Does using magic_quotes() affect the use of mysql_real_escape_string()

你离开我真会死。 Submitted on 2019-12-11 04:17:35

Question


If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped? Will it cause problems?

I assume so based on the get_magic_quotes() function but just seeking confirmation.

(P.S. It's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a usable environment)


Answer 1:


If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied to it, so passing it through mysql_real_escape_string() will, in fact, double quote.

To strip em:

if (get_magic_quotes_gpc())
{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS)), true);
    ini_set('magic_quotes_gpc', 0);
}

This question has some other options for stripping quotes / dealing with the horrible magic_quotes_gpc PHP 'feature'.




Answer 2:


Read the documentation of mysql_real_escape_string (I hope this is not difficult as well):

Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
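
The double escaping that the manual note above warns about, traced end to end as an added example (not code from the original thread). It assumes addslashes() as a stand-in for both magic_quotes_gpc and mysql_real_escape_string(), and stripslashes() as a model of how the server reads the quoted literal; all function names are hypothetical.

```php
<?php
// Added example, not from the original answers. No database or magic_quotes
// setting is needed: both escaping steps are modelled with addslashes().

// Assumption: magic_quotes_gpc behaves like addslashes() on each GPC value.
function simulate_magic_quotes($raw) {
    return addslashes($raw);
}

// Assumption: stand-in for mysql_real_escape_string(), which needs a live
// connection. For quotes and backslashes it adds a backslash like addslashes().
function simulate_real_escape($value) {
    return addslashes($value);
}

// Model of the server reading a quoted string literal: one level of
// backslash escaping is removed, and the result is what gets stored.
function simulate_stored_value($literal_body) {
    return stripslashes($literal_body);
}

// $magic_quotes_on is passed in because get_magic_quotes_gpc() no longer
// exists in current PHP releases.
function value_stored($raw, $magic_quotes_on, $strip_first) {
    $input = $magic_quotes_on ? simulate_magic_quotes($raw) : $raw;
    if ($magic_quotes_on && $strip_first) {
        $input = stripslashes($input);   // undo magic quotes, as the manual says
    }
    return simulate_stored_value(simulate_real_escape($input));
}

$raw = "O'Reilly \\ \"Bob\"";  // constructed sample: O'Reilly \ "Bob"

$cases = array(
    'magic quotes on, no stripslashes'    => value_stored($raw, true, false),
    'magic quotes on, stripslashes first' => value_stored($raw, true, true),
    'magic quotes off'                    => value_stored($raw, false, false),
);
foreach ($cases as $label => $stored) {
    printf("%-38s stored: %s  %s\n", $label, $stored,
           $stored === $raw ? '(intact)' : '(corrupted: extra backslashes)');
}
```

Only the first case stores a value that differs from the input: the backslashes added by magic quotes survive as literal characters in the stored data.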




Answer 3:


Of course, the easiest way is to turn magic_quotes off.
With usual PHP/Apache config, this line

php_flag magic_quotes_gpc 0

in the .htaccess file will do the thing.

But for the compatibility purpose, a function can be used in some config file too.

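// array_map_recursive() is not a PHP built-in, so it has to be defined first
function array_map_recursive($fn, $value) {
  if (!is_array($value)) return call_user_func($fn, $value);
  foreach ($value as $k => $v) $value[$k] = array_map_recursive($fn, $v);
  return $value;
}

if ( get_magic_quotes_gpc( ) ) {
  $_GET = array_map_recursive('stripslashes', $_GET) ;
  $_POST = array_map_recursive('stripslashes', $_POST) ;
  $_COOKIE = array_map_recursive('stripslashes', $_COOKIE) ;
  $_REQUEST = array_map_recursive('stripslashes', $_REQUEST) ;
  // stripslashes() returns the cleaned string, so assign it back
  if (isset($_SERVER['PHP_AUTH_USER'])) $_SERVER['PHP_AUTH_USER'] = stripslashes($_SERVER['PHP_AUTH_USER']);
  if (isset($_SERVER['PHP_AUTH_PW'])) $_SERVER['PHP_AUTH_PW'] = stripslashes($_SERVER['PHP_AUTH_PW']);
}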

one of the easiest




Answer 4:


If I have magic_quotes switched on and I use mysql_real_escape_string, will the string be double escaped?

Yes, it will but you could do something like this though:

if (get_magic_quotes_gpc())
{
  $escaped = stripslashes($your_vars);
}

Note: You can disable the magic quotes from PHP.ini or use the below function to override it:

// no more magic quotes
function get_magic_quotes_gpc()
{ 
  return false;
}


Source: https://stackoverflow.com/questions/2688526/does-using-magic-quotes-affect-the-use-of-mysql-real-escape-string
