我完全意识到 PHP 中 Magic Quotes 的异常,它是如何邪恶的,我像害虫一样避免它们,但是 magic_quotes_runtime 是什么?来自 php.ini:
运行时生成的魔术引号
数据,例如来自 SQL、来自 exec() 的数据,
等等
我应该检查是否打开并关闭:
set_magic_quotes_runtime(false);
默认情况下它经常打开吗 我知道它在 5.3.0 中已被弃用,并在 6.0.0 中被删除,但由于我的脚本支持 5.1.0+,我想知道如何在“旧版”PHP 中处理此问题(如果相关)。
编辑:为了清楚起见,我想退出('关闭魔术引号');当魔法报价开启时。我不依赖他们!
I'm totally aware of the aberration of Magic Quotes in PHP, how it is evil and I avoid them like pest, but what are magic_quotes_runtime? From php.ini:
Magic quotes for runtime-generated
data, e.g. data from SQL, from exec(),
etc.
Is is something I should check if ON and turn OFF with:
set_magic_quotes_runtime(false);
Is it often ON by default? I know it's deprecated in 5.3.0 and removed in 6.0.0 but since my script support 5.1.0+ I would like to know how to handle this in "legacy" PHP (if it's relevant).
Edit: To make things clear I want to exit('Turn OFF Magic Quotes'); when Magic quotes are ON. I'm not relying on them!
发布评论
评论(3)
http://www.php.net/manual /en/info.configuration.php#ini.magic-quotes-runtime
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime
您可以使用 ini_get 来检查它的值,如下所示:
另外,您应该在 function_exists 调用中包装对 set_magic_quotes_runtime/get_magic_quotes_runtime 的调用,如下所示:
但是,当然,人们根本不应该依赖魔术引号,并且如果可能的话应该禁用它们。请参阅此链接以了解原因: Archive.org:http://www.php.net/manual/en/security.magicquotes.whynot.php
You could use ini_get to check for it's value, like this:
Also you should wrap calls to set_magic_quotes_runtime/get_magic_quotes_runtime in function_exists calls, like that:
But of course, one should not rely on magic quotes at all and should have them disabled if possible. Se this link for a coule of reasons why: Archive.org: http://www.php.net/manual/en/security.magicquotes.whynot.php
如果魔术引号打开,php 将自动转义 POST 或 GET 变量中的引号,并在从数据库中提取数据时自动取消转义它们。
如果你使用诸如addslashes()、mysql_escape_string()或mysql_real_escape_string()之类的东西并加上魔术引号,你最终会得到双转义引号。
它邪恶的原因与addslashes() 和mysql_escape_string() 邪恶的原因相同——因为它没有捕获在字符串中放入引号的所有可能方法。它给你一种错误的安全感,让你认为你不必再担心转义引号,而实际上你仍然这样做。
另外,好像转义字符串还不足以满足 PITA 的要求,现在您必须在尝试转义或取消转义字符串之前检查魔术引号是否打开或关闭,以避免双重转义。
If magic quotes are ON, php will automatically escape quotes coming in POST or GET variables and automatically un-escape them when pulling data out of a database for example.
If you use things like addslashes(), mysql_escape_string() or mysql_real_escape_string() with magic quotes on, you'll end up double-escaping quotes.
The reason it's evil is the same reason addslashes() and mysql_escape_string() are evil - because it doesn't capture every possible method of putting a quote in a string. It gives you a false sense of security in thinking that you don't have to worry about escaping quotes anymore when in reality you still do.
Also, as if escaping strings wasn't enough of a PITA already, now you have to check if magic quotes are on or off before you try to escape or un-escape a string to avoid double escaping.