doushu5805 2010-04-22 05:55
浏览 82
已采纳

使用magic_quotes()会影响mysql_real_escape_string()的使用吗?

If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped? Will it cause problems?

I assume so based on the get_magic_quotes() function but just seeking confirmation.

(P.S. It's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a usable environment)

  • 写回答

4条回答 默认 最新

  • douxian1895 2010-04-22 06:04
    关注

    If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied to it, so passing it through mysql_real_escape_string() will in fact, double quote.

    To strip em:

    if (get_magic_quotes_gpc())
    {
        $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
        $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
        $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
        $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
        ini_set('magic_quotes_gpc', 0);
    }
    

    This question has some other options for stripping quotes / dealing with the horrible magic_quotes_gpc PHP 'feature'.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?