magic Quotes 的遗留代码,您可以参考 yidas/php-magic-quotes 用于在 PHP 5.4 以上版本的环境下实现 Magic Quotes。
Prepared statements of PDO and Mysqli are the better way to prevent SQL injection.
But if you are migrating a legacy code which is base on Magic Quotes for every SQL queries, you can refer yidas/php-magic-quotes for implementing Magic Quotes on the environment with PHP 5.4 above version.