Differences and usage of magic_quotes_gpc and magic_quotes_runtime

This article introduces the differences between magic_quotes_gpc and magic_quotes_runtime. If you need a friend, refer to \ "'in your data \"'
Such a character is useful when it is written to the database and is not filtered out. it is automatically added before these characters, such
China \ "haha"
China \ \ "haha"
You can use set_maginc_quotes_runtime (0) to disable it. of course, you can also directly set it in php. ini.
Get_magic_quotes_runtime () gets the value of the PHP environment variable magic_quotes_runtime.

Magic_quotes_gpc is on, which automatically runs addslashes () on all GET, POST, and COOKIE data (). Do not use addslashes () for strings that have been escaped by magic_quotes_gpc, because this causes double-layer escape. In this case, you can use the get_magic_quotes_gpc () function for detection.

Different

Set_magic_quotes_runtime () allows programmers to dynamically enable or disable magic_quotes_runtime in code,
Set_magic_quotes_runtime (1) indicates enabled, and set_magic_quotes_runtime (0) indicates disabled. When set_magic_quotes_runtime (1), the text read from the database or through functions such as fread will be automatically added to 'and \ to escape the backslash to prevent overflow. This is useful when transferring database data. However, in general, it should be disabled. Otherwise, the data single quotation marks, double quotation marks, and backslash read from the database will be added, leading to abnormal display. For example, Discuz and PHPWind add a set_magic_quotes_runtime (0) to the header of the public file, and forcibly disable magic_quotes_runtime.

Magic_quotes_gpc

Scope of Application: WEB client server;
Time: request start, for example, when the script is running.

Magic_quotes_runtime

Scope: obtained from the data read from the file, the exec () execution result, or the SQL query;
Time: each time the script accesses the data generated in the running state.

So

The value of magic_quotes_gpc will affect the data obtained through Get/Post/Cookies,
The value of magic_quotes_runtime will affect the data read from the file or the data queried from the database,
Magic_quotes_gpc is used to escape data transmitted through GET, POST, and COOKIE. generally, it must be escaped before data is imported into the database,
Magic_quotes_gpc cannot be dynamically enabled or disabled in the code. you need to go to php. ini and set magic_quotes_gpc to on or off,
In the code, you can use get_magic_quotes_gpc to obtain the status of magic_quotes_gpc.
When magic_quotes_gpc is off, you must manually perform addslashes on the data. the code is as follows:

The code is as follows:

If (! Get_magic_quotes_gpc ()){
New_addslashes ($ _ GET );
New_addslashes ($ _ POST );
New_addslashes ($ _ COOKIE );
}

Function new_addslashes ($ string ){
If (is_array ($ string )){
Foreach ($ string as $ key => $ value ){
$ String [$ key] = new_addslashes ($ value );
}
} Else {
$ String = addslashes ($ string );
}
Return $ string;
}

Another example:

The code is as follows:

$ Data1 = $ _ POST ['AAA'];
$ Data2 = implode(file('1.txt '));

If (get_magic_quotes_gpc ()){
// Write data $ data1 directly to the database
} Else {
$ Data1 = addslashes ($ data1 );
// Write data $ data1 to the database
}

If (get_magic_quotes_runtime ()){
// Write data $ data2 directly to the database
// The data read from the database must be output after a stripslashes () operation.
} Else {
$ Data2 = addslashes ($ data2 );
// Write data $ data2 to the database
// Directly output the data read from the database
}

++ ++

Experience Summary:

1. for GPC, whether magic_quotes_gpc (magic_quotes_gpc = On in php. ini) is enabled or not, magic_quotes_gpc is enabled to escape get, post, and cookie content. The procedure is as follows:
(From uchome system)

The code is as follows:

Function saddslashes ($ string ){
If (is_array ($ string )){
Foreach ($ string as $ key => $ val ){
$ String [$ key] = saddslashes ($ val );
}
} Else {
$ String = addslashes ($ string );
}
Return $ string;
}

// GPC filtering
$ Magic_quote = get_magic_quotes_gpc ();
If (empty ($ magic_quote )){
$ _ GET = saddslashes ($ _ GET );
$ _ POST = saddslashes ($ _ POST );
}

// COOKIE, escape the cookie value
$ Prelength = strlen ($ _ SC ['cookiepre']);
Foreach ($ _ COOKIE as $ key => $ val ){
If (substr ($ key, 0, $ prelength) == _ SC ['cookiepre']) {
$ _ SCOOKIE [(substr ($ key, $ prelength)] = empty ($ magic_quote )? Saddslashes ($ val): $ val;
}
}

2. for magic_quotes_runtime, We disable it in a unified manner, that is, set_magic_quotes_runtime (0). do not allow the single quotation marks, double quotation marks, and backslash of data read from the database to be automatically added \. In this way, perform the following operations on the database: before adding data to the database, we manually perform the addslashes () operation on the data, and when the data is retrieved from the database, perform the opposite operation, that is, stripslashes ().

3. keep raw data for the content to be serialized, that is, remove the escape character, stripslashes (), and save the serialized content to the database. (note, the serialized content does not contain single quotation marks ('), double quotation marks ("), or backslash (). The example is as follows:
$ Feedarr ['body _ data'] = serialize (stripslashes ($ body_data ));

++ ++

Is Function set_magic_quotes_runtime () is deprecated?

After installing PHPCMS, the Deprecated: Function set_magic_quotes_runtime () is deprecated error occurs. after checking the network and data, the set_magic_quotes_runtime () Function is removed after PHP5.3 and PHP6.0.
I can use the following alternative solution:

View sourceprint?
@ Set_magic_quotes_runtime (0 );

Or

View sourceprint?
Ini_set ("magic_quotes_runtime", 0 );

Or

View sourceprint?
If (phpversion () <'5. 3.0 '){
Set_magic_quotes_runtime (0 );
}