
php 5.4 magic_quotes_gpc alternative?

I was using php 5.2 earlier. Now I want to upgrade to php 5.4. Magic quotes are removed now. I want to make my application work properly. Which function should I use for escaping data, mysql_real_escape_string() or addslashes()?

Which function from the above will give the same results as the magic_quotes_gpc setting?

It's always best to migrate to PDO and prepared statements as outlined by @alex above.

If that isn't feasible, absolutely escape incoming string data with mysql_real_escape_string(), and validate integer data, e.g. using filter_input() as shown in this answer.

addslashes() is not a suitable escaping method for MySQL queries.

It's better to use prepared statements as suggested here for security reasons. mysql_real_escape_string() might not be sufficient to prevent SQL injection, e.g. because multibyte character sets can be abused despite the escape function (see mysql_real_escape_string() versus Prepared Statements).

Prepared statements in PHP can be used like this:

  // PDO prepared statement: the query text is sent first, the values are bound separately
  $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
  $stmt->bindParam(1, $name);
  $stmt->bindParam(2, $value);
  $stmt->execute();

More information on prepared statements in PHP. So in conclusion, if you have the possibility to change your application to prepared statements, that would be the best way to handle it.

UPDATE (totally not recommended)

If you really want to keep the state, use addslashes() for every $_GET and $_POST variable. It does manually the same thing that magic_quotes switched on did with all $_GET and $_POST variables. But I really guess it's less work to use mysqli with mysqli_real_escape_string or, better, prepared statements :)

http://php.net/manual/de/function.addslashes.php
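As an added example (not code from any of the answers above), here is the same migration done with mysqli instead of PDO: the string parameters are bound, the integer is validated with filter_input() as the first answer suggests, and a query-time escaping fallback is shown for queries that cannot be converted yet. The `registry` table, its columns and the connection credentials are assumed placeholders.

```php
<?php
// Added example: moving a query that relied on magic_quotes_gpc to a mysqli prepared
// statement with typed parameters. The table `registry` (name, value, owner_id) and
// the connection details are assumed placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // throw on SQL errors
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// Escaping-based code depends on the connection charset; set it explicitly.
$db->set_charset('utf8mb4');

// Raw input: no addslashes() here. PHP 5.4+ hands over the bytes exactly as sent.
$name  = isset($_POST['name'])  ? (string) $_POST['name']  : '';
$value = isset($_POST['value']) ? (string) $_POST['value'] : '';
// Integer input is validated rather than escaped (false = invalid, null = missing).
$ownerId = filter_input(INPUT_POST, 'owner_id', FILTER_VALIDATE_INT);
if ($ownerId === false || $ownerId === null) {
    http_response_code(400);
    exit('owner_id must be an integer');
}

// Prepared statement: the SQL text reaches the server before the parameter values,
// so quotes inside $name or $value can never change the statement's structure.
$stmt = $db->prepare('INSERT INTO registry (name, value, owner_id) VALUES (?, ?, ?)');
$stmt->bind_param('ssi', $name, $value, $ownerId);  // s = string, i = integer
$stmt->execute();
$stmt->close();

// Fallback for a query that cannot be converted yet: escape at query time with the
// connection-aware function, not addslashes(). The surrounding quotes must still be
// written by hand, which is one reason prepared statements are preferred.
function legacySelect(mysqli $db, $name)
{
    $sql = sprintf(
        "SELECT name, value FROM registry WHERE name = '%s'",
        $db->real_escape_string($name)
    );
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}
```

fetch_all() requires the mysqlnd driver; with the older libmysql driver, loop over fetch_assoc() instead.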

Because I cannot introduce a db layer in my application and I want a quick solution, I used the addslashes() function, because addslashes() escapes single quote ('), double quote ("), backslash (\) and NUL (the NULL byte), exactly what magic quotes escape.

Code:

    // Recursively addslashes() every cookie, GET and POST value. Note that this
    // writes each value into a global variable named after its key (register_globals
    // style); the superglobals themselves are left unchanged.
    foreach (array('_COOKIE', '_GET', '_POST') as $_SG) {
        foreach ($$_SG as $_SGK => $_SGV) {
            $$_SGK = smartQuotes($_SGV);
        }
    }

    function smartQuotes($value)
    {
        if (is_array($value)) {
            return array_map('smartQuotes', $value);
        }
        if ($value == '') {
            // empty input becomes the literal string 'NULL' (not an SQL NULL)
            $value = 'NULL';
        }
        if (!is_numeric($value)) {
            $value = addslashes($value);
        }
        return $value;
    }

addslashes() gives the same results as the magic_quotes_gpc setting, quoting from Magic Quotes:

When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.


Using magic_quotes_gpc on PHP 5.4 and above

If you still want to run magic_quotes_gpc on PHP 5.4 or a higher version for your legacy code, you can use yidas/magic-quotes:

https://github.com/yidas/php-magic-quotes

We need to addslashes in Request, Post, Get & Cookie. You can achieve it with the code below. Include the code below in your common file.

// Apply addslashes() recursively to every request superglobal, in place.
$la_magicQuotes = array('_REQUEST', '_POST', '_GET', '_COOKIE');
foreach ($la_magicQuotes as $la_superGlobal) {
    if ($$la_superGlobal && is_array($$la_superGlobal)) {
        array_walk($$la_superGlobal, 'pr_addslashed_array');
    }
}

// array_walk callback: the value is taken by reference, so nested arrays are
// modified where they live.
function pr_addslashed_array(&$la_val, $lc_key)
{
    if (is_array($la_val)) {
        array_walk($la_val, 'pr_addslashed_array');
    } else {
        $la_val = pr_addslashed($la_val);
    }
}

function pr_addslashed($lc_string)
{
    return addslashes($lc_string);
}
