Differences, functions, and usage of magic_quotes_gpc and magic_quotes_runtime in PHP

Source: Internet
Author: User

Magic quoting applies to data passed through $_GET, $_POST and $_COOKIE.
1.
Condition: magic_quotes_gpc = off
The string written to the database is not filtered in any way. The string read from the database is not processed.
Data: $data = "snow''''sun"; (four consecutive single quotes between snow and sun).
Operation: write the string "snow''''sun" to the database.
Result: an SQL statement error occurs; MySQL cannot complete the SQL statement and the write to the database fails.
Database storage format: no data.
Output data format: no data.
Note: writing unprocessed single quotes to the database causes an SQL statement error.
2.
Condition: magic_quotes_gpc = off
The string written to the database is processed by the addslashes() function. The string read from the database is not processed.
Data: $data = "snow''''sun"; (four consecutive single quotes between snow and sun).
Operation: write the string "snow''''sun" to the database.
Result: the SQL statement executes successfully and the data is written to the database.
Database storage format: snow''''sun (same as input)
Output data format: snow''''sun (same as input)
Note: the addslashes() function converts each single quote to the escaped form \' so that the SQL statement executes successfully.
However, the \ is not stored in the database as data: the database stores snow''''sun, not snow\'\'\'\'sun.
3.
Condition: magic_quotes_gpc = on
The string written to the database is not processed. The string read from the database is not processed.
Data: $data = "snow''''sun"; (four consecutive single quotes between snow and sun).
Operation: write the string "snow''''sun" to the database.
Result: the SQL statement executes successfully and the data is written to the database.
Database storage format: snow''''sun (same as input)
Output data format: snow''''sun (same as input)
Note: magic_quotes_gpc = on converts each single quote to the escaped form \' so that the SQL statement executes successfully.
However, the \ is not stored in the database as data: the database stores snow''''sun, not the snow\'\'\'\'sun we imagined.
4.
Condition: magic_quotes_gpc = on
The string written to the database is processed by the addslashes() function. The string read from the database is not processed.
Data: $data = "snow''''sun"; (four consecutive single quotes between snow and sun).
Operation: write the string "snow''''sun" to the database.
Result: the SQL statement executes successfully and the data is written to the database.
Database storage format: snow\'\'\'\'sun (escape characters added)
Output data format: snow\'\'\'\'sun (escape characters added)
Note: magic_quotes_gpc = on converts each single quote to the escaped form \' so that the SQL statement executes successfully.
addslashes() then converts the single quotes about to be written to the database into \' again, and this second conversion is written to the database as data.
The database stores snow\'\'\'\'sun.
Summary:
1. With magic_quotes_gpc = on,
the string data going into or out of the database can be left without
addslashes() or stripslashes() processing, and it will still display correctly.
If you do run addslashes() on the input data in this case,
you must use stripslashes() on output to remove the extra backslashes.
2. With magic_quotes_gpc = off,
you must use addslashes() to process the input data, but you do not need stripslashes() to format the output,
because addslashes() does not write the backslashes into the database; it only helps MySQL complete the SQL statement.
Supplement:
magic_quotes_gpc: scope: data sent from the web client to the server; time: when the request starts, for example when the script begins running.
magic_quotes_runtime: scope: data read from a file, the result of exec(), or the result of an SQL query; time: each time the script accesses data generated at run time.
============== magic_quotes_gpc and magic_quotes_runtime
PHP provides two magic quote settings for escaping data automatically: magic_quotes_gpc and magic_quotes_runtime. When one of them is set to On in php.ini, single quotes, double quotes and backslashes in the data it covers are automatically prefixed with a backslash, escaping these characters for us so that data operations run correctly. However, depending on the PHP version or server configuration, magic_quotes_gpc and magic_quotes_runtime are On on some servers and Off on others, so the programs we write must work in both cases. So what is the difference between magic_quotes_gpc and magic_quotes_runtime? See the following description:
magic_quotes_gpc
Scope: data sent from the web client to the server;
Time: when the request starts, for example when the script begins running.
magic_quotes_runtime
Scope: data read from a file, the result of exec(), or data obtained from an SQL query;
Time: each time the script accesses data generated at run time.
Therefore:
The value of magic_quotes_gpc affects data obtained through Get/Post/Cookies.
The value of magic_quotes_runtime affects data read from a file or queried from the database.
Example:

<?php
/* Enter quote characters in the form. If magic_quotes_gpc is off, they are not escaped with a backslash. */
// htmlspecialchars() keeps the posted value from being rendered as markup when echoed
echo 'The value passed through POST is: ', htmlspecialchars($_POST['str'], ENT_QUOTES), '<br />';

if (get_magic_quotes_gpc()) { // magic_quotes_gpc is on: the input is already escaped
    $str = $_POST['str'];
} else {                      // magic_quotes_gpc is off: escape with addslashes()
    $str = addslashes($_POST['str']);
}

echo 'The escaped value is: ', htmlspecialchars($str, ENT_QUOTES), '<br />';
$sql = "INSERT INTO lastnames (lastname) VALUES ('$str')";

// ====================================================================
// ----- magic_quotes_gpc only escapes data obtained through Get/Post/Cookies
// ----- magic_quotes_runtime escapes data read from a file, the result of exec(), or data obtained from an SQL query
// ====================================================================
$data = implode('', file('try.php')); // try.php also contains quote characters for the test
echo 'Here is the data of try.php: ';
if (get_magic_quotes_runtime()) {
    // magic_quotes_runtime is on: $data was escaped by the system when it was read
    echo 'escaped by the system: ', $data;
} else {
    $data = addslashes($data);
    echo 'escaped by addslashes(): ', $data;
}

$sql = "INSERT INTO lastnames (lastname) VALUES ('$data')";
echo '<br />The SQL statement is: <br />', $sql;
// --- The data is escaped when it is written to the database, but the extra backslashes are not wanted;
// --- use stripslashes() to remove them when reading the original data back.
// --- stripslashes() and addslashes() have opposite effects.
?>


The most important difference is the two points mentioned above: the two settings process different data.
The value of magic_quotes_gpc affects data obtained through Get/Post/Cookies.
The value of magic_quotes_runtime affects data read from a file or queried from the database.
Here are a few related functions:
set_magic_quotes_runtime():
Sets the value of magic_quotes_runtime. 0 = off, 1 = on. The default is off. You can use echo phpinfo() to view magic_quotes_runtime.
get_magic_quotes_gpc():
Returns the value of magic_quotes_gpc. 0 = off, 1 = on.
get_magic_quotes_runtime():
Returns the value of magic_quotes_runtime. 0 = off, 1 = on.
Note that the value of magic_quotes_gpc cannot be set from within the program.
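
An added example, not code from the original article: it sends the article's test string through PDO bound parameters (a technique the article does not cover) and shows that escaping applied on top of a layer that already handles quoting ends up stored as data, as in case 4. It assumes the pdo_sqlite extension with an in-memory database; raw_input_value() and store_and_read() are hypothetical helper names, and the code avoids PHP 7 syntax so the magic-quotes guard also runs on the old PHP versions that still have the setting.

```php
<?php
// Added example (not from the original article). Assumes pdo_sqlite.
// The table name follows the article; the helper names are hypothetical.

// Return request input with no escaping applied, whatever the server setting.
// get_magic_quotes_gpc() no longer exists in PHP 8, so the call is guarded.
function raw_input_value($value)
{
    $gpcOn = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $gpcOn ? stripslashes($value) : $value;
}

// Store a value through a bound parameter and read back what was stored.
function store_and_read(PDO $db, $value)
{
    $db->exec('DELETE FROM lastnames');
    $stmt = $db->prepare('INSERT INTO lastnames (lastname) VALUES (:name)');
    $stmt->execute(array(':name' => $value));
    return $db->query('SELECT lastname FROM lastnames')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lastnames (lastname TEXT)');

// The article's test string: four single quotes between snow and sun.
$data = "snow''''sun";

// Bound parameter, no escaping: the quotes never become part of the SQL text.
$plain = store_and_read($db, raw_input_value($data));

// addslashes() on top of a layer that already handles quoting (the pattern
// of the article's case 4): the backslashes are stored as data.
$doubled = store_and_read($db, addslashes($data));

echo 'bound, unescaped:    ', $plain, "\n";
echo 'bound + addslashes:  ', $doubled, "\n";
echo 'after stripslashes:  ', stripslashes($doubled), "\n";
```

The first line printed is the input unchanged, the second carries a backslash before every quote, and the third shows stripslashes() undoing it. magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, which is why the call is guarded with function_exists().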
