magic_quotes_gpc = 1: which superglobals are affected?

If you look at the name of this directive, you would think that magic_quotes only applies to the $_GET, $_POST and $_COOKIE superglobals, but there is one outrageous comment in the PHP manual:

Please note that when magic_quotes_gpc is set, not only the values of the $_POST, $_GET, $_REQUEST, $_COOKIE arrays are reduced. In fact, each string value in the $GLOBALS array is cut, i.e. $GLOBALS['_SERVER']['PATH_INFO'] (or $_SERVER['PATH_INFO']).

Can anyone confirm that this is true? Are $GLOBALS, $_SERVER, $_FILES, $_SESSION and $_ENV also affected?

One more question: if I iterate stripslashes() over $_GET, $_POST and $_COOKIE, do I also need to iterate through $_REQUEST? Or are the changes automatically reflected?

+4
2 answers

I conducted several tests on LightTPD 1.4.20 and PHP 5.3.0 using magic_quotes_gpc = On, and $_SERVER is not changed (at least [SERVER_NAME] => local'host is not). $_SESSION is also not affected by magic_quotes.

$_GET, $_POST, $_COOKIE and $_REQUEST were affected (and their $GLOBALS counterparts).

In addition, changes to the GPC arrays are not automatically reflected in $_REQUEST.

As for the $_FILES and $_ENV superglobals, I cannot test them.


I finally ran this test and, to my surprise, both $_FILES and php://input were affected.

+2
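An added example, not part of either answer: one way to undo magic_quotes_gpc escaping across nested request arrays, cleaning $_REQUEST separately because, as the answer above reports, changes to the GPC arrays are not reflected in it. The function names undo_magic_quotes and magic_quotes_active and the sample data are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread). The sample data at the bottom is constructed.

/** Recursively apply stripslashes() to every string value; array keys are left as-is. */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** True only on runtimes that still provide the directive and have it switched on. */
function magic_quotes_active()
{
    // The function no longer exists on current PHP releases, so check before calling.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

if (magic_quotes_active()) {
    // $_REQUEST is its own array, not a reference to the other three,
    // so it has to be cleaned explicitly as well.
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed demonstration that runs with or without magic quotes:
// $get stands in for an escaped $_GET, $request for the separate $_REQUEST copy.
$get     = array('name' => "O\\'Reilly", 'tags' => array("a\\\"b"));
$request = $get;                       // arrays are copied by value

$get = undo_magic_quotes($get);        // clean only the first array

var_dump($get['name']);                // cleaned value
var_dump($get['tags'][0]);             // nested value is cleaned too
var_dump($request['name']);            // the copy still carries the backslash
```

Stripping the slashes only restores the raw input; the values still need parameter binding or escaping appropriate to wherever they are used next.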

In any case, I would advise you not to rely on GPC, as it is deprecated in new versions of PHP...

Perhaps this is not very relevant to your question, but on the raised issue of SQL security alternatives, I usually use prepared statements + mysql_real_escape_string for MySQL.

To make it close to perfection, it includes several functions, as it must also support integer, boolean, and null values, but you can take a look at the source code of the database classes and Database_mysql on NaturePhp.

+2
