Correctly understanding the true meaning of PHP escaping
By default, PHP has a "magic quotes" switch. If this switch is enabled, the $_GET, $_POST and $_COOKIE values passed in from outside are escaped by PHP.
For example:
http://localhost/test.php?test=1'
Then it is escaped automatically; when test.php runs the following, the output is as shown:
var_dump($_GET['test']);
========= Output ========
string(3) "1\'"
The ' has been prefixed with an escape backslash. But there is a problem here: when this value is printed to a web page, the backslashes show up on the screen. Another function, stripslashes, can be used to remove them.
The PHP manual's advice on escaping is that you should not enable magic quotes, because of its cost in efficiency. It does have one benefit, though: it is very safe for newcomers like me.
There are three ways to disable magic quotes. It cannot be turned off from PHP code at run time, that is, ini_set() cannot be used:
1. Set it in php.ini:
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
2. If you cannot modify the system php.ini, use .htaccess:
php_flag magic_quotes_gpc Off
3. Strip the slashes in PHP code; this is the least efficient method:
<?php
if (get_magic_quotes_gpc()) {
    // Remove the backslashes added by magic quotes, recursing into nested arrays
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
            array_map('stripslashes_deep', $value) :
            stripslashes($value);
        return $value;
    }
    $_POST   = array_map('stripslashes_deep', $_POST);
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
?>
One more point concerns handling % when the SQL statement contains LIKE: addslashes does not escape % and _, and those two characters need no escaping in other SQL statements, so I wrote a function like_esc($value) that is used only when there is a LIKE clause.
When sending a value to a web page, use stripslashes and then escape it with htmlspecialchars.
I now use a lazier PHP escaping method, which escapes every incoming value:
<?php
if (!get_magic_quotes_gpc()) {
    // Magic quotes is off, so add the backslashes ourselves, recursing into nested arrays
    function addslashes_deep($value)
    {
        $value = is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
        return $value;
    }
    $_POST   = array_map('addslashes_deep', $_POST);
    $_GET    = array_map('addslashes_deep', $_GET);
    $_COOKIE = array_map('addslashes_deep', $_COOKIE);
}
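The like_esc() function mentioned above is not shown on the page. The following is an added example, not the author's code, of how it can be written, together with a helper that returns the raw value whether or not magic quotes is on; the names raw_input and like_wildcards, the products table and the sample search term are assumptions.

```php
<?php
// Added example (not the author's code). raw_input and like_wildcards are assumed names.

// Return the request value in its raw, unescaped form whether or not
// magic_quotes_gpc is on, so later code sees a single input format.
function raw_input($value)
{
    if (is_array($value)) {
        return array_map('raw_input', $value);
    }
    // get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard;
    // on PHP 5.4 and later it always returns false.
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Escape the LIKE wildcards % and _ in a raw value. addslashes() handles quotes
// and backslashes but leaves these two alone, so a search for "50%" would
// otherwise also match "50 dollars" and "500". The backslash is used as the
// LIKE escape character and is stated explicitly with an ESCAPE clause below.
function like_wildcards($value)
{
    // Escape the escape character first, then the two wildcards.
    $value = str_replace('\\', '\\\\', $value);
    $value = str_replace('%', '\\%', $value);
    $value = str_replace('_', '\\_', $value);
    return $value;
}

// Full escaping for a LIKE pattern embedded in an SQL string literal:
// addslashes() doubles the backslashes again so the literal decodes back to
// exactly one backslash per escaped character.
function like_esc($value)
{
    return addslashes(like_wildcards($value));
}

// Constructed sample input: a search term containing a quote and both wildcards.
$term = raw_input("50%_o'neil");

// ESCAPE '\\\\' in this PHP string becomes ESCAPE '\\' in the SQL text, i.e. a single backslash.
$sql = "SELECT id FROM products WHERE name LIKE '%" . like_esc($term) . "%' ESCAPE '\\\\'";
echo $sql, "\n";
```

The wildcard escaping is still needed when the value is bound to a prepared-statement placeholder, because placeholders handle quoting but not LIKE metacharacters; in that case bind like_wildcards($term) without the addslashes step.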