How to deal with magic_quotes_gpc
This article discusses one of the configuration parameters of the PHP programming language: magic_quotes_gpc. This parameter plays an important role, first of all, in the security of any web application that processes data received from the user and stores it in a MySQL database.
The magic_quotes_gpc parameter controls how special characters contained in data sent by the user (the $_GET, $_POST and $_COOKIE arrays) are processed. With magic_quotes_gpc = 1, these special characters [single (') and double (") quotes, the backslash (\), and the NULL byte] are automatically escaped by the PHP interpreter (a backslash is added before each such character). With magic_quotes_gpc = 0, all data is passed exactly as the user entered it. In the latter case, for security reasons, the submitted data must be processed directly in the application code (otherwise an SQL injection attack is possible). For this purpose PHP has the addslashes function (quotation from the documentation):
    <?php
    $str = "Is your name O'reilly?";
    // Outputs: Is your name O\'reilly?
    echo addslashes($str);
Everything seems simple. Using the addslashes function in application code is fully justified when it is known for certain that the magic_quotes_gpc directive equals 0. But what if the hosting administrator decides to set its value to 1? The special characters will then be escaped twice! Therefore, addslashes should be applied only when magic_quotes_gpc = 0. The current value of this configuration parameter can be obtained with the standard get_magic_quotes_gpc function. Thus, more universal code looks like this:
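    <?php
    // $str stands in for a value taken from $_GET, $_POST or $_COOKIE
    $str = "Is your name O'reilly?";
    // Escape only if the interpreter has not already done so
    $str = (!get_magic_quotes_gpc()) ? addslashes($str) : $str;
    // Outputs under any PHP settings: Is your name O\'reilly?
    echo $str;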
Writing such a construct every time makes the code of the web application quite bulky. It is much more effective to put, at the beginning of each PHP file, universal code that performs the processing described above when necessary. It looks like this:
    <?php
    // Recursively escapes every string in an array (passed by reference)
    function addslashes_for_array(&$arr)
    {
        foreach ($arr as $k => $v)
        {
            if (is_array($v))
            {
                // Nested array: escape its elements, then store the result back
                addslashes_for_array($v);
                $arr[$k] = $v;
            }
            else
            {
                $arr[$k] = addslashes($v);
            }
        }
    }

    // Escapes request data only when the interpreter has not already done so
    function fix_magic_quotes_gpc()
    {
        if (!get_magic_quotes_gpc())
        {
            addslashes_for_array($_POST);
            addslashes_for_array($_GET);
            addslashes_for_array($_COOKIE);
        }
    }

    // Escapes strings in $_GET, $_POST, $_COOKIE if necessary
    fix_magic_quotes_gpc();
It should be noted that the code above also takes into account the fact that $_GET, $_POST and $_COOKIE can carry not only strings but also multidimensional arrays of strings.
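The double-escaping problem described above can be seen directly in what ends up stored. The following is an added example, not code from the original article: it compares unconditional addslashes with the conditional form under both settings. The $magicQuotesOn flag and all function names are assumptions of this example; the flag stands in for get_magic_quotes_gpc(), which no longer exists in PHP 8, and stripslashes approximates how MySQL reads a quoted literal.

```php
<?php
// Simulates what the interpreter does to request data when magic_quotes_gpc = 1.
function simulate_request($raw, $magicQuotesOn)
{
    return $magicQuotesOn ? addslashes($raw) : $raw;
}

// Unconditional escaping: the pattern the article warns about.
function escape_always($value)
{
    return addslashes($value);
}

// Conditional escaping: the pattern the article recommends.
function escape_once($value, $magicQuotesOn)
{
    return $magicQuotesOn ? $value : addslashes($value);
}

// Value MySQL would store after parsing the quoted literal: one level of
// backslash escaping is consumed. stripslashes() approximates this for the
// four characters that addslashes() escapes.
function stored_value($escaped)
{
    return stripslashes($escaped);
}

$raw = "O'Reilly"; // constructed sample input

foreach (array(false, true) as $on) {
    $received = simulate_request($raw, $on);
    $always = stored_value(escape_always($received));
    $once   = stored_value(escape_once($received, $on));
    printf(
        "magic_quotes_gpc=%d | always: %s (%s) | conditional: %s (%s)\n",
        $on,
        $always, $always === $raw ? 'intact' : 'corrupted',
        $once, $once === $raw ? 'intact' : 'corrupted'
    );
}
```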
P.S. In the course of a study of some websites recently carried out by our company, it was found that many fairly well-known web developers do not take the magic_quotes_gpc parameter into account. And that is a pity...
