PHP MANUAL 5.x, 4.x, 3.x - partially translated into Polish / source: www.php.net


Chapter 31. Magic Quotes

Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

What are Magic Quotes

When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.

There are three magic quote directives:

  • magic_quotes_gpc

    Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.

    See also get_magic_quotes_gpc().

  • magic_quotes_runtime

    If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to on in PHP.

    See also set_magic_quotes_runtime() and get_magic_quotes_runtime().

  • magic_quotes_sybase

    If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NULLs will remain untouched and unescaped.

    See also ini_get() for retrieving its value.
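
The escaping rules listed above, emulated as an added example (not part of the PHP manual or of the user notes). The function names emulate_magic_quotes(), undo_magic_quotes() and show() and the sample string are constructed for illustration, and the sybase branch follows the description given in this chapter.

```php
<?php
// Added example: emulates the escaping described in this chapter so it can
// be inspected on any PHP version. Function names are hypothetical.
// Assumes magic_quotes_sybase is not active in the interpreter running it,
// so addslashes()/stripslashes() use backslash escaping.

// What magic quotes would do to one incoming value.
function emulate_magic_quotes($value, $sybase = false) {
    if ($sybase) {
        // magic_quotes_sybase: only ' is escaped, by doubling it.
        return str_replace("'", "''", $value);
    }
    // Default mode: ', ", \ and NUL each get a backslash, like addslashes().
    return addslashes($value);
}

// Inverse of emulate_magic_quotes() for the same mode.
function undo_magic_quotes($value, $sybase = false) {
    return $sybase ? str_replace("''", "'", $value) : stripslashes($value);
}

// Make NUL bytes visible when printing.
function show($value) {
    return str_replace("\0", '<NUL>', $value);
}

// Constructed sample containing every character the chapter lists.
$input = "O'Reilly \"quoted\" C:\\tmp \0 end";

foreach (array(false, true) as $sybase) {
    $escaped = emulate_magic_quotes($input, $sybase);
    echo $sybase ? "sybase : " : "default: ", show($escaped), "\n";
    // Each mode needs its own inverse to recover the original bytes.
    var_dump(undo_magic_quotes($escaped, $sybase) === $input);
}

// Double escaping: the application calls addslashes() on a value that was
// already escaped on the way in, then strips slashes only once on read.
// The result still carries the first layer of backslashes, so the
// comparison with $input fails.
$stored = stripslashes(addslashes(emulate_magic_quotes($input)));
echo "stored : ", show($stored), "\n";
var_dump($stored === $input);
```

The last case is the data corruption that appears when code written for magic quotes off runs on a server where they are on.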




User Contributed Notes

jfrim at idirect dot com
27-Jan-2006 07:31

Unfortunately magic_quotes_gpc can not be changed at run-time, but here's a code block which will effectively get rid of it when executed.  Use this for PHP scripts which must be portable or run on servers where magic_quotes_gpc could be configured either way.

Note that the PHP help is a little misleading...  Magic_quotes_gpc affects more than just the Get, Post, and Cookie data!

<?php
//Prevent Magic Quotes from affecting scripts, regardless of server settings

//Make sure when reading file data,
//PHP doesn't "magically" mangle backslashes!
set_magic_quotes_runtime(FALSE);

if (get_magic_quotes_gpc()) {
   /*
   All these global variables are slash-encoded by default,
   because magic_quotes_gpc is set by default!
   (And magic_quotes_gpc affects more than just $_GET, $_POST, and $_COOKIE)
   */
   $_SERVER = stripslashes_array($_SERVER);
   $_GET = stripslashes_array($_GET);
   $_POST = stripslashes_array($_POST);
   $_COOKIE = stripslashes_array($_COOKIE);
   $_FILES = stripslashes_array($_FILES);
   $_ENV = stripslashes_array($_ENV);
   $_REQUEST = stripslashes_array($_REQUEST);
   $HTTP_SERVER_VARS = stripslashes_array($HTTP_SERVER_VARS);
   $HTTP_GET_VARS = stripslashes_array($HTTP_GET_VARS);
   $HTTP_POST_VARS = stripslashes_array($HTTP_POST_VARS);
   $HTTP_COOKIE_VARS = stripslashes_array($HTTP_COOKIE_VARS);
   $HTTP_POST_FILES = stripslashes_array($HTTP_POST_FILES);
   $HTTP_ENV_VARS = stripslashes_array($HTTP_ENV_VARS);
   if (isset($_SESSION)) {    #These are unconfirmed (?)
      $_SESSION = stripslashes_array($_SESSION, '');
      $HTTP_SESSION_VARS = stripslashes_array($HTTP_SESSION_VARS, '');
   }
   /*
   The $GLOBALS array is also slash-encoded, but when all the above are
   changed, $GLOBALS is updated to reflect those changes.  (Therefore
   $GLOBALS should never be modified directly).  $GLOBALS also contains
   infinite recursion, so it's dangerous...
   */
}

function stripslashes_array($data) {
   if (is_array($data)){
       foreach ($data as $key => $value){
           $data[$key] = stripslashes_array($value);
       }
       return $data;
   }else{
       return stripslashes($data);
   }
}
?>


07-Dec-2005 03:09

You should try to avoid magic_quotes in all its flavors, use add_slashes() and strip_slashes() instead with user input and you will save time and avoid common problems that come along.

You should know also that if your server has php suexec enabled you won't be able to use php_flag in .htaccess file to change php values like magic_quotes or register_globals. In this case you might wanna try creating a php.ini file in the same directory as your script and add something like this:

magic_quotes_runtime=off
magic_quotes_gpc=off
magic_quotes_sybase=off
register_globals=on ; only as an example

----
Mel
http://www.webhostingjournal.net/


richard dot spindler at gmail dot com
18-Aug-2005 10:59

To turn off magic quotes put the following line into the .htaccess file:

php_flag magic_quotes_gpc off


17-Jul-2005 04:44

Bright minds will have noticed, that one uses stripslashes() once on the input and saves that content for further processing. Then use addslashes() once before sending the content to the database or flat file.

Hint: if the application is using a MySQL database, don't use addslashes() but mysql_real_escape_string().


nitrous at fuckoff dot com
26-Jan-2005 08:01

This "feature" is the cause of so many escaping problems.  It's very important to understand the implications of what magic quotes really do.

Nearly every call, except those being written directly to the database, using user submitted data will require a call to strip_slashes.  It gets very ugly very fast.

What should be done is proper escaping of shell parameters and database parameters. PHP provides several escaping functions intended for this purpose. Slashes alone don't cut it anyway.


 

 