The magic_quotes_gpc method is based on your php.ini configuration. It is generated if magic_quotes_gpc is turned on. Its function is the same as addslashes. Let me introduce the usage of magic_quotes_gpc in detail.
After reading part of the thinksaas source code, I found that the data processing method from $_POST/$_GET is carried out through the function Add_S(), that is, magic_quotes_gpc is not enabled by default in the environment, so the submitted data is processed by addslashes().
I have always been confused about magic_quotes_gpc. I have also posted an article about magic_quotes_gpc before called "The correct relationship between magic_quotes_gpc and addslashes()?" 》, I’m going to talk about this issue again now because I want to understand this thing thoroughly. I have submitted this question on the thinksaas official website and am waiting for the reply. I will update the results to this article at that time.
Question 1: If the data in the data is to be read now, does stripslashes() need to be processed after reading to restore it to the original data state?
Question 2: I see that many other programs handle it in reverse, that is, if magic_quotes_gpc is turned on in the environment, stripslashes() is performed on the submitted data, and then htmlspecialchars() is performed on the data to replace those Regarding special symbols, I would like to ask which method is better, this method or the thinksaas method? I heard that magic_quotes_gpc will not be enabled by default in the future.
Typecho locomotive publishing interface, I use the method in question 2 to process the posted data. I don’t know if it is the best method?
Perform stripslashes() on the submitted data, and then perform htmlspecialchars() on the data - I don’t think this method has any advantages. Still better than TS. If it is a special website, such as Weibo or the like, with few formats, I think it would be best to just addlashed() and then store it directly in the database.
No one answered question 1, but I can answer it myself here. Regardless of whether magic_quotes_gpc is turned on or not, there is no need to perform stripslashes() processing after reading the data, because the data is not added with extra backslashes when saving.
magic_quotes_gpc summary
1. Processing method
Method 1: If magic_quotes_gpc is not enabled in the system environment, perform addslashes() processing on the submitted data.
Method 2: If magic_quotes_gpc is enabled in the system environment, perform stripslashes() processing on the submitted data, and finally perform htmlspecialchars() processing on the data to remove those special symbols.
2. The best way is as the brother said. For simple storage, just addlashed() and then store it. If you need to perform more complex processing on the string before storing it, you generally need to first Remove the backslash automatically added by magic_quotes_gpc, and then process the string. After processing, process it with addslashed() or htmlspecialchars(), and finally store it in the database. Although this is generally the case, methods must be adopted flexibly based on actual conditions.
Updated on 2012-10-21
The best way is to remove the backslash automatically added by magic_quotes_gpc, and then in the database operation class, addlashed() first and then add it to the database
Now let’s see what the official operation says
Let’s take a look at what the manual says first!
For most people, just read the first two paragraphs
Magic Quotes
Code:
Magic Quotes is a process that automatically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic Quotes
Code:
When on, all ' (single-quote), " (double quote), (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
There are three magic quote directives:
magic_quotes_gpc
Code:
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
magic_quotes_runtime
Code:
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
magic_quotes_sybase
Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NULL's will remain untouched and unescaped.
Why use Magic Quotes
1 Useful for beginners
Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL Injection is still possible with magic quotes on, the risk is reduced.
2Convenience
For inserting data into a database, magic quotes essentially runs addslashes() on all Get, Post, and Cookie data, and does so automatically.
Why not to use Magic Quotes
1Portability
Code:
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
2Performance
Code:
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient.
Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
3Inconvenience
Code:
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of ' within the email. To fix, this may require excessive use of stripslashes( ).
These English words really require people like me to have enough patience (not that I have patience, but that my English is bad). As I said just now, for ordinary people, just read the first two paragraphs, especially when I use The words highlighted in red! ! !
Example
get_magic_quotes_gpc
Get the value of PHP environment variable magic_quotes_gpc.
Syntax: long get_magic_quotes_gpc(void);
Return value: long integer
Function type: PHP system function
Content Description
This function obtains the value of the variable magic_quotes_gpc (GPC, Get/Post/Cookie) set in the PHP environment. Returning 0 means turning off this function; returning 1 means turning this function on. When magic_quotes_gpc is enabled, all ' (single quote), " (double quote), '' (backslash) and null characters will be automatically converted to overflow characters containing backslash.
addslashes -- Use backslashes to quote strings
Description
string addslashes (string str)
Returns a string with backslashes added in front of certain characters for the purpose of database query statements, etc. These characters are single quote ('), double quote ("), backslash ('') and NUL (NULL character).
An example of using addslashes() is when you are entering data into a database. For example, inserting the name O'reilly into the database requires escaping it. Most databases use '' as the escape character: O'''reilly. This puts the data into the database without inserting extra '''s. When the PHP directive magic_quotes_sybase is set to on, it means that inserting ' will be escaped with '.
By default, the PHP instruction magic_quotes_gpc is on, which mainly automatically runs addslashes() on all GET, POST and COOKIE data. Do not use addslashes() on strings that have been escaped by magic_quotes_gpc, as this will result in double escaping. When encountering this situation, you can use the function get_magic_quotes_gpc() to detect it.
Example 1. addslashes() example
The code is as follows | Copy code | ||||||||
|
The code is as follows | Copy code |
function html($str) { $str = get_magic_quotes_gpc()?$str:addslashes($str); return $str; } |
The summary is as follows:
1. For PHP magic_quotes_gpc=on,
We can not do anything with the string data of the input and output databases
For the operations of addslashes() and stripslashes(), the data will be displayed normally.
If you perform addslashes() on the input data at this time,
Then you must use stripslashes() to remove excess backslashes when outputting.
2. For the case of PHP magic_quotes_gpc=off
You must use addslashes() to process the input data, but you do not need to use stripslashes() to format the output
Because addslashes() does not write the backslashes into the database, it just helps mysql complete the execution of the sql statement.