The best way to disable PHP magic quotes without php.ini or .htaccess

Posted on 2024-11-23 18:48:13

I need to write portable code that will run on a shared server with magic_quotes_gpc enabled, and I am unable to change that in php.ini or .htaccess. (The server is running PHP 5.2.)

It seems there are numerous functions to stripslashes from all of the $_GET, $_POST etc. superglobals, but I'm not sure which is the best. Also, some comments here seem to say that the keys also have slashes added which need to be stripped as well. So should I use the one on the PHP website:

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

or something like this: (from this answer: PHP - Shorter Magic Quotes Solution)

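function strip_slashes_recursive(&$value) {
    if (!is_array($value)) {
        // built-in stripslashes(); strip_slashes() is not defined in this snippet
        $value = stripslashes($value);
    } else {
        foreach (array_keys($value) as $key) {
            // the function works by reference and returns nothing,
            // so recurse in place and then read the cleaned element
            strip_slashes_recursive($value[$key]);
            $arrayValue = $value[$key];
            unset($value[$key]);
            $value[stripslashes($key)] = $arrayValue;
        }
    }
}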

foreach (array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST) as &$array) {
    strip_slashes_recursive($array);
}
// don't forget to unset references or it can lead to very nasty bugs
unset($array);

or even something like this:

if (get_magic_quotes_gpc()) {
    function undoMagicQuotes($array, $topLevel=true) {
        $newArray = array();
        foreach($array as $key => $value) {
            if (!$topLevel) {
                $key = stripslashes($key);
            }
            if (is_array($value)) {
                $newArray[$key] = undoMagicQuotes($value, false);
            }
            else {
                $newArray[$key] = stripslashes($value);
            }
        }
        return $newArray;
    }
    $_GET = undoMagicQuotes($_GET);
    $_POST = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
    $_REQUEST = undoMagicQuotes($_REQUEST);
}

Can someone explain the pros/cons of each approach and/or a totally different approach and how thorough they are and if they strip slashes from the key as well as the value.

(also is this method any good: PHP: how to (correctly) remove escaped quotes in arrays when Magic Quotes are ON)
(and also it seems like all of these methods are incomplete as they don't strip slashes from all the affected superglobals Which superglobals are affected by magic_quotes_gpc = 1?)


Comments (3)

梦途 2024-11-30 18:48:13

Here's another one mostly from PHP: how to (correctly) remove escaped quotes in arrays when Magic Quotes are ON but with my own changes:

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    function unMagicQuotify($array) {
        $fixed = array();
        foreach ($array as $key=>$val) {
            if (is_array($val)) {
                $fixed[stripslashes($key)] = unMagicQuotify($val);
            } else {
                $fixed[stripslashes($key)] = stripslashes($val);
            }
        }
        return $fixed;
    }

    $_GET = unMagicQuotify($_GET);
    $_POST = unMagicQuotify($_POST);
    $_COOKIE = unMagicQuotify($_COOKIE);
    $_REQUEST = unMagicQuotify($_REQUEST);
    $_FILES = unMagicQuotify($_FILES);
}

Pros

  • They work for both arrays and single variables
  • Does strip the key
  • Does not use references

Cons

  • May change the order of variables

Note the inclusion of $_FILES as magic quotes also affects it.
As for reading a file (file_get_contents) and/or using php://input I couldn't tell whether magic quotes affects them, but you would have to stripslashes() as and when you are reading them and would not be able to do something like this. I didn't manage to check $HTTP_RAW_POST_DATA but it isn't populated by default so things should be ok leaving it out.

开始看清了 2024-11-30 18:48:13

You can get rid of slashes by performing this:

$_REQUEST = array_map('stripslashes', $_REQUEST);

I think it's easier and makes code smaller and more laconic.

I'm sure you know about what problems could appear while using the magic quotes directive (here is an article http://www.sitepoint.com/magic-quotes-headaches/). But IMO it's better for you to move your apps to another hosting provider in case your current provider can't turn magic quotes off. Also, it's not a very good idea to use an outdated version of PHP.

漫漫岁月 2024-11-30 18:48:13

First Method

Pros

  • They work for both arrays and single variables
  • Does strip the key

Cons

  • The code is too long for what it needs to be

Second Method

Pros

  • They work for both arrays and single variables

Cons

  • The code is too long for what it needs to be
  • Does not strip the key

Third Method

Pros

  • They work for both arrays and single variables
  • Does strip the key

Cons

  • The code is too long for what it needs to be

I've been using this, which works ok (Found it in osTicket, I love open source):

function strip_slashes($var){
    return is_array($var)?array_map('strip_slashes',$var):stripslashes($var);
}


if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = strip_slashes($_POST);
    $_GET = strip_slashes($_GET);
    $_REQUEST = strip_slashes($_REQUEST);
    $_COOKIE = strip_slashes($_COOKIE);
}

Pros

  • They work for both arrays and single variables

Cons

  • Does not strip the keys

I've never come across the need to strip the keys as well though. Many open source libraries don't do it (e.g. WordPress, osTicket). Generally I only use name for $_POST and $_GET data that will never be escaped.
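
An added example (not from the question, any of the answers, or osTicket) that runs a values-only strip and a key-and-value strip over the same nested input, to show the difference the answers above debate. The function names, the `check()` helper and the `$quoted` sample are assumptions constructed for illustration; the sample imitates what magic_quotes_gpc produces for a nested query string.

```php
<?php
// Added example. Function names and sample data are constructed for illustration.

// Values only: recursion via array_map, keys are left untouched.
function strip_values_only($var) {
    return is_array($var) ? array_map('strip_values_only', $var) : stripslashes($var);
}

// Keys and values: rebuilds each level into a new array, so element
// order is kept and no references are involved.
function strip_keys_and_values($var) {
    if (!is_array($var)) {
        return stripslashes($var);
    }
    $out = array();
    foreach ($var as $key => $val) {
        // Integer keys carry no escaping; only string keys are stripped.
        $newKey = is_string($key) ? stripslashes($key) : $key;
        $out[$newKey] = strip_keys_and_values($val);
    }
    return $out;
}

// Report one comparison result by name.
function check($label, $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . "\n";
    return $ok;
}

// Constructed input, escaped the way magic_quotes_gpc would escape
// ?user[o'neil][note]=it's a "test"\path&ids[]=1&ids[]=2
$quoted = array(
    'user' => array("o\\'neil" => array('note' => "it\\'s a \\\"test\\\"\\\\path")),
    'ids'  => array('1', '2'),
);
$plainNote = "it's a \"test\"\\path";

$valuesOnly = strip_values_only($quoted);
$full       = strip_keys_and_values($quoted);

check('values-only restores nested values', $valuesOnly['user']["o\\'neil"]['note'] === $plainNote);
check('values-only leaves the escaped key', !isset($valuesOnly['user']["o'neil"]));
check('key-aware restores nested values', $full['user']["o'neil"]['note'] === $plainNote);
check('key-aware removes the escaped key', !isset($full['user']["o\\'neil"]));
check('key-aware keeps order and list keys', array_keys($full) === array('user', 'ids') && $full['ids'] === array('1', '2'));
```

In a real bootstrap either function would be applied to the superglobals only when `function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()` is true, as in the answers above.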
