Magic_quotes_gpc function usage in php

The magic_quotes_gpc method is based on your php. ini configuration. If magic_quotes_gpc is enabled, it is generated. Its function is the same as that of addslashes. Next I will introduce the usage of magic_quotes_gpc in detail.

After reading some of the thinksaas source code, we found that the data processing method for $ _ POST/$ _ GET is implemented through the Add_S () function, that is, magic_quotes_gpc is not enabled by default in the environment, the addslashes () process the submitted data.

I have always been confused about magic_quotes_gpc. I have also posted an article on magic_quotes_gpc, "what is the correct relationship between magic_quotes_gpc and addslashes ()?", Now let's talk about this question again. I want to thoroughly understand it. I have already submitted this question on the thinksaas official website and will wait for a reply. Then I will update the result to this article.
Question 1: Do I have to perform stripslashes () processing after reading the data to restore the original data status?

Question 2: I think many other programs are in reverse processing. If magic_quotes_gpc is enabled in the environment, stripslashes () is used to process the submitted data, and htmlspecialchars () is used to process the data () to replace the special symbols, I would like to ask which method is better than thinksaas? I heard that magic_quotes_gpc will not be enabled by default.

For the typecho locomotive Release Interface, I used the method in question 2 to process post data. I don't know if it is the best method?

 

Use stripslashes () to process submitted data, and then use htmlspecialchars (). I don't think this method has any advantages. It is better than TS. If there are very few special websites, such as Weibo, and so on, I think it is best to simply add them to the database.
No one answered question 1, but I can answer it by myself here. No matter magic_quotes_gpc is enabled, no stripslashes () processing is required after reading data, because no additional backslash is added to the data during storage.

Magic_quotes_gpc Summary

1. Handling Method

Method 1: If magic_quotes_gpc is not enabled in the system environment, addslashes () processes the submitted data.
Method 2: If magic_quotes_gpc is enabled in the system environment, stripslashes () is used to process the submitted data, and htmlspecialchars () is used to remove the special symbols.

2. The best method is as the brother said. Simply put the database into the database directly addslashed () and then put it into the database. If you need to perform complicated processing on the string and then store it in the database, generally, remove the backslash automatically added by magic_quotes_gpc, and then process the string. After processing, addslashed () or htmlspecialchars () is processed, and the database is finally stored. Although this is generally the case, it is still necessary to adopt a flexible approach based on the actual situation.

Updated on February 21

The best way is to remove the backslash automatically added by magic_quotes_gpc, and then add addslashed () to all inbound operations in the database operation class before receiving the data.

Now let's take a look at what the official operation says.

Let's take a look at what I said in the manual!

For average people, just look at the first two paragraphs.

Magic Quotes

Code:
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic Quotes

Code:
When on, all' (single-quote), "(double quote), (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes () does.

There are three magic quote ctictives:
Magic_quotes_gpc

Code:
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
Magic_quotes_runtime

Code:
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
Magic_quotes_sybase

Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. if on, it completely overrides magic_quotes_gpc. having both directives enabled means only single quotes are escaped ''. double quotes, backslashes and NULL's will remain untouched and unescaped.
Why use Magic Quotes

 

1 Useful for beginners

Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL Injection is still possible with magic quotes on, the risk is already CED.

2 Convenience

For inserting data into a database, magic quotes essential tially runs addslashes () on all Get, Post, and Cookie data, and does so automagically.

Why not to use Magic Quotes

 

1 Portability

Code:
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc () to check for this, and code accordingly.
2 Performance

Code:
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. simply calling on the escaping functions (like addslashes () at runtime is more efficient.

Although php. ini-dist enables these ctictives by default, php. ini-recommended disables it. This recommendation is mainly due to performance reasons.
3 Inconvenience

Code:
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. for example, emailing from a form, and seeing a bunch of 'within the email. to fix, this may require excessive use of stripslashes ().
These English words really need patience like me (not to say that I am patient, but that I am poor at English, only the first two paragraphs can be viewed by ordinary people, especially the words marked with red !!!

Example

Get_magic_quotes_gpc

Obtain the value of magic_quotes_gpc in the PHP environment variable.

Syntax: long get_magic_quotes_gpc (void );

Return Value: Long Integer

Function Type: PHP System Function

Description

This function obtains the magic_quotes_gpc (GPC, Get/Post/Cookie) value set in the PHP environment. If the return value is 0, this function is disabled. If the return value is 1, this function is enabled. When magic_quotes_gpc is enabled, all '(single quotation marks),' (double quotation marks), '(backslash) and null characters are automatically converted to overflow characters containing the backslash.

Addslashes -- use a backslash to reference a string

Description
String addslashes (string str)

Returns a string that requires a backslash before certain characters for database query statements. These characters are single quotation marks ('), double quotation marks ("), backslash (''), and NUL (NULL character ).

An example of using addslashes () is when you want to input data into the database. For example, insert the name 'Reilly into the database, which requires escaping. Most databases use ''as the Escape Character: O '''reilly. In this way, the data can be put into the database without inserting additional ''. When the PHP Command magic_quotes_sybase is set to on, it means that when 'is inserted,' is used for escape.

By default, the PHP Command magic_quotes_gpc is on, which automatically runs addslashes () on all GET, POST, and COOKIE data (). Do not use addslashes () for strings that have been escaped by magic_quotes_gpc, because this causes double-layer escape. In this case, you can use the get_magic_quotes_gpc () function for detection.

Example 1. addslashes () Example

The Code is as follows:	Copy code
$ Str = "Is your name O 'Reilly? "; // Output: Is your name O ''' reilly? Echo addslashes ($ str ); ?>

Get_magic_quotes_gpc ()
This function gets the magic_quotes_gpc (GPC, Get/Post/Cookie) value of the variable configured in the PHP environment. If 0 is returned, this function is disabled. If 1 is returned, this function is enabled. When magic_quotes_gpc is enabled, all '(single quotation marks),' (double quotation marks), '(backslash) and null characters are automatically converted to overflow characters containing the backslash.

The Code is as follows:	Copy code
Function html ($ str ){ $ Str = get_magic_quotes_gpc ()? $ Str: addslashes ($ str ); Return $ str; }

Summary:

1. For PHP magic_quotes_gpc = on,

We may not use the string data of the input or output database
The operation of addslashes () and stripslashes () will also display the data normally.

If you perform addslashes () processing on the input data,
In this case, you must use stripslashes () to remove unnecessary backslash.

2. PHP magic_quotes_gpc = off

You must use addslashes () to process the input data, but you do not need to use stripslashes () to format the output.
Because addslashes () does not write the backslash together into the database, it only helps mysql to complete SQL statement execution.