Some usages of magic_quotes_gpc function in php_PHP tutorial

WBOY
Release: 2016-07-20 10:59:22
Original
1427 people have browsed it

The magic_quotes_gpc method is based on your php.ini configuration. It is generated if magic_quotes_gpc is turned on. Its function is the same as addslashes. Let me introduce the usage of magic_quotes_gpc in detail. ​

After reading part of the thinksaas source code, I found that the data processing method from $_POST/$_GET is carried out through the function Add_S(), that is, magic_quotes_gpc is not enabled by default in the environment, so the submitted data is processed by addslashes().

I have always been confused about magic_quotes_gpc. I have also posted an article about magic_quotes_gpc before called "The correct relationship between magic_quotes_gpc and addslashes()?" 》, I’m going to talk about this issue again now because I want to understand this thing thoroughly. I have submitted this question on the thinksaas official website and am waiting for the reply. I will update the results to this article at that time.
Question 1: If the data in the data is to be read now, does stripslashes() need to be processed after reading to restore it to the original data state?

Question 2: I see that many other programs handle it in reverse, that is, if magic_quotes_gpc is turned on in the environment, stripslashes() is performed on the submitted data, and then htmlspecialchars() is performed on the data to replace those Regarding special symbols, I would like to ask which method is better, this method or the thinksaas method? I heard that magic_quotes_gpc will not be enabled by default in the future.

Typecho locomotive publishing interface, I use the method in question 2 to process the posted data. I don’t know if it is the best method?

Perform stripslashes() on the submitted data, and then perform htmlspecialchars() on the data - I don’t think this method has any advantages. Still better than TS. If it is a special website, such as Weibo or the like, with few formats, I think it would be best to just addlashed() and then store it directly in the database.
No one answered question 1, but I can answer it myself here. Regardless of whether magic_quotes_gpc is turned on or not, there is no need to perform stripslashes() processing after reading the data, because the data is not added with extra backslashes when saving.

magic_quotes_gpc summary

1. Processing method

Method 1: If magic_quotes_gpc is not enabled in the system environment, perform addslashes() processing on the submitted data.
Method 2: If magic_quotes_gpc is enabled in the system environment, perform stripslashes() processing on the submitted data, and finally perform htmlspecialchars() processing on the data to remove those special symbols.

2. The best way is as the brother said. For simple storage, just addlashed() and then store it. If you need to perform more complex processing on the string before storing it, you generally need to first Remove the backslash automatically added by magic_quotes_gpc, and then process the string. After processing, process it with addslashed() or htmlspecialchars(), and finally store it in the database. Although this is generally the case, methods must be adopted flexibly based on actual conditions.

Updated on 2012-10-21

The best way is to remove the backslash automatically added by magic_quotes_gpc, and then in the database operation class, addlashed() first and then add it to the database


Now let’s see what the official operation says


Let’s take a look at what the manual says first!

For most people, just read the first two paragraphs

Magic Quotes

Code:
Magic Quotes is a process that automatically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic Quotes


Code:
When on, all ' (single-quote), " (double quote), (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.

There are three magic quote directives:
magic_quotes_gpc

Code:
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
magic_quotes_runtime

Code:
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
magic_quotes_sybase

Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NULL's will remain untouched and unescaped.
Why use Magic Quotes


1 Useful for beginners

Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL Injection is still possible with magic quotes on, the risk is reduced.

2Convenience

For inserting data into a database, magic quotes essentially runs addslashes() on all Get, Post, and Cookie data, and does so automatically.


Why not to use Magic Quotes


1Portability

Code:
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
2Performance

Code:
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient.

Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
3Inconvenience

Code:
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of ' within the email. To fix, this may require excessive use of stripslashes( ).
These English words really require people like me to have enough patience (not that I have patience, but that my English is bad). As I said just now, for ordinary people, just read the first two paragraphs, especially when I use The words highlighted in red! ! !

Example

get_magic_quotes_gpc

Get the value of PHP environment variable magic_quotes_gpc.

Syntax: long get_magic_quotes_gpc(void);

Return value: long integer

Function type: PHP system function

Content Description


This function obtains the value of the variable magic_quotes_gpc (GPC, Get/Post/Cookie) set in the PHP environment. Returning 0 means turning off this function; returning 1 means turning this function on. When magic_quotes_gpc is enabled, all ' (single quote), " (double quote), '' (backslash) and null characters will be automatically converted to overflow characters containing backslash.

addslashes -- Use backslashes to quote strings

Description
string addslashes (string str)

Returns a string with backslashes added in front of certain characters for the purpose of database query statements, etc. These characters are single quote ('), double quote ("), backslash ('') and NUL (NULL character).

An example of using addslashes() is when you are entering data into a database. For example, inserting the name O'reilly into the database requires escaping it. Most databases use '' as the escape character: O'''reilly. This puts the data into the database without inserting extra '''s. When the PHP directive magic_quotes_sybase is set to on, it means that inserting ' will be escaped with '.

By default, the PHP instruction magic_quotes_gpc is on, which mainly automatically runs addslashes() on all GET, POST and COOKIE data. Do not use addslashes() on strings that have been escaped by magic_quotes_gpc, as this will result in double escaping. When encountering this situation, you can use the function get_magic_quotes_gpc() to detect it.

Example 1. addslashes() example

The code is as follows Copy code
 代码如下 复制代码

$str = "Is your name O'reilly?";

// 输出:Is your name O'''reilly?
echo addslashes($str);
?>

$str = "Is your name O'reilly?";


// Output: Is your name O'''reilly?

echo addslashes($str);
 代码如下 复制代码

function html($str) {
$str = get_magic_quotes_gpc()?$str:addslashes($str);
return $str;
}

?>
get_magic_quotes_gpc() This function obtains the value of the variable magic_quotes_gpc (GPC, Get/Post/Cookie) in the PHP environment configuration. Returning 0 means turning off this function; returning 1 means turning this function on. When magic_quotes_gpc is turned on, all ' (single quote), " (double quote), '' (backslash) and null characters will automatically be converted to overflow characters containing backslash.
The code is as follows Copy code
function html($str) { $str = get_magic_quotes_gpc()?$str:addslashes($str); return $str; }

The summary is as follows:

1. For PHP magic_quotes_gpc=on,

We can not do anything with the string data of the input and output databases
For the operations of addslashes() and stripslashes(), the data will be displayed normally.

If you perform addslashes() on the input data at this time,
Then you must use stripslashes() to remove excess backslashes when outputting.

2. For the case of PHP magic_quotes_gpc=off

You must use addslashes() to process the input data, but you do not need to use stripslashes() to format the output
Because addslashes() does not write the backslashes into the database, it just helps mysql complete the execution of the sql statement.


www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/445614.htmlTechArticlemagic_quotes_gpc method is based on your php.ini configuration. If magic_quotes_gpc is turned on, it will be generated. Its function is the same as addslashes are the same, let me introduce in detail about magic_...
Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template