A little understanding and analysis of PHP magic_quotes_gpc and quoting

Source: Internet
Author: User
Blankyao said, "The process of learning is to constantly find mistakes, and constantly correct mistakes";
Let's see what the manual says!
For the average person, reading the first two paragraphs is enough.
Magic Quotes
Code:
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What is Magic Quotes
Code:
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
There are three magic quote directives:
magic_quotes_gpc
Code:
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
magic_quotes_runtime
Code:
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
magic_quotes_sybase
Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NULLs will remain untouched and unescaped.
Why use Magic Quotes
1. Useful for beginners
Magic quotes are implemented in PHP to help keep code written by beginners from being dangerous. Although SQL injection is still possible with magic quotes on, the risk is reduced.
2. Convenience
For inserting data into a database, magic quotes essentially runs addslashes() on all GET, POST and COOKIE data, and does so automagically.
Why not use Magic Quotes
1. Portability
Code:
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
2. Performance
Code:
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient.
Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
3. Inconvenience
Code:
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix this may require excessive use of stripslashes().
This English really needs a patient sort of person like me (not that I am patient, just that my English is poor). As I said, the average person only needs to read the first two paragraphs, especially the words I marked in red!!!
In addition, it is particularly important to note that magic quotes are applied when $_GET, $_POST and $_COOKIE are passed in.
Here are the cases:
Code:
1.
Condition: magic_quotes_gpc=off
The string written to the database has not been processed by any filter. The string read from the database has not been processed either.
Data: $data = "snow''''sun"; (there are four consecutive single quotes between snow and sun).
Action: write the string snow''''sun to the database.
Result: a SQL syntax error occurs; MySQL fails to complete the SQL statement and nothing is written to the database.
Database save format: no data.
Output data format: no data.
Description: an unhandled single quote causes an error in the SQL statement when it is written to the database.
Code:
2.
Condition: magic_quotes_gpc=off
The string written to the database is processed by the function addslashes(). The string read from the database has not been processed.
Data: $data = "snow''''sun"; (there are four consecutive single quotes between snow and sun).
Action: write the string snow''''sun to the database.
Result: the SQL statement executes successfully and the data is written to the database.
Database save format: snow''''sun (same as input)
Output data format: snow''''sun (same as input)
Description: the addslashes() function converts each single quote to the escape sequence \' so that the SQL statement executes successfully.
But \' is not stored as data in the database: the database saves snow''''sun, not the snow\'\'\'\'sun we might imagine.
Code:
3.
Condition: magic_quotes_gpc=on
The string written to the database has not been processed. The string read from the database has not been processed either.
Data: $data = "snow''''sun"; (there are four consecutive single quotes between snow and sun).
Action: write the string snow''''sun to the database.
Result: the SQL statement executes successfully and the data is written to the database.
Database save format: snow''''sun (same as input)
Output data format: snow''''sun (same as input)
Description: with magic_quotes_gpc=on, each single quote is converted to the escape sequence \' so that the SQL statement executes successfully.
But \' is not stored as data in the database: the database saves snow''''sun, not the snow\'\'\'\'sun we might imagine.
Code:
4.
Condition: magic_quotes_gpc=on
The string written to the database is processed by the function addslashes(). The string read from the database has not been processed.
Data: $data = "snow''''sun"; (there are four consecutive single quotes between snow and sun).
Action: write the string snow''''sun to the database.
Result: the SQL statement executes successfully and the data is written to the database.
Database save format: snow\'\'\'\'sun (escape characters added)
Output data format: snow\'\'\'\'sun (escape characters added)
Description: with magic_quotes_gpc=on, each single quote is converted to the escape sequence \' so that the SQL statement executes successfully.
addslashes() then escapes the string a second time, so the backslashes it adds are written to the database as data: the database saves snow\'\'\'\'sun.
Summarized as follows:
1. With magic_quotes_gpc=on,
we can skip addslashes() on the string data going into the database and stripslashes() on the data coming out, and the data will still be displayed normally.
If you do apply addslashes() to the input data in this case,
then you must use stripslashes() to remove the extra backslashes on output.
2. With magic_quotes_gpc=off,
the input data must be processed with addslashes(), but stripslashes() is not needed to format the output,
because addslashes() did not write the backslashes to the database; it only helped MySQL execute the SQL statement.
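The four cases and the summary above, worked through as an added example (not code from the original post). It models MySQL's handling of the escaped literal with stripslashes(), which is an assumption that holds for the characters addslashes() touches, and it shows the practical fix: undo magic quotes once so the script always sees raw input, then let a prepared statement do the quoting. Magic quotes were removed in PHP 5.4, so the get_magic_quotes_gpc() branch only matters on older interpreters.

```php
<?php
// Constructed sample input: four consecutive single quotes between snow and sun.
$raw = "snow''''sun";

// What magic_quotes_gpc=on does to $_GET/$_POST/$_COOKIE before the script runs.
function magicQuotes(string $value): string {
    return addslashes($value);
}

// Assumption: when an escaped literal is interpolated into an INSERT and parsed,
// MySQL consumes one level of backslash escaping; stripslashes() models that here.
function storedByMysql(string $escapedLiteral): string {
    return stripslashes($escapedLiteral);
}

// Cases 2 and 3: escaped exactly once, so the stored value equals the input.
$case2 = storedByMysql(addslashes($raw));              // snow''''sun
$case3 = storedByMysql(magicQuotes($raw));             // snow''''sun
// Case 4: magic quotes plus addslashes() escape twice, so backslashes are stored.
$case4 = storedByMysql(addslashes(magicQuotes($raw))); // snow\'\'\'\'sun
// Case 1: the unescaped quotes make this a syntax error (and the injectable path).
$case1 = "INSERT INTO t (v) VALUES ('$raw')";

// The fix, part 1: strip magic quotes once, recursively, so the script sees raw
// data no matter how php.ini is configured (only reachable on PHP < 5.4).
function undoMagicQuotes($value) {
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undoMagicQuotes($_GET);
    $_POST   = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
}

// The fix, part 2: bind the value instead of escaping by hand. The driver quotes
// it, so snow''''sun is stored exactly as entered, with no backslashes.
// Table and column names are assumed for illustration.
function insertValue(PDO $pdo, string $value): void {
    $stmt = $pdo->prepare('INSERT INTO t (v) VALUES (:v)');
    $stmt->execute([':v' => $value]);
}

printf("case2=%s case3=%s case4=%s\n", $case2, $case3, $case4);
```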
Addendum:
magic_quotes_gpc applies to: data from the web client to the server; it acts when the request starts, i.e. before the script runs.
magic_quotes_runtime applies to: data read from a file, returned by exec(), or obtained from a SQL query; it acts every time the script accesses data produced at runtime.

The above is a little understanding and analysis of PHP magic_quotes_gpc and quoting; I hope it is helpful to friends interested in PHP tutorials.
