编写不受魔术引号影响的php应用-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

编写不受魔术引号影响的php应用

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 20, 2016 pm 12:45 PM

阅读前提：你必须看过php手册上的"第IV部分安全"的"第10章魔术引号"。如果没看过，也没问题，现在马上花10分钟先看一下php手册上的这东西。

魔术引号（Magic Quote）是一个自动将进入 PHP 脚本的数据进行转义的过程

你可能想让你的程序兼容多个数据库，但你使用的不同的数据库可能使用不同的转义符，而我们的程序又有可能运行在不同的php.ini配置的主机上，关于magic_quotes的配置又可能不一样，所以编写不受魔术引号影响的php应用是高兼容性的php应用所必须的。

php.ini中有三个魔术引号配置选项：

魔术引号配置选项	描述	运行时改变	在 PHP中的默认值为
magic_quotes_gpc	如果打开的话，影响到 HTTP 请求数据（GET，POST 和 COOKIE）。	不能	On
magic_quotes_runtime	如果打开的话，大部份从外部来源取得数据并返回的函数，包括从数据库和文本文件，所返回的数据都会被反斜线转义。（前提是magic_quotes_gpc = On）	能	Off
magic_quotes_sybase	当关闭时，所有的 '（单引号），"（双引号），/（反斜线）和 NULL 字符都会被自动加上一个反斜线进行转义。这和 addslashes() 作用完全相同。如果打开的话，将会使用单引号对单引号进行转义而非反斜线。此选项会完全覆盖 magic_quotes_gpc。如果同时打开两个选项的话，单引号将会被转义成 ''。而双引号、反斜线和 NULL 字符将不会进行转义。（前提是magic_quotes_gpc = On）	能	Off

但是要处理外部传来的全局变量就比较麻烦了。

要处理外部超级变量，我们要看magic_quotes_gpc是否已经打开(如果magic_quotes_gpc没打开，而 magic_quotes_sybase打开，magic_quotes_sybase也不起作用),还要看magic_quotes_sybase是否打开，再看我们的程序需要对外部变量用addslashes转义方式还是使用magic_quotes_sybase式的转义方式。下面的代码是一个具体的实现。

有人可能说，当magic_quotes_gpc设成On，而magic_quotes_sybase设成Off，那么直接用 ini_set('magic_quotes_sybase', 1);就能让系统用'来对addslashes式的转义进行覆盖。这样是不行的。你用ini_get('magic_quotes_sybase')输出看下配置，magic_quotes_sybase的确被改变了，但是你的代码就是不能用'转义符覆盖addslashes式的自动转义。这是因为系统获取外部变量的时候，是在你的ini_set('magic_quotes_sybase', 1);之前完成的。

/**
* 解决不受magic_quotes影响的php应用
*
* 使用这个处理办法需要配置是否使用magic_quotes_sybase, 以适应不同的DBMS
*
* 设置方法：
* $useQuotesSybase[数据库名] = 1;
* 如：使用sqlite，则定义并初始化 $useQuotesSybase['sqlite'] = 1;
* 如果使用mysql，可以定义并初始化 $useQuotesSybase['sqlite'] = 0; 也可以不定义
*
* CONFIG_DB_DBMS 为所用的DBMS的常量，在别处定义。比如 define('CONFIG_DB_DBMS', 'mysql');
*
* @author 流水孟春 cmpan(at)qq.com
* @link http://lib.cublog.cn
* $date 2007.11.18
*/
error_reporting(E_ALL);
set_magic_quotes_runtime(0);
define('CONFIG_DB_DBMS', 'sqlite'); // 测试用

// 使用 ' 做转义符的数据库
$useQuotesSybase = array();
$useQuotesSybase['sqlite'] = 1;
$useQuotesSybase['sybase'] = 1;

if(!empty($_POST)) $_POST = array_map('quotesOuterVars', $_POST);
if(!empty($_GET)) $_GET = array_map('quotesOuterVars', $_GET);
$_COOKIE = array_map('quotesOuterVars', $_COOKIE);
$_REQUEST = array_map('quotesOuterVars', $_REQUEST);

function quotesOuterVars($var) {
    if (is_array($var)) {
        return array_map('quotesOuterVars',$var);
    } else {
        if (get_magic_quotes_gpc()) {
            if (isset($GLOBALS['useQuotesSybase'][CONFIG_DB_DBMS]) && $GLOBALS['useQuotesSybase'][CONFIG_DB_DBMS]) {
                // 当前需要以 ' 为转义符
                // 如果 magic_quotes_sybase = Off, 系统将把外部变量 addslashes, 我们得先 stripslashes
                // 否则系统自动把 ' 换成 '',
                if (!ini_get('magic_quotes_sybase')) {
                    $var = stripslashes($var);
                    $var = str_replace("'", "''", $var);
                }
            } else {
                // 当前需要以 / 为转义符
                // 如果 magic_quotes_sybase = On, 我们先把 '' 替换成 ', 然后在 addslashes
                // 否则系统自动quotes
                if (ini_get('magic_quotes_sybase')) {
                    $var = str_replace("'", "''", $var);
                    $var = addslashes($var);
                }
            }
        } else{
            if (isset($GLOBALS['useQuotesSybase'][CONFIG_DB_DBMS]) && $GLOBALS['useQuotesSybase'][CONFIG_DB_DBMS]) {
                $var = str_replace("'", "''", $var);
            } else {
                $var = addslashes($var);
            }
        }

return trim($var);
}
}

从上面的表我们可以看出，对于magic_quotes_runtime，我在程序中用 ini_set('magic_quotes_runtime', 0);就可以把它关掉，然后可以用自己的方法来处理来自数据库或文件的数据。

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Repo: How To Revive Teammates

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hello Kitty Island Adventure: How To Get Giant Seeds

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

3 weeks ago By DDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

3 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7333

Java Tutorial

1627

CakePHP Tutorial

1351

Laravel Tutorial

1262

PHP Tutorial

1209

Related knowledge

11 Best PHP URL Shortener Scripts (Free and Premium) Mar 03, 2025 am 10:49 AM

Long URLs, often cluttered with keywords and tracking parameters, can deter visitors. A URL shortening script offers a solution, creating concise links ideal for social media and other platforms. These scripts are valuable for individual websites a

Introduction to the Instagram API Mar 02, 2025 am 09:32 AM

Following its high-profile acquisition by Facebook in 2012, Instagram adopted two sets of APIs for third-party use. These are the Instagram Graph API and the Instagram Basic Display API.As a developer building an app that requires information from a

Working with Flash Session Data in Laravel Mar 12, 2025 pm 05:08 PM

Laravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-

Build a React App With a Laravel Back End: Part 2, React Mar 04, 2025 am 09:33 AM

This is the second and final part of the series on building a React application with a Laravel back-end. In the first part of the series, we created a RESTful API using Laravel for a basic product-listing application. In this tutorial, we will be dev

Simplified HTTP Response Mocking in Laravel Tests Mar 12, 2025 pm 05:09 PM

Laravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>

cURL in PHP: How to Use the PHP cURL Extension in REST APIs Mar 14, 2025 am 11:42 AM

The PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.

12 Best PHP Chat Scripts on CodeCanyon Mar 13, 2025 pm 12:08 PM

Do you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom

Announcement of 2025 PHP Situation Survey Mar 03, 2025 pm 04:20 PM

The 2025 PHP Landscape Survey investigates current PHP development trends. It explores framework usage, deployment methods, and challenges, aiming to provide insights for developers and businesses. The survey anticipates growth in modern PHP versio

See all articles