When I escape all my inputs, sometimes slashes (\) are left in the string and inserted into the database. Why does this happen, and how do I fix it?
I have found the stripslashes function, but I would rather find where I am adding more slashes than I should. My functions use mysql_real_escape_string once for each variable, and I am querying the database using "insert into foo(bar,bar) values($baz,$baz)"; maybe this is the problem.
phpinfo gives
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
    static function insert($replyto,$memberid,$postid,$comment)
    {
        $message=array();
        $lenmax=1000;
        $lenmin=5;
        $toolong="comment is too long.";
        $tooshort="comment is too short.";
        $notarget="replied comment is deleted";
        $nomember="you are not a member";
        $notpost="commented post is deleted";
        // first failing check wins; the break leaves the switch
        switch(true)
        {
            case strlen($comment)<$lenmin: $message[]=$tooshort; break;
            case strlen($comment)>$lenmax: $message[]=$toolong; break;
            case $replyto!=NULL && !commentexists($replyto): $message[]=$notarget; break;
            case !memberexists($memberid): $message[]=$nomember; break;
            case !postexists($postid): $message[]=$notpost; break;
        }
        // the check must sit after the switch: inside it, the break above
        // meant it was never reached and validation errors were never returned
        if(count($message)>0) return $message;
        $replyto=mysql_real_escape_string($replyto);
        $memberid=mysql_real_escape_string($memberid);
        $postid=mysql_real_escape_string($postid);
        $comment=mysql_real_escape_string($comment);
        // only $comment is wrapped in quotes; the ids are interpolated bare
        if($replyto==NULL)
            mysql_query("insert into fe_comment(memberid,postid,comment) values($memberid,$postid,'$comment')");
        else
            mysql_query("insert into fe_comment(replyto,memberid,postid,comment) values($replyto,$memberid,$postid,'$comment')");
    }
My hosting firm has magic_quotes_gpc on, and I don't have access to the php.ini file; I am using the Plesk panel to configure things.
The PHP documentation says:
An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.
My insert queries put slashes into the database, and my PHP version is 5.2.3.
The documentation also says:
If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
So I am checking whether I escaped the values twice, but I am not able to find anywhere I escaped them twice.
Now I am using
$comment=mysql_real_escape_string(stripslashes($comment));
but I think it shouldn't become a standard in my code, because it doesn't look like "the right way" even though it saves the day.
magic_quotes_gpc automatically escapes everything and is also not reliable, because it is deprecated.
So I have created a .htaccess file and copied it into every directory where I have an index.php file; the .htaccess files have this text only:
php_flag magic_quotes_gpc Off
I ran phpinfo and it still gives:
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
Now I need a way to disable magic_quotes_gpc, and I have no access to the php.ini file. I am looking for ways to edit the .htaccess files now.
You are right.
The magic quotes stuff has nothing to do with the SQL stuff and shouldn't be connected to it.
Because magic quotes is a site-wide problem, and SQL escaping is an SQL-only problem.
So they need different treatment and should never be used in conjunction.
You have to get rid of magic quotes unconditionally, because it spoils not only SQL stuff but every data manipulation on your site.
So it would be wise to put some stripslashes code in whatever bootstrap file is run on every call of the script. You can find the code in numerous implementations; just google for the 'stripslashes_deep' function.
It would be wise to have this code always run (of course under a condition checking get_magic_quotes_gpc()), regardless of the actual state of magic quotes, just for the sake of compatibility.
But there is another possibility to turn them off: try to create a php.ini file in the root of your application.
However, there is a grave mistake in your code. In fact, it doesn't protect anything.
You are escaping $memberid and $postid but don't quote them! Thus, there is no protection at all, because escaping works only when used with quoting. Please remember:
Escaping is not a synonym for security!
Escaping alone can help nothing. There is a whole set of rules to be followed.
I wrote a decent explanation recently, so I won't repeat myself: Replacing mysql_* functions with PDO and prepared statements
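The two things this answer recommends, a site-wide stripslashes bootstrap and the insert rewritten with PDO prepared statements, as an added example that is neither the asker's nor the answerer's code; it assumes a PDO connection $db with ERRMODE_EXCEPTION enabled and that fe_comment.replyto accepts NULL.

```php
<?php
// Added example (not from the question or the answer). Part 1 undoes
// magic_quotes_gpc once for the whole site; part 2 inserts with bound
// parameters so nothing is escaped or quoted by hand. Assumed: PDO is
// available (it is on PHP 5.2.3) and fe_comment.replyto is nullable.

// ---- part 1: bootstrap.php, included before any request data is read ----
function stripslashes_deep($value)
{
    // Recurse into nested arrays such as $_POST['tags'][]
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// Strip only when PHP itself added the slashes; unconditional stripping would
// destroy legitimate backslashes typed by the user. The function_exists guard
// keeps the bootstrap working on PHP versions that dropped magic quotes.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = stripslashes_deep($_GET);
    $_POST    = stripslashes_deep($_POST);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

// ---- part 2: the insert with bound parameters ($db is an assumed PDO) ----
function insert_comment(PDO $db, $replyto, $memberid, $postid, $comment)
{
    $errors = array();
    if (strlen($comment) < 5)    { $errors[] = "comment is too short."; }
    if (strlen($comment) > 1000) { $errors[] = "comment is too long."; }
    if ($errors) { return $errors; }

    // The SQL text holds only placeholders; values travel separately, so a
    // quote or backslash in $comment cannot change the statement, and the
    // ids are sent as integers instead of depending on being quoted.
    $stmt = $db->prepare(
        'INSERT INTO fe_comment (replyto, memberid, postid, comment)
         VALUES (:replyto, :memberid, :postid, :comment)'
    );
    if ($replyto === null || $replyto === '') {
        $stmt->bindValue(':replyto', null, PDO::PARAM_NULL);
    } else {
        $stmt->bindValue(':replyto', (int) $replyto, PDO::PARAM_INT);
    }
    $stmt->bindValue(':memberid', (int) $memberid, PDO::PARAM_INT);
    $stmt->bindValue(':postid',   (int) $postid,   PDO::PARAM_INT);
    $stmt->bindValue(':comment',  $comment,        PDO::PARAM_STR);
    $stmt->execute();
    return array();
}
```

The existence checks from the question (commentexists, memberexists, postexists) slot in next to the length checks before the prepare call.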
Various ways of disabling magic quotes are provided in the PHP documentation. Failing that, it provides a way of removing the slashes recursively from all of your request variables.