Solution to Double Backslash Escaping on Database Insert and Database Class Escaping in ThinkPHP
- 2021-07-26 06:59:59
- OfStack
This article describes how to solve double backslash escaping when ThinkPHP writes data to the database, together with a fix for the escaping in the database class. It is shared for your reference. The specific methods are as follows:
This happens when magic_quotes_gpc is turned on. The reason is that ThinkPHP does not check whether magic_quotes_gpc is turned on when it writes to the database; it applies escape processing in every case.
The solution is to add the following code to the entry file:
    // When magic_quotes_gpc is off, add the backslashes here instead,
    // so request data always arrives escaped.
    if (!get_magic_quotes_gpc()) {
        // Apply addslashes() to a value, recursing into nested arrays.
        function addslashes_deep($value) {
            $value = is_array($value) ?
                array_map('addslashes_deep', $value) :
                addslashes($value);
            return $value;
        }
        $_POST = array_map('addslashes_deep', $_POST);
        $_GET = array_map('addslashes_deep', $_GET);
        $_COOKIE = array_map('addslashes_deep', $_COOKIE);
        $_REQUEST = array_map('addslashes_deep', $_REQUEST);
    }
The escape function in DbMysql.class.php has been modified as follows:
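    public function escape_string($str) {
        // magic_quotes_gpc is on: assume the value is already escaped
        if (get_magic_quotes_gpc()) {
            return $str;
        }
        // Otherwise escape once, using the open connection if there is one
        if ($this->_linkID) {
            return mysql_real_escape_string($str, $this->_linkID);
        } else {
            return mysql_escape_string($str);
        }
    }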
In fact, this method is not desirable! If magic quotes is on and $str does not come from POST or GET (for example, it was read from a text file or from the database), it still has no backslashes.
So I do not care whether $str has already been escaped. In every case, remove the escaping first and then add it again. In this way, double escaping is avoided, and missing escapes are also avoided.
Here are my modifications:
    public function escape_string($str) {
        // Remove any existing escaping first, then escape exactly once
        $str = stripslashes($str);
        if ($this->_linkID) {
            return mysql_real_escape_string($str, $this->_linkID);
        } else {
            return mysql_escape_string($str);
        }
    }
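The three escape_string() behaviours discussed above, compared side by side for request data and for data read from a file or the database. This is an added example, not code from the article or from ThinkPHP. It assumes a simplified model: addslashes() stands in for mysql_real_escape_string(), the helpers db_escape(), db_store() and stored_value() are hypothetical, and the sample inputs are constructed.

```php
<?php
// Constructed model, not ThinkPHP code. addslashes() stands in for
// mysql_real_escape_string(); db_store() stands in for MySQL reading '...'.
function db_escape($s) { return addslashes($s); }

function db_store($literal) {
    $out = '';
    for ($i = 0, $n = strlen($literal); $i < $n; $i++) {
        $c = $literal[$i];
        if ($c === '\\' && $i + 1 < $n) { $out .= $literal[++$i]; continue; }
        if ($c === "'") { return '<unescaped quote ends the literal>'; }
        $out .= $c;
    }
    return $out;
}

// The three escape_string() behaviours described in the article.
function escape_always($s, $mq)      { return db_escape($s); }
function escape_skip_if_mq($s, $mq)  { return $mq ? $s : db_escape($s); }
function escape_strip_first($s, $mq) { return db_escape(stripslashes($s)); }

// $slashed: the value already carries backslashes (request data under
// magic_quotes_gpc or under the entry-file addslashes_deep() code).
function stored_value($variant, $raw, $slashed, $mq) {
    $value = $slashed ? addslashes($raw) : $raw;
    return db_store($variant($value, $mq));
}

$cases = array(               // label => array($slashed, $mq)
    'request, magic quotes on'      => array(true,  true),
    'request, entry-file code only' => array(true,  false),
    'file/db, magic quotes on'      => array(false, true),
    'file/db, magic quotes off'     => array(false, false),
);
$samples  = array("O'Reilly", 'C:\\logs');   // constructed inputs
$variants = array('escape_always', 'escape_skip_if_mq', 'escape_strip_first');

foreach ($variants as $variant) {
    echo $variant, "\n";
    foreach ($cases as $label => $c) {
        foreach ($samples as $raw) {
            $got = stored_value($variant, $raw, $c[0], $c[1]);
            printf("  %-30s %-9s -> %-34s %s\n", $label, $raw, $got,
                   $got === $raw ? 'ok' : 'CHANGED');
        }
    }
}
```

In this model the strip-then-escape variant stores O'Reilly correctly in all four cases, but stripslashes() also removes backslashes that are part of the data itself, so C:\logs read from a file or the database is stored as C:logs.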
I hope this article is helpful to everyone's ThinkPHP framework programming.