Why are magic quotes being applied in this scenario?

I can't post my company's proprietary code, but here is some concept code that should get the point across. It may not be free of syntax errors.

Server 1: PHP 5.3.5, php.ini magic_quotes_gpc = On (default)

On this server we render a page using PHP. The page has a button with JavaScript attached to the click event. The JavaScript posts to a URL on a second server, something like this:

var myURL = "http://server2/AcceptPacket";
// Assumes JSONdata is a form field rendered into the page by PHP on server 1
var POSTdata = document.getElementById("JSONdata").value;
var responsetext = httpPOST(myURL, POSTdata);

...

function httpPOST(myURL, POSTdata) {
    // Synchronous POST straight from the browser to server 2
    var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    xmlhttp.open("POST", myURL, false);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttp.send(POSTdata);

    return xmlhttp.responseText;
}

Server 2: PHP 5.4.9 (magic quotes 'feature' removed starting with PHP 5.4)

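<?php
    // fopen() requires a mode; append is assumed here for a log file
    $handle = fopen("/tmp/datalog", "a");
    // Write every POSTed value to the log exactly as received
    foreach ($_POST as $vblname => $value) {
        $fileData = $value;
        fwrite($handle, $fileData . "\n");
    }
    fclose($handle);
?>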

The data that is being stored in /tmp/datalog is the JSON data, but it has had all of the quotes escaped with a backslash. That clearly seemed like a magic quotes issue. And in fact, I solved it easily enough by disabling magic quotes on server1 and recycling Apache.

But I'm mystified as to how it broke in the first place. I put in an 'alert' right before the POST in the JavaScript, and the JSON did not appear to be escaped. But once it gets to server2, and is written to disk, it is escaped. Server 2 has PHP 5.4.9, so it doesn't even have the magic quotes 'feature', and in fact it was turning off magic quotes on server1 that solved the problem. So clearly, server1 was causing the problem.

What I can't figure out is, how did PHP magic quotes get applied between the alert in my JavaScript code, and the POST to server2? The JavaScript code isn't calling back to PHP on server1 in that path ... my best guess is that the characters were already escaped when the page was built, and before JavaScript retrieved the data from the page, and that the JavaScript alert hid that from me somehow ... is that possible?

There's probably a really obvious answer, but I'm relatively new to this stuff. I'm hoping someone can point out what I'm overlooking.
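An added example, not the asker's code and not a confirmed diagnosis: it simulates in PHP the path the question guesses at, where JSON reaches server 1 as request input, `magic_quotes_gpc` escapes it with `addslashes()` semantics, and the escaped copy is what gets rendered into the page. The sample JSON, the hidden-field markup and all function names are constructed for illustration.

```php
<?php
// magic_quotes_gpc = On ran every GET/POST/COOKIE value through addslashes().
// This helper reproduces that on any PHP version (hypothetical name).
function simulate_magic_quotes(array $input) {
    $out = array();
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? simulate_magic_quotes($value)
            : addslashes($value);
    }
    return $out;
}

// Recursively undo the escaping, including nested arrays (field[]=...).
function undo_magic_quotes(array $input) {
    $out = array();
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? undo_magic_quotes($value)
            : stripslashes($value);
    }
    return $out;
}

// Strip only when the runtime really applied magic quotes; the function
// no longer exists on current PHP, so guard the call.
function normalized_request(array $input) {
    $active = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $active ? undo_magic_quotes($input) : $input;
}

// Constructed sample: JSON as a client would submit it to server 1.
$raw     = array('JSONdata' => '{"user":"O\'Brien","role":"admin"}');
$escaped = simulate_magic_quotes($raw);   // what $_POST held on server 1

// Rendering the escaped copy into the page bakes the backslashes in, so the
// browser later posts them to server 2 unchanged.
$field = '<input type="hidden" id="JSONdata" value="'
       . htmlspecialchars($escaped['JSONdata'], ENT_QUOTES) . '">';
echo $field, "\n";

// The escaped copy is no longer valid JSON; the normalized copy decodes.
var_dump(json_decode($escaped['JSONdata'], true));
$clean = undo_magic_quotes($escaped);
var_dump(json_decode($clean['JSONdata'], true));
```

On a server where the setting cannot be turned off, calling `normalized_request($_POST)` once at the entry point keeps the escaping out of anything rendered or stored later.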
