A little understanding and analysis of quotes php magic_quotes_gpc

blankyao said, “The process of learning is to constantly discover mistakes and constantly correct them”;
Let’s read what the manual says first!
For ordinary people, just read the first two paragraphs
Magic Quotes
Code:
Magic Quotes is a process that automatically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic Quotes
Code:
When on, all ' (single-quote), " (double quote), (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes () does.
There are three magic quote directives:
magic_quotes_gpc
Code:
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
magic_quotes_runtime
Code:
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
magic_quotes_sybase
Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NULL's will remain untouched and unescaped.
Why use Magic Quotes
１　Useful for beginners
Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL Injection is still possible with magic quotes on, the risk is reduced.
２Convenience
For inserting data into a database, magic quotes essentially runs addslashes() on all Get, Post, and Cookie data, and does so automatically.
Why not to use Magic Quotes
１　Portability
Code:
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
２　Performance
code:
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient.
Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
３　Inconvenience
Code:
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of ' within the email. To fix, this may require excessive use of stripslashes() .
These English words really require people like me to have enough patience (not that I have patience, but my English is bad). As I said just now, for ordinary people, just read the first two paragraphs, especially The words I highlighted in red! ! !
In addition, special attention is paid to the fact that magic quotes take effect when passing $_GET, $_POST, $_COOKIE
The following is the case
Code:
1.
Condition: magic_quotes_gpc=off
The string written to the database has not passed any Filtration processing. The string read from the database is not processed in any way.
Data: $data="snow''''sun"; (There are four consecutive single quotes between snow and sun).
Operation: Write the string: "snow''''sun" into the database,
Result: A SQL statement error occurred. MySQL could not successfully complete the SQL statement and failed to write to the database.
Database saving format: No data.
Output data format: No data.
Note: Unprocessed single quotes will cause SQL statement errors when written to the database.
Code:
2.
Condition: magic_quotes_gpc=off
The string written to the database is processed by the function addslashes(). The string read from the database is not processed in any way.
Data: $data="snow''''sun"; (There are four consecutive single quotes between snow and sun).
Operation: Write the string: "snow''''sun" into the database,
Result: The sql statement was successfully executed and the data was successfully written to the database
Database saving format: snow''''sun (same as input)
Output data format: snow''''sun (same as input)
Instructions: addslashes() The function converts single quotes into 'escape characters so that the sql statement can be successfully executed.
But ' is not stored as data in the database. The database saves snow''''sun and not the snow''''sun we imagined.
Code:
3.
Condition: magic_quotes_gpc=on
The string written to the database is not processed in any way. The string read from the database is not processed in any way.
Data: $data="snow''''sun"; (There are four consecutive single quotes between snow and sun).
Operation: Write the string: "snow''''sun" into the database,
Result: The sql statement was successfully executed and the data was successfully written into the database
Database saving format: snow''''sun (same as input)
Output data format: snow''''sun (same as input)
Description: magic_quotes_gpc=on Converting single quotes to ' escape characters allows the sql statement to be executed successfully,
but ' is not entered into the database as data, and the database saves snow''''sun instead of the snow''''sun we imagined.
Code:
4.
Condition: magic_quotes_gpc=on
The string written to the database is processed by the function addlashes(). The string read from the database is not processed in any way.
Data: $data="snow''''sun"; (There are four consecutive single quotes between snow and sun).
Operation: Write the string: "snow''''sun" into the database,
Result: The sql statement was executed smoothly and the data was successfully written into the database.
Database saving format: snow''''sun (with escape characters added)
Output data format: snow''''sun (with escape characters added)
Description : magic_quotes_gpc=on converts single quotes into 'escape characters so that the sql statement can be successfully executed.
addslashes converts the single quotes that are about to be written into the database into '. The latter conversion is written into the database as data and is saved in the database. It is snow''''sun
The summary is as follows:
1. For the case of magic_quotes_gpc=on,
We can not perform
addslashes() and stripslashes() operations on the string data of the input and output database, and the data will be displayed normally. .
If you perform addslashes() on the input data at this time,
then you must use stripslashes() to remove excess backslashes when outputting.
2. For the case of magic_quotes_gpc=off
you must use addslashes() to process the input data, but you do not need to use stripslashes() to format the output
because addslashes() does not write the backslashes together into the database, it is just a help mysql completes the execution of the sql statement.
Supplement:
magic_quotes_gpc Scope of action is: WEB client server; Action time: When the request starts, such as when the script is running.
magic_quotes_runtime Scope: Data read from a file or the result of executing exec() or obtained from a SQL query; Time of action: Every time the script accesses data generated in the running state
The above introduces some understanding and analysis of quotes php magic_quotes_gpc, including the content of quotes. I hope it will be helpful to friends who are interested in PHP tutorials.