magic-quotes

问题 I've got a PHP script that is reading in some JSON data provided by a client. The JSON data provided had a single 'smart quote' in it. Example: { "title" : "Lorem Ipsum’s Dolar" } In my script I'm using a small function to get the json data: public function getJson($url) { $filePath = $url; $fh = fopen($filePath, 'r') or die(); $temp = fread($fh, filesize($filePath)); $temp = utf8_encode($temp); echo $temp . "<br />"; $json = json_decode($temp); fclose($fh); return $json; } If I utf8 encode

问题 I have a default site template I use for my site like below: <!-- Meta start --> <title></title> <meta name="description" content="" /> <meta name="keywords" content="" /> <!-- Meta end --> <?php require_once($sidebar_inc); ?> <?php // main.inc.php require_once($main_inc); ?> <!-- CONTENT START --> <?php // signup.tpl template location $tpl = 'inc/tpl/signup.tpl'; // check if files exists and is readable if(file_exists($tpl) && is_readable($tpl)) { echo file_get_contents($tpl); } else { echo

问题 I have a default site template I use for my site like below: <!-- Meta start --> <title></title> <meta name="description" content="" /> <meta name="keywords" content="" /> <!-- Meta end --> <?php require_once($sidebar_inc); ?> <?php // main.inc.php require_once($main_inc); ?> <!-- CONTENT START --> <?php // signup.tpl template location $tpl = 'inc/tpl/signup.tpl'; // check if files exists and is readable if(file_exists($tpl) && is_readable($tpl)) { echo file_get_contents($tpl); } else { echo

问题 I disabled magic_quotes in my php.ini. But I still get escaped strings in my form. Note: I'm running this in a theme in Wordpress. 回答1: I actually already figured this out, just want to leave my solution here in case other people might find it useful: Wordpress automatically escapes all request variables. If magic quotes are turned off, they strip the slashes first, but add them again afterwards. wp-settings.php code piece: // If already slashed, strip. if ( get_magic_quotes_gpc() ) { $_GET =

问题 Our site is using PHP Version 5.2.14 Lately our hoster probably changed magic-quote defenition, and I came up with the suggested solution [code bellow] Is this solution OK for PHP Version 5.2.14 ? What should I change when we upgrade to PHP version 6 ? // Code: function fHandleQuotes($s) { if (get_magic_quotes_gpc()) return ($s); return (addslashes($s)); } . . . // Usage: . . . $query = "UPDATE myTable SET myField = '" . fHandleQuotes($_POST['fieldName']) . "'"; . . . 回答1: In PHP 6 magic

问题 I'm totally aware of the aberration of Magic Quotes in PHP, how it is evil and I avoid them like pest, but what are magic_quotes_runtime ? From php.ini: Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. Is is something I should check if ON and turn OFF with: set_magic_quotes_runtime(false); Is it often ON by default? I know it's deprecated in 5.3.0 and removed in 6.0.0 but since my script support 5.1.0+ I would like to know how to handle this in "legacy" PHP (if

问题 My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP. <?php echo $_GET["escaped"]; ?> <form method="get"> <input type="text" name="escaped" /> </form> This outputs, if I enter for instance escape 'this test' , escape \'this test\' . Same goes if I use POST instead of GET . Is it

问题 I was going through a manual and found a statement saying "if array element used with '-' as the word separator, the array's element can be accessed by magic quotes".. but didn't provided with any explanations on it. could some one explain the reason behind this? 回答1: It's seemingly this one (since OP won't tell us): http://www.dagbladet.no/development/phpcodingstandard/#arrayelement Here "magic quotes" is simply the wrong designation. They mean double quoted string interpolation,

问题 If I have magic_quotes switched on and I use mysql_real_escape_string , will the string be double escaped? Will it cause problems? I assume so based on the get_magic_quotes() function but just seeking confirmation. (P.S. It's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a usable environment) 回答1: If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied

问题 One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection. Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the form: "Hello", said Jimmy O'Toole. If you print/echo the input on the PHP page that receives this POST data, it comes out as: \"Hello\", said Jimmy O\'Toole. This is the point where it gets confusing. If I put this input string into (My)SQL and execute