How to handle PHP MAGIC_QUOTES_GPC correctly
Most PHP programs have this logic:
If the program finds that php.ini is not configured to automatically add escape slashes to the GPC variables, it adds the escape slashes to GPC itself.
But in fact, this is wrong, because it changes the original value of the GPC variables.
The reason for this legacy is that PHP programs often work with MySQL, and MySQL escapes special characters by adding escape slashes, but this is not necessarily the case for other databases such as mssql and oci.
If you are using a different type of database, such as mssql, oci or sybase, then adding an escape slash to the GPC is a mistake.
Further, what if the GPC data is not stored in the database at all, but is saved to the file system or forwarded to other programs? In that case this logic is a very serious error.
So, the right thing to do is:
1. At the PHP program entry, remove the escape slashes (if php.ini is configured to automatically add escape slashes).
2. When writing to MySQL, use mysql_real_escape_string instead of addcslashes to escape the variable, because the former is more secure than the latter (character set-related).
The DB class already takes this issue into account; see db_mysql.class.php for details and search for mysql_real_escape_string.
There are currently the following cases:
1. The php.ini of the Point mall is configured to automatically add escape slashes, so when user-submitted data is written to the cookie, the slashes must be removed in time.
2. In Discuz 6.0 of the forum, the special user name "頫" unexpectedly becomes "頫\" after addcslashes processing, followed by a slash, which is a Discuz 6 bug.
So, to summarize:
For system administrators, you should configure php.ini as follows:
magic_quotes_gpc=off
magic_quotes_runtime=off
magic_quotes_sybase=off
For PHP developers, the more accurate logic is:
1. Check whether the PHP environment is configured to automatically add escape slashes; if so, call stripslashes to remove the escape slashes from $_REQUEST, $_GET, $_POST and $_COOKIE.
2. When querying, writing or modifying data in MySQL, use mysql_real_escape_string to escape.
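The two developer steps above, as an added PHP example that is not part of the original page or of the DB class it mentions. The helper names (strip_gpc_slashes, magic_quotes_enabled, normalize_gpc, mysql_quote) are hypothetical and the sample input is constructed; mysql_quote is only defined, not called, because it needs a live connection from the legacy mysql extension.

```php
<?php
// Added example; helper names are hypothetical, sample input is constructed.

// Recursively remove escape slashes from a value or a nested array (keys included).
function strip_gpc_slashes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $key = is_string($k) ? stripslashes($k) : $k;
            $clean[$key] = strip_gpc_slashes($v);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only where the runtime still has magic quotes and php.ini enables them.
// get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists() guard.
function magic_quotes_enabled()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Step 1: call once at program entry, before any code reads the GPC variables.
function normalize_gpc()
{
    if (!magic_quotes_enabled()) {
        return; // values are already raw; stripping again would corrupt them
    }
    $_GET     = strip_gpc_slashes($_GET);
    $_POST    = strip_gpc_slashes($_POST);
    $_COOKIE  = strip_gpc_slashes($_COOKIE);
    $_REQUEST = strip_gpc_slashes($_REQUEST);
}

// Step 2: escape only at the MySQL sink, using the connection's character set.
// mysql_real_escape_string() belongs to the legacy mysql extension (removed in PHP 7.0).
function mysql_quote($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

normalize_gpc();

// Constructed sample: what magic_quotes_gpc would have placed in $_POST.
$escaped = array('name' => 'O\\\'Reilly', 'tags' => array('a\\"b'));
$raw = strip_gpc_slashes($escaped);
echo $raw['name'], "\n", $raw['tags'][0], "\n";
```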