Shulou(Shulou.com)06/03 Report--

This article mainly introduces "the analysis of security problems caused by PHP magic quotes". In daily operation, I believe that many people have doubts about the analysis of security problems caused by PHP magic quotes. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "analysis of security problems caused by PHP magic quotes". Next, please follow the editor to study!

The "\" character generated by PHP by extracting magic quotation marks can cause some security problems, such as the following code snippet:

/ foo.php?xigr='ryatfunction daddslashes ($string, $force = 0) {! defined ('MAGIC_QUOTES_GPC') & & define (' MAGIC_QUOTES_GPC', get_magic_quotes_gpc (); if (! MAGIC_QUOTES_GPC | | $force) {if (is_array ($string)) {foreach ($string as $key = > $val) {$string [$key] = daddslashes ($val, $force);}} else {$string = addslashes ($string);}} return $string }. Foreach (array ('_ COOKIE','_ POST','_ GET') as $_ request) {foreach ($_ request as $_ key = > $_ value) {$_ key {0}! ='_'& & $$_ key = daddslashes ($_ value);}} echo $xigr ['hi']; / / echo\

The above code would have expected an array variable $xigr ['hi'] after being securely processed by daddslashes (), but there is no strict type requirement for the variable $xigr. When we submit a string variable $xigr='ryat, it changes to\ 'ryat after the above processing, and finally $xigr [' hi'] will output\. If this variable is introduced into the SQL statement, it will cause serious security problems, so take a look at the following code snippet:

.. if ($xigr) {foreach ($xigr as $k = > $v) {$uids [] = $v ['uid'];} $query = $db- > query ("SELECT uid FROM users WHERE uid IN ('" .implode (",', $uids)."))

Using the ideas mentioned above, you can easily break through GPC or similar security processing and create a SQL injection vulnerability by submitting a construct such as foo.php?xigr [] ='& xigr [] [uid] = evilcode! Enough attention should be paid to this!

At this point, the study on the "analysis of security problems caused by PHP magic quotes" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.