PHP magic quotes

Source: Internet
Author: User
The security of PHP lies in its default configuration: php.ini-dist contains magic_quotes_gpc = On, which is called "magic quotes" and is very useful for PHP beginners, "although SQL injection is still possible when magic quotes are opened, at least the system risk is much reduced" (PHP Manual). However, magic quotes affect the portability of PHP code, and not all data escaped by magic quotes needs to be written into the database, which affects the execution efficiency of the program. It is better to use addslashes(), so php.ini-recommended sets magic_quotes_gpc = Off.

Here we use a function to determine whether magic_quotes_gpc is enabled, and then decide whether addslashes() is required. Of course, this check may itself affect efficiency.

The PHP system configuration file php.ini contains three magic quotes configuration options:

| Magic quotes configuration option | Description | Change at runtime | Default value in PHP |
|---|---|---|---|
| magic_quotes_gpc | If it is enabled, the HTTP request data (GET, POST, and COOKIE) is affected. | No | On |
| magic_quotes_runtime | If it is enabled, most functions that retrieve data from external sources and return it, including databases and text files, will have the returned data escaped with backslashes. (Prerequisite: magic_quotes_gpc = On) | Yes | Off |
| magic_quotes_sybase | When it is disabled, all ' (single quote), " (double quote), \ (backslash), and NULL characters are automatically escaped with a backslash. This works exactly the same as addslashes(). If it is enabled, single quotes are escaped with a single quote rather than a backslash. This option completely overrides magic_quotes_gpc. If both options are enabled at the same time, only single quotes are converted; double quotes, backslashes, and NULL characters are not escaped. (Prerequisite: magic_quotes_gpc = On) | Yes | Off |

From the table above, we can see that magic_quotes_runtime can be turned off in the program with ini_set('magic_quotes_runtime', 0), after which you can use your own methods to process data from databases or files.
Processing external (global) variables is more troublesome. The following code can be used. It neutralizes the effect of magic_quotes_sybase, but a backslash (\) is still added before quotation marks and other special characters so the data can be submitted to the MySQL database.
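<?php
// Backslash-escape external data once, whatever the magic quotes settings are.
function quotesOuterVars($var) {
    if (is_array($var)) {
        // Apply the same handling to every element (e.g. $_GET, $_POST, $_COOKIE)
        return array_map('quotesOuterVars', $var);
    } else {
        if (get_magic_quotes_gpc()) {
            // If magic_quotes_sybase = On, replace '' with ' and then addslashes
            if (ini_get('magic_quotes_sybase')) {
                $var = str_replace("''", "'", $var);
                $var = addslashes($var);
            }
            // Otherwise the data is already backslash-escaped; leave it as is
        } else {
            $var = addslashes($var);
        }
        return trim($var);
    }
}
?>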
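
The following added example (not part of the original article) emulates the magic quotes modes as described above, since current PHP versions no longer have them, and checks that the decision tree in quotesOuterVars() yields the same backslash-escaped value under each configuration; it also shows the double escaping that the check avoids. The function names emulateMagicQuotes and normalizeOuterVar and the sample input are assumptions made for illustration.

```php
<?php
// Added example: function names are hypothetical and the input is constructed.
// The settings are passed in as explicit flags instead of being read from
// php.ini, so the script runs on PHP versions without magic quotes.

// What magic_quotes_gpc = On does to a request value, as the article describes it.
function emulateMagicQuotes(string $raw, bool $sybase): string {
    return $sybase
        ? str_replace("'", "''", $raw)   // magic_quotes_sybase: ' becomes ''
        : addslashes($raw);              // otherwise the same as addslashes()
}

// Same decision tree as quotesOuterVars(), with the settings as parameters.
function normalizeOuterVar(string $var, bool $gpc, bool $sybase): string {
    if ($gpc) {
        if ($sybase) {
            // Undo the '' doubling, then backslash-escape
            $var = addslashes(str_replace("''", "'", $var));
        }
        // gpc on, sybase off: already backslash-escaped, leave it alone
    } else {
        $var = addslashes($var);
    }
    return trim($var);
}

$raw = "O'Reilly said \"hi\"";        // constructed sample input
$expected = addslashes($raw);         // the form wanted before the database call

$configs = [
    'gpc=Off'           => [false, false],
    'gpc=On'            => [true,  false],
    'gpc=On, sybase=On' => [true,  true],
];
foreach ($configs as $label => [$gpc, $sybase]) {
    // Value as the script would receive it under this configuration
    $received = $gpc ? emulateMagicQuotes($raw, $sybase) : $raw;
    $result = normalizeOuterVar($received, $gpc, $sybase);
    printf("%-18s received=%s normalized=%s %s\n", $label, $received, $result,
        $result === $expected ? 'OK' : 'MISMATCH');
}

// Failure mode the check avoids: escaping data that is already escaped,
// which stores literal backslashes in the database.
$double = addslashes(emulateMagicQuotes($raw, false));
printf("%-18s %s\n", 'double-escaped', $double);
```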
