1. What is the function of magic quotes?
Magic quotes were designed to automatically escape data coming from a database or file, and parameters received from a request: single quotes, double quotes, backslashes, and NULL each get a backslash added in front, which works exactly like addslashes().
2. What is the function of escaping?
Escaping lets data be received and read correctly so that SQL statements execute correctly. For example, suppose the front end sends a parameter, $para, and the back end runs a query by splicing that parameter into the SQL statement, in a form similar to
"SELECT * FROM TABLE WHERE FIELD1= $para AND FIELD2= 'xxx'"
If the argument contains a double quote, such as "value, then the SQL statement becomes
"SELECT * FROM TABLE WHERE FIELD1= "value AND FIELD2= 'xxx'"
We meant to execute the first statement, but the result is the second one, which is not what we want. The system has to be able to recognize the real start and end characters of the SQL statement, so the quote needs to be escaped. After escaping, the statement becomes
"SELECT * FROM TABLE WHERE FIELD1= \"value AND FIELD2= 'xxx'";
This executes the SQL statement as intended: it queries the table for the rows where FIELD1 is "value and FIELD2 is xxx.
3. Why was the magic quotes feature removed after PHP 5.4.0?
(1) Portability
When programming, you have to consider that whether the feature is on or off affects portability. You can use get_magic_quotes_gpc() to check whether it is on and program accordingly.
(2) Performance
Not every piece of escaped data is inserted into a database, so escaping all data that enters PHP has some impact on the program's execution efficiency. Calling an escape function (such as addslashes()) at run time is more efficient. Although php.ini-dist turns this option on by default, php.ini-recommended turns it off by default, primarily for performance reasons.
(3) Convenience
Because not all data needs to be escaped, it is annoying to see escaped data where escaping is not necessary. For example, sending a message through a form results in a lot of \'. For this problem, you can use the stripslashes() function.
4. php.ini related configuration
Magic quotes configuration option | Description | Changeable at run time | Default value in PHP
magic_quotes_gpc | If on, it affects HTTP request data (GET, POST, and COOKIE). | No | On
magic_quotes_runtime | If on, most functions that get data from external sources and return it, including from databases and text files, have that data escaped with backslashes. (If magic_quotes_gpc = on | No | Off
magic_quotes_sybase | " (double quotes), \ (backslash) and NULL characters are escaped by automatically adding a backslash. This is exactly the same as addslashes() magic_quotes_gpc NULL characters will not be escaped. magic_quotes_gpc = on | Yes | Off
set_magic_quotes_runtime() sets the current activation state of the magic_quotes_runtime configuration option: 0 turns it off, 1 turns it on. What does that mean? It can be understood like this: with set_magic_quotes_runtime(1), or with magic_quotes_runtime set to true in the configuration file (php.ini), when a PHP script reads a file or reads data from the database and encounters a backslash (\), a single quotation mark ('), a double quotation mark ("), or NULL, an escape character is automatically added in front, giving \\, \', \", \null. If it is turned off, with set_magic_quotes_runtime(0) or with magic_quotes_runtime set to false, nothing is escaped automatically, and you can use addslashes() to escape instead.
magic_quotes_gpc: when this value is 1, single quotes, double quotes and backslashes in the G ($_GET), P ($_POST) and C ($_COOKIE) data of the HTTP request are escaped, and vice versa. This is generally seen when form submissions are written to a database. If the value is 0, you can use addslashes() to escape the data before it goes into the database, and then use the stripslashes() function to remove the backslashes when the data is taken out again.
P.S. In PHP version 5.4, magic quotes are removed, so escaping requires adding a call to the addslashes() function.
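The following is an added example, not code from the original page. It handles the portability point above by undoing magic_quotes_gpc escaping only where an old runtime applied it, shows the addslashes()/stripslashes() round trip on the article's "value parameter, and then passes the raw value as a bound parameter so the quote never reaches the SQL text. It assumes PHP with the pdo_sqlite extension; raw_request_value() and the table name t are hypothetical.

```php
<?php
// Added example, not code from the original page. raw_request_value() and
// table t are hypothetical names; the input string is constructed.

// Portability: undo magic_quotes_gpc escaping only where an old runtime
// (before PHP 5.4) applied it, so later code always sees raw data.
function raw_request_value($value)
{
    if (is_array($value)) {
        return array_map('raw_request_value', $value);
    }
    // get_magic_quotes_gpc() no longer exists in PHP 8, hence the check.
    $on = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $on ? stripslashes($value) : $value;
}

// The article's parameter: a value that starts with a double quote.
$para = raw_request_value('"value');

// What magic quotes did automatically, and how stripslashes() reverses it.
$escaped = addslashes($para);
echo $escaped, "\n";
echo stripslashes($escaped), "\n";

// Bound parameters keep the value out of the SQL text, so the quote cannot
// end a string literal and no escaping step is needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (FIELD1 TEXT, FIELD2 TEXT)');
$db->prepare('INSERT INTO t (FIELD1, FIELD2) VALUES (?, ?)')
   ->execute(array($para, 'xxx'));

$query = $db->prepare('SELECT FIELD1 FROM t WHERE FIELD1 = ? AND FIELD2 = ?');
$query->execute(array($para, 'xxx'));

// The stored value comes back unmodified, with no stripslashes() call.
echo $query->fetchColumn(), "\n";
```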