The Magic Quotes Disabling Crisis



; Magic quotes

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

The official PHP documentation states that this option is turned off by default in PHP 5.3 (the shipped php.ini-production and php.ini-development above both set it to Off, and the feature is deprecated) and that it will be removed completely in PHP 5.4. I personally support this move very much, because countless cases have shown that this escaping is not very effective against the web attacks it was meant to defend against, and it hurts performance instead.

But this change also brings a crisis with it. Many web systems running on older PHP versions depend to some degree on magic quotes, and I have seen more than a few vulnerabilities that can only be exploited successfully when magic_quotes_gpc is Off. Most production systems have not yet upgraded to PHP 5.4 at scale, so the severity of the problem has not surfaced, and many people are not even aware that the Magic Quotes feature is being removed. If nothing is done about this in advance, it is very likely that once 5.4 becomes widespread we will see a new wave of XSS and SQL injection (MySQL) vulnerabilities in certain systems.

The PHP manual's own reasons for not using magic quotes ("Why not to use Magic Quotes"):

  • Portability Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-development enables these directives by default, php.ini-production disables it. This recommendation is mainly due to performance reasons.
  • Inconvenience Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().
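The following is an added example, not code from the original post, showing both the dependency described above (a query that was only "safe" because magic_quotes_gpc escaped the quote) and the portability advice from the manual (check get_magic_quotes_gpc() and normalize input once, then escape explicitly at each sink). It assumes PHP 5.3 or later with the pdo_sqlite extension, and the `users` table, the function names and the attacker input are all constructed for the demonstration.

```php
<?php
// Added example for this post, not code from the original article.
// Assumes PHP 5.3+ with pdo_sqlite. get_magic_quotes_gpc() exists up to
// PHP 7.3 and always returns false from 5.4 on, so this shim is a no-op there.

/** Recursively undo the escaping magic_quotes_gpc applied to GET/POST/Cookie. */
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Normalize once, at the entry point, so the rest of the application sees
// raw input no matter how php.ini is configured on this host.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Legacy pattern: no escaping of its own, because magic quotes "did it".
// Once magic_quotes_gpc is Off this is a plain SQL injection.
function find_user_legacy(PDO $db, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Replacement: a bound parameter. The driver keeps code and data apart
// regardless of the magic_quotes_gpc setting.
function find_user(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape at the HTML sink; magic quotes never protected against XSS.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed demo data in an in-memory SQLite database (hypothetical table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed attacker input. With magic_quotes_gpc=On this would have
// arrived as \' OR \'1\'=\'1 and stayed inside the string literal;
// with it Off the quote terminates the literal and rewrites the WHERE clause.
$input = "' OR '1'='1";

echo "legacy rows: " . count(find_user_legacy($db, $input)) . "\n";
echo "bound rows:  " . count(find_user($db, $input)) . "\n";
echo h("<script>alert(1)</script>") . "\n";
```

Run against the constructed table, the legacy query returns both rows (the clause becomes `name = '' OR '1'='1'`) while the bound query returns none, since the whole string is matched literally. Two caveats a practitioner should keep in mind: the shim only restores the raw input, it does not make the legacy concatenation safe, so every query still has to move to prepared statements or an explicit, connection-aware escape such as mysql_real_escape_string(); and addslashes()-style escaping, which is what magic quotes performed, is byte-oriented and can be bypassed under multibyte charsets such as GBK, which is one more reason the feature never was a reliable defence.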