<------------------------------------------------->
How does PHP filter GET or POST parameters to prevent JS injection or HTML injection? Please provide a code reference. Thank you!
```php
<?php
// Recursively addslashes() every request value when magic quotes are off.
// Note: get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0.
if (!get_magic_quotes_gpc()) {
    !empty($_POST)    && Add_S($_POST);
    !empty($_GET)     && Add_S($_GET);
    !empty($_COOKIE)  && Add_S($_COOKIE);
    !empty($_SESSION) && Add_S($_SESSION);
}
// $_FILES is never touched by magic quotes, so it is escaped unconditionally.
!empty($_FILES) && Add_S($_FILES);

function Add_S(&$array)
{
    if (is_array($array)) {
        foreach ($array as $key => $value) {
            if (!is_array($value)) {
                $array[$key] = addslashes($value);
            } else {
                // Nested array (e.g. name[]=... inputs): recurse by reference.
                Add_S($array[$key]);
            }
        }
    }
}
```
To filter JS, you can directly replace the < and > characters in the variable contents. I won't write that out here.
<------------------------------------------------->
The role of the magic_quotes_gpc setting in PHP is to determine whether data that comes from user input, such as POST, GET and cookie data, is prefixed with the escape character "\", so that the data does not cause program errors, and in particular so that special characters do not pollute database statements and cause fatal errors.
When magic_quotes_gpc=on, if the input data contains characters such as single quotation marks ('), double quotation marks ("), backslashes (\) and NUL (the NULL character), they are all prefixed with a backslash. These escapes are necessary, and if this option is off, we must call the addslashes function ourselves to escape the string.
Because this option must be on, yet is left to the user to configure, this contradiction led to its removal in PHP6, and all programming then needs to be done with magic_quotes_gpc=off. In such an environment, if the user's data is not escaped, the result is not just a program error: it can also cause the database to be attacked through injection. So from now on, let's not rely on this setting being on, so that when someday your server needs to be updated to PHP6, your program will still work properly.
When magic_quotes_gpc=on, the function get_magic_quotes_gpc() returns 1; when magic_quotes_gpc=off, get_magic_quotes_gpc() returns 0.
Therefore, it can be seen that the purpose of get_magic_quotes_gpc() is to get the value of the environment variable magic_quotes_gpc. Now that the magic_quotes_gpc option is removed in PHP6, I think the function is no longer there in PHP6 either.
PHP checks, via get_magic_quotes_gpc(), whether the option is turned on so that we can easily decide whether to use the addslashes function.
The code is as follows:

```php
<?php
// Quote/escape a value for a SQL string literal according to its type.
function SQLString($c, $t)
{
    // Escape only when magic quotes did not already do it.
    $c = (!get_magic_quotes_gpc()) ? addslashes($c) : $c;
    switch ($t) {
        case 'text':
            $c = ($c != '') ? "'" . $c . "'" : 'NULL';
            break;
        case 'search':
            // LIKE pattern: wrap the value in % wildcards.
            $c = "'%" . $c . "%'";
            break;
        case 'int':
            $c = ($c != '') ? intval($c) : '0';
            break;
    }
    return $c;
}
```
The right way to prevent database attacks:

```php
<?php
function check_input($value)
{
    // Strip slashes added by magic quotes so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // If it is not a number, escape it and wrap it in quotes.
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Note: the mysql_* extension was removed in PHP 7.0.
$con = mysql_connect("localhost", "Hello", "321");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

// For secure SQL
$user = check_input($_POST['user']);
$pwd  = check_input($_POST['pwd']);

$sql = "SELECT * FROM Users WHERE User=$user AND Password=$pwd";
mysql_query($sql);
mysql_close($con);
?>
```
Introduction to PHP get_magic_quotes_gpc() function usage
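An added example, not code from any of the posts above, that carries the "right way" idea through for the JS/HTML question at the top and the check_input() database example at once, on current PHP: input is read raw (undoing magic quotes only where the interpreter still has them), HTML and inline-JS output is encoded per context instead of by <> replacement or addslashes(), and the Users lookup is done with a PDO prepared statement. The function names, the sample input and the in-memory SQLite table are my own assumptions.

```php
<?php
// Added example; not code from the posts above. Escaping belongs to the output
// context: addslashes()/magic quotes only target SQL string literals and do
// nothing for HTML or JavaScript, and PHP 8 has no magic quotes at all.
// Read a request value raw. The function_exists() guard keeps this runnable on
// PHP 8, where get_magic_quotes_gpc() no longer exists (legacy assumption).
function rawInput(array $source, string $key): string
{
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// HTML body or attribute context: encode & < > " ' rather than deleting <>.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Inline <script> context: a JSON literal with < > & ' " hex-escaped, so the
// value can never close the script element or break out of the string.
function forJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// SQL context: the same Users lookup as check_input(), but with placeholders;
// the driver sends the values separately, so no quoting or escaping is needed.
function findUser(PDO $db, string $user, string $pwd): ?array
{
    $stmt = $db->prepare('SELECT * FROM Users WHERE User = :u AND Password = :p');
    $stmt->execute([':u' => $user, ':p' => $pwd]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample standing in for $_POST, with an apostrophe, an ampersand
// and angle brackets, the characters each context treats differently.
$input = ['user' => "O'Brien & <Co>", 'pwd' => 'pw'];
$user  = rawInput($input, 'user');
$pwd   = rawInput($input, 'pwd');
$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is available
$db->exec('CREATE TABLE Users (User TEXT, Password TEXT)');
$db->exec("INSERT INTO Users VALUES ('O''Brien & <Co>', 'pw')");

echo 'HTML: ', forHtml($user), PHP_EOL;
echo 'JS:   ', forJs($user), PHP_EOL;
echo 'SQL:  ', findUser($db, $user, $pwd) ? 'row found' : 'no row', PHP_EOL;
```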