Home > Backend Development > PHP Tutorial > Correctly understand the true meaning of PHP escaping_PHP tutorial

Correctly understand the true meaning of PHP escaping_PHP tutorial

WBOY
Release: 2016-07-15 13:32:25
Original
786 people have browsed it

How to correctly understand

There is a "magic quote" switch by default in PHP. If this switch is turned on, $_GET, $_GET transferred from the outside , $COOKIE will be escaped by PHP.
For example:

http://localhost/test.PHP?test=1'

and then automatically escaped when test.PHP is output, The output is as follows:

var_dump($_GET['test'];

========output=======
string(3) "1 '"

" has been escaped. But there is a problem. When this value is output to a web page, the screen will fill up. Another function can be used here, stripslashes can Remove.

The PHP escaping in the manual means that it is recommended not to enable "magic quotes" because of efficiency issues. However, this also has an advantage, that is, it is very safe for a novice like me.
There are three ways to close "magic quotes", because this cannot be closed when PHP is running, that is to say, ini_set() cannot be used.

1. Set PHP.ini.

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

2. If the system cannot be modified, you can use .htaccess

PHP_flag magic_quotes_gpc Off

3. Efficiency The lowest PHP escaping method

<ol class="dp-xml">
<li class="alt"><span><span>if (get_magic_quotes_gpc()) {  </span></span></li>
<li><span>function stripslashes_deep($value)  </span></li>
<li class="alt"><span>{  </span></li>
<li>
<span>$</span><span class="attribute">value</span><span> = </span><span class="attribute-value">is_array</span><span>($value) ?  </span>
</li>
<li class="alt"><span>array_map('stripslashes_deep', $value) :  </span></li>
<li><span>stripslashes($value);  </span></li>
<li class="alt"><span>return $value;  </span></li>
<li><span>}  </span></li>
<li class="alt">
<span>$</span><span class="attribute">_POST</span><span> = </span><span class="attribute-value">array_map</span><span>('stripslashes_deep', $_POST);  </span>
</li>
<li>
<span>$</span><span class="attribute">_GET</span><span> = </span><span class="attribute-value">array_map</span><span>('stripslashes_deep', $_GET);  </span>
</li>
<li class="alt">
<span>$</span><span class="attribute">_COOKIE</span><span> = </span><span class="attribute-value">array_map</span><span>('stripslashes_deep', $_COOKIE);  </span>
</li>
<li><span>}  </span></li>
<li class="alt">
<span class="tag">?></span><span> </span>
</li>
</ol>
Copy after login

Here is another thing to mention about the processing of % when there is LIKE in the SQL statement, because addslashes does not escape %_. And these two characters do not need to be escaped in other SQL statements, so I compiled a function like_esc($value), which is only used when there is a LIKE statement.

For output to the web page first When using stripslashes, you also need to use htmlspecialchars to escape.

I now have a relatively lazy PHP escaping method that escapes everything transferred.

<ol class="dp-xml">
<li class="alt"><span><span>if (!get_magic_quotes_gpc()) {  </span></span></li>
<li><span>function addslashes_deep($value)  </span></li>
<li class="alt"><span>{  </span></li>
<li>
<span>$</span><span class="attribute">value</span><span> = </span><span class="attribute-value">is_array</span><span>($value) ? array_map('addslashes_deep', $value) : addslashes($value);  </span>
</li>
<li class="alt"><span>return $value;  </span></li>
<li><span>}  </span></li>
<li class="alt">
<span>$</span><span class="attribute">_POST</span><span> = </span><span class="attribute-value">array_map</span><span>('addslashes_deep', $_POST);  </span>
</li>
<li>
<span>$</span><span class="attribute">_GET</span><span> = </span><span class="attribute-value">array_map</span><span>('addslashes_deep', $_GET);  </span>
</li>
<li class="alt">
<span>$</span><span class="attribute">_COOKIE</span><span> = </span><span class="attribute-value">array_map</span><span>('addslashes_deep', $_COOKIE);  </span>
</li>
<li><span>}  </span></li>
</ol>
Copy after login


www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/446125.htmlTechArticleHow to correctly understand that there is a magic quote switch by default in PHP. If this switch is turned on, it will be transferred from the outside. $_GET, $_GET, $COOKIE will be escaped by PHP. For example: http://localhost/test...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template