Introduction to the usage of php get_magic_quotes_gpc() function

php What is the function of get_magic_quotes_gpc() function?

When I explained the difference between the php stripslashes() function and the addslashes() function earlier, I mentioned the get_magic_quotes_gpc() function, so what does this function do? This chapter will introduce some descriptions of the get_magic_quotes_gpc()

function and its related matters.

The get_magic_quotes_gpc function is used to determine whether slashes are added to the data provided by the user. This is in the php.ini configuration file. The get_magic_quotes_gpc() function is introduced in detail below.

get_magic_quotes_gpc function introduction

Get the value of the PHP environment variable magic_quotes_gpc, which is a PHP system function.

Syntax:

 long get_magic_quotes_gpc(void);

Return value: long integer

This function obtains the variable magic_quotes_gpc (GPC, Get/Post/Cookie) value. Returning 0 means turning off this function; returning 1 means turning this function on. When magic_quotes_gpc is turned on, all ' (single quotes), " (double quotes), (backslashes) and null characters will automatically be converted to overflow characters containing backslashes.

In the php configuration file There is a Boolean setting, magic_quotes_runtime. When it is turned on, most of PHP's functions automatically add backslashes to overflow characters in data imported from the outside (including databases or files). Of course, if they are given repeatedly. If you add a backslash to the overflow character, there will be multiple backslashes in the string, so you need to use set_magic_quotes_runtime() and get_magic_quotes_runtime() to set and detect the magic_quotes_runtime status in the php.ini file

. In order to make your program execute normally regardless of the server settings, you can use get_magic_quotes_runtime to detect the status of the setting at the beginning of the program to determine whether to process it manually, or use set_magic_quotes_runtime(0) at the beginning (or when automatic escaping is not required). Turn off this setting.

magic_quotes_gpc sets whether to automatically add backslashes to the '"\ in the data sent by GPC (get, post, cookie). You can use get_magic_quotes_gpc() to detect system settings. If this setting is not turned on, you can use the addslashes() function to add it. Its function is to add backslashes before certain characters when required in database query statements. These characters are single quote ('), double quote ("), backslash (\) and NUL (NULL character).

PS: Starting from PHP 5.3.0 Deprecated and removed from PHP 5.4.0. This option has been removed in PHP6, and all programming needs to be done under magic_quotes_gpc=Off. In such an environment, if the user's data is not escaped, the consequences are not only It's just a program error. The same will cause the risk of database injection attacks, so from now on, don't rely on this setting to be On, lest your server needs to be updated to PHP6 one day and your program will not work properly.

##Example

php determines whether the get_magic_quotes_gpc function is enabled, so that we can decide whether to use the addslashes function

.

function SQLString($c, $t){
 $c=(!get_magic_quotes_gpc())?addslashes($c):$c;
 switch($t){
  case 'text':
   $c=($c!='')?"'".$c."'":'NULL';
   break;
  case 'search':
   $c="'%%".$c."%%'";
   break;
  case 'int':
   $c=($c!='')?intval($c):'0';
   break;
 }
 return $c;
}

The correct way to use get_magic_quotes_gpc() to prevent database attacks

The code is as follows

<?php
function check_input($value)
{
// 去除斜杠
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// 如果不是数字则加引号
if (!is_numeric($value))
{
$value = “‘” . mysql_real_escape_string($value) . “‘”;
}
return $value;
}
$con = mysql_connect(“localhost”, “hello”, “321″);
if (!$con)
{
die(‘Could not connect: ‘ . mysql_error());
}
// 进行安全的 SQL
$user = check_input($_POST[&#39;user&#39;]);
$pwd = check_input($_POST[&#39;pwd&#39;]);
$sql = “SELECT * FROM users WHERE
user=$user AND password=$pwd”;
mysql_query($sql);
mysql_close($con);
?>

Summary: The function of get_magic_quotes_gpc() is to get the value of the environment variable magic_quotes_gpc. Remember to delete it in PHP6. The magic_quotes_gpc option is removed, so this function no longer exists in PHP6

[Related article recommendations]:

1.

php addslashes() function and stripslashes() function examples. Detailed explanation

2.

Detailed explanation of the difference between php stripslashes() function and addslashes() function

The above is the detailed content of Introduction to the usage of php get_magic_quotes_gpc() function. For more information, please follow other related articles on the PHP Chinese website!