A little understanding and analysis _php skills of PHP MAGIC_QUOTES_GPC

Blankyao said that "the process of learning is to constantly find mistakes, constantly correcting errors";

Let's see what the manual says!

For the average person, just take a look at the first two paragraphs.

Magic Quotes

Code:
Magic Quotes is a process this automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic quotes


Code:
When in, all ' (Single-quote), "(double quote), \ (backslash) and NULL characters are escaped with a backslash automatica Lly. This is identical to what addslashes () does.

There are three magic quote directives:
Magic_quotes_gpc

Code:
Affects HTTP Request data (GET, POST, and COOKIE). Cannot is set at runtime, and defaults into in PHP.
Magic_quotes_runtime

Code:
If enabled, most functions that return data from external source, including databases and text files, 'll have quotes Escaped with a backslash. Can is set at runtime, and defaults to out in PHP.
Magic_quotes_sybase

Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides MAGIC_QUOTES_GPC. Having both directives is enabled means only a single quotes are as '. Double quotes, backslashes and NULL ' s would remain untouched and unescaped.
Why Use Magic Quotes




1 Useful for Beginners

Magic quotes are implemented in PHP to help code written by beginners from being. Although SQL injection is still possible to magic on, the quotes is risk.

2Convenience

For inserting data into a database, magic quotes essentially runs Addslashes () to all get, Post, and Cookie data, and does So automagically.


Why not to use Magic quotes




1 portability

Code:
Assuming it to is on, or off, affects portability. Use GET_MAGIC_QUOTES_GPC () to check for this, and code accordingly.
2 Performance

Code:
Because not every piece of escaped the data is inserted to a database, there is a performance loss to escaping all this dat A. Simply calling on the escaping functions (like addslashes ()) at runtime is more efficient.

Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation was mainly due to performance reasons.
3 inconvenience

Code:
Because not all data needs escaping, it's often annoying to the escaped data where it shouldn ' t be. For example, emailing from a form, and seeing a bunch of \ ' within the email. To fix, the may require excessive the use of stripslashes ().
These English really need like me such people have enough patience ah (not to say that I have patience, but my English rotten), just said, for the general people only look at the first two paragraphs on it, especially the words I marked with red!!!

Also, it is particularly important to note that the magic reference occurs when the $_get,$_post,$_cookie is passed

Here is the case

Code:
1.
Conditions: Magic_quotes_gpc=off
The string written to the database has not been filtered. The string read from the database is also not processed.

Data: $data = "Snow", "Sun"; (There are four consecutive single quotes between snow and sun.)

Action: Writes the string: "Snow" "Sun" to the database,

Result: SQL statement error, MySQL can not successfully complete the SQL statement, write to the database failed.

Database save format: no data.

Output data format: no data.

Note: An unhandled single quote will cause an error in the SQL statement when writing to the database.

Code:
2.
Conditions: Magic_quotes_gpc=off
The string written to the database is processed by the function addslashes (). The string read from the database is not processed.

Data: $data = "Snow", "Sun"; (There are four consecutive single quotes between snow and sun.)

Action: Writes the string: "Snow" "Sun" to the database,

Result: SQL statement executed successfully, data written to database

Database save format: Snow ' sun (same as input)

Output data format: Snow ' sun (same as input)

Description: The Addslashes () function converts single quotes to \ ' escape characters to make the SQL statement execute successfully.
But \ ' is not stored as data in the database, the database is snow ' ' sun rather than our imagined snow\ ' \ ' Sun

Code:
3.
Conditions: Magic_quotes_gpc=on
The string written to the database has not been processed. The string read from the database is not processed.

Data: $data = "Snow", "Sun"; (There are four consecutive single quotes between snow and sun.)

Action: Writes the string: "Snow" "Sun" to the database,

Result: SQL statement executed successfully, data written to database

Database save format: Snow ' sun (same as input)

Output data format: Snow ' sun (same as input)

Description: Magic_quotes_gpc=on The escape character that converts single quotes to \ To successfully execute the SQL statement.
But \ ' not as data into the database, the database is snow ' ' sun rather than our imagined snow\ ' \ ' Sun.

Code:
4.
Conditions: Magic_quotes_gpc=on
The string written to the database is processed by the function addlashes (). The string read from the database is not processed.

Data: $data = "Snow", "Sun"; (There are four consecutive single quotes between snow and sun.)

Action: Writes the string: "Snow" "Sun" to the database,

Result: SQL statement executed successfully, data written to database

Database save format: snow\ ' \ ' \ ' Sun (added escape character)

Output data format: snow\ ' \ ' \ ' Sun (added escape character)

Description: Magic_quotes_gpc=on The escape character that converts single quotes to \ To successfully execute the SQL statement.
Addslashes also converts the single quotation mark that will be written to the database to \, whose conversion is written as data
Database, the database is saved by snow\ ' \ ' Sun
Summarized as follows:

1. For the magic_quotes_gpc=on situation,

We can not make string data for input and output databases
Addslashes () and Stripslashes (), the data is also displayed correctly.

If you addslashes () the input data at this time,
Then you must use Stripslashes () in the output to remove the extra backslash.

2. For the Magic_quotes_gpc=off situation

You must use Addslashes () to process the input data, but you do not need to use stripslashes () to format the output
Because Addslashes () did not write the backslash to the database, it only helped MySQL complete the execution of the SQL statement.

Add:

MAGIC_QUOTES_GPC scope is: Web Client service side; Action time: When a request starts, for example, when the script is running.
Magic_quotes_runtime scope: Data read from a file or executed as a result of exec () or from a SQL query; action time: Data generated every time the script accesses the running state