Introduction to PHP GET_MAGIC_QUOTES_GPC () function usage

The role of the MAGIC_QUOTES_GPC function in PHP is to determine the parsing of user-submitted data, such as: Post, get, cookie-coming data to increase the escape character "\" to ensure that the data does not cause the program, In particular, database statements have fatal errors due to pollution caused by special characters.

In the case of magic_quotes_gpc=on, characters such as single quotation marks ('), double quotation marks ("), backslashes () and NUL (NULL characters) are added as backslashes if the input data is entered. These escapes are necessary, and if this option is off, then we must call the Addslashes function to add escape to the string.

It is because this option must be on, but let the user to configure the contradiction, in PHP6 removed this option , all programming needs to be done under the Magic_quotes_gpc=off. In such an environment, if the user's data is not escaped, the result is not just a program error. The same can cause the database to be injected into the attack . So from now on, let's not rely on this setting to on, so that someday your server needs to be updated to PHP6 and your program will not work properly.

When Magic_quotes_gpc=on, the function GET_MAGIC_QUOTES_GPC () returns 1

When Magic_quotes_gpc=off, the function get_magic_quotes_gpc () returns 0

Therefore, it can be seen that the function of GET_MAGIC_QUOTES_GPC () is to get the value of the environment variable MAGIC_QUOTES_GPC. Now that the MAGIC_QUOTES_GPC option is removed from the PHP6, I think the function in PHP6 is no longer there.

PHP determines whether the GET_MAGIC_QUOTES_GPC function is turned on to make it easier for us to decide whether to use the Addslashes function.

function SQLString ($c, $t)

{
$c = (!GET_MAGIC_QUOTES_GPC ())? Addslashes ($c): $c;
Switch ($t) {
Case ' text ':
$c = ($c! = ")?". $c. "'": ' NULL ';
Break
Case ' search ':
$c = "' percent". $c. " %%‘";
Break
Case ' int ':
$c = ($c! = ")? Intval ($c): ' 0 ';
Break
}
return $c;
}

The right way to prevent database attacks

function Check_input ($value)

{

Slash slash removal

if (GET_MAGIC_QUOTES_GPC ())

{

$value = Stripslashes ($value);

}

If it's not a number, enclose it.

if (!is_numeric ($value))

{

$value = "'". Mysql_real_escape_string ($value). “‘”;

}

return $value;

}

$con = mysql_connect ("localhost", "Hello", "321″");

if (! $con)

{

Die (' Could not connect: '. Mysql_error ());

}

Make Secure SQL

$user = check_input ($_post[' user ');

$pwd = Check_input ($_post[' pwd ");

$sql = "SELECT * FROM Users WHERE

User= $user and password= $pwd ";

mysql_query ($sql);

Mysql_close ($con);

?>