PHP magic quotes: automatic escaping with magic_quotes_gpc and magic_quotes_runtime
PHP provides two magic quotes settings for incoming data: magic_quotes_gpc and magic_quotes_runtime. When one of them is set to on in the INI file, a backslash \ is automatically added before single quotation marks, double quotation marks and backslashes in the affected data, so that these symbols are escaped for us and data operations run correctly. However, across different PHP versions and server configurations, magic_quotes_gpc and magic_quotes_runtime are on in some places and off in others, so a program must handle both the on and the off case. So what are the differences between magic_quotes_gpc and magic_quotes_runtime?
Let's talk about it below:
magic_quotes_gpc
Scope: data sent from the web client to the server;
Time: at the start of the request, for example when the script starts running.
magic_quotes_runtime
Scope: data read from a file, the result of exec(), or data obtained from an SQL query;
Time: each time the script accesses data generated while it is running.
So:
The value of magic_quotes_gpc affects the data obtained through get/post/cookies.
The value of magic_quotes_runtime will affect the data read from the file or the data queried from the database.
Example:
<form action="" method="post">
STR: <input type="text" name="str">
<input type="submit">
</form>
<?php
/* Fill in the form with '"\ . If magic_quotes_gpc is not enabled, they will not be escaped with a backslash */
$input = isset($_POST['str']) ? $_POST['str'] : ''; // empty until the form has been submitted
echo 'the value passed through post is: ', $input, "\n";
if (get_magic_quotes_gpc()) { // check whether magic_quotes_gpc is enabled. If not, use addslashes to escape
    $str = $input;
} else {
    $str = addslashes($input);
}
echo 'escaped here: ', $str, ' <hr/> ';
$sql = "insert into lastnames (lastname) values ('$str')";
// ==========================================================================
// ----- magic_quotes_gpc only escapes: data obtained through get/post/cookies
// ----- magic_quotes_runtime escapes: data read from a file, the result of exec(), or data obtained from an SQL query
// ==========================================================================
$data = implode('', file('try.php')); // try.php again contains the characters '"\ for the test
echo 'here is the data of try.php, ';
if (get_magic_quotes_runtime()) {
    // magic_quotes_runtime is on: file() has already escaped the data
    echo 'escaped by the system: ' . $data;
} else {
    $data = addslashes($data);
    echo 'escaped by addslashes: ' . $data;
}
$sql = "insert into lastnames (lastname) values ('$data')";
echo "\nThe SQL statement is:\n", $sql;
// --- The data is escaped when it is stored in the database, but the extra backslashes are unnecessary afterwards. Use stripslashes() to remove them when reading the original data back.
// --- stripslashes() and addslashes() have the opposite effect
?>
The most important difference is the one described in the two points above: the two settings act on different data.
The value of magic_quotes_gpc affects the data obtained through get/post/cookies.
The value of magic_quotes_runtime will affect the data read from the file or the data queried from the database.
Here are a few related functions:
set_magic_quotes_runtime():
Sets the value of magic_quotes_runtime. 0 = off, 1 = on. It is off by default. You can use echo phpinfo() to view magic_quotes_runtime.
get_magic_quotes_gpc():
Returns the value of magic_quotes_gpc. 0 = off, 1 = on.
get_magic_quotes_runtime():
Returns the value of magic_quotes_runtime. 0 = off, 1 = on.
Note that the value of magic_quotes_gpc cannot be set from within the program.
========================================================== ====================
Use stripslashes to remove the escape characters and use addslashes to add them.
string addslashes(string str) returns a string with backslashes added before the characters that need escaping in, for example, database query statements. These characters are the single quotation mark ('), the double quotation mark ("), the backslash (\) and NUL (the null character). stripslashes does the opposite.
Quotation marks in data often need to be escaped when working with MySQL and with GET and POST data. PHP has three settings for automatically escaping ' (single quote), " (double quote), \ (backslash) and null characters. PHP calls this magic quotes. The three settings are:
magic_quotes_gpc
Affects HTTP request data (GET, POST, and COOKIE). It cannot be changed at runtime. In PHP, the default value is on.
magic_quotes_runtime
If enabled, most functions that retrieve data from external sources and return it, including data from databases and text files, will have that data escaped with backslashes. This option can be changed at runtime. The default value in PHP is off.
magic_quotes_sybase
If enabled, a single quotation mark is escaped with another single quotation mark rather than with a backslash. This option completely overrides magic_quotes_gpc. If both options are enabled at the same time, only single quotation marks are escaped, as ''. Double quotation marks, backslashes, and null characters are not escaped.
Although automatic escaping of special symbols is convenient, it reduces program efficiency and makes the program harder to port. When you do not know the server's INI settings, you also need to call get_magic_quotes_gpc(), get_magic_quotes_runtime() or ini_get() to check the status.
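The portability check described above, as an added example that is not part of the original article: it detects magic_quotes_gpc, strips the automatic backslashes so the program always works with the raw value, and hands that value to the database as a bound parameter instead of through addslashes(). The helper names (undo_magic_quotes, magic_quotes_gpc_active, raw_post), the sample input and the in-memory SQLite database opened through PDO are assumptions made for the illustration; the version check reflects that magic quotes were removed in PHP 5.4.

```php
<?php
// Added example, not from the original article. Helper names are hypothetical.

// Recursively undo magic-quote escaping on a request value (array keys included).
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[is_string($k) ? stripslashes($k) : $k] = undo_magic_quotes($v);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only where magic quotes can exist (PHP before 5.4) and the setting is on.
// The version test comes first so get_magic_quotes_gpc() is never called on
// releases where it is deprecated or removed.
function magic_quotes_gpc_active()
{
    return version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc();
}

// Return the raw POST value, whatever the server's INI setting is.
function raw_post($name, $default = '')
{
    if (!isset($_POST[$name])) {
        return $default;
    }
    return magic_quotes_gpc_active() ? undo_magic_quotes($_POST[$name]) : $_POST[$name];
}

// Constructed sample input standing in for a submitted form field.
$_POST['str'] = "O'Brien \"x\"";
$lastname = raw_post('str');

// Bind the raw value as a parameter; the driver keeps data and SQL separate,
// so no addslashes() call and no stripslashes() on read-back are needed.
$pdo = new PDO('sqlite::memory:'); // assumption: the pdo_sqlite extension is loaded
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE lastnames (lastname TEXT)');
$stmt = $pdo->prepare('INSERT INTO lastnames (lastname) VALUES (?)');
$stmt->execute(array($lastname));

// The stored value is byte-for-byte the raw input.
$stored = $pdo->query('SELECT lastname FROM lastnames')->fetchColumn();
var_dump($stored === $lastname);
```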