& Nbsp; the security of PHP lies in its default configuration of php. the ini-dist contains magic_quotes_gpcOn, which is called "MagicQuote". it is very useful for PHP beginners, "although SQL injection is still possible when magic quotes are opened, at least the security of system PHP lies in its default configuration of php. the ini-dist contains a magic_quotes_gpc = On, which is called "Magic quotes" and is very useful for PHP beginners, "although SQL injection is still possible when magic quotes are opened, at least the system risk is much reduced" (PHP Manual ). However, PHP code portability is affected, and not every Data escaped by magic quotes needs to be written into the database, which affects the execution efficiency of the program, it is better to use addslashes (), so in
Magic_quotes_gpc = Off in php. ini-recommended.
Here we use a function to determine whether magic_quotes_gpc is enabled, and then determine whether addslashes () is required. of course, this may affect the efficiency.
The PHP System configuration file php. ini contains three magic quotation mark configuration options:
Magic quotes configuration options |
Description |
Change at runtime |
Default value in PHP |
Magic_quotes_gpc |
If it is enabled, the HTTP request data (GET, POST, and COOKIE) is affected ). |
NO |
On |
Magic_quotes_runtime |
If it is enabled, most of the functions that retrieve data from external sources and return data, including the database and text files, will be escaped by the backslash. (Prerequisite: magic_quotes_gpc = On) |
YES |
Off |
Magic_quotes_sybase |
When it is disabled, all (single quotes), "(double quotation marks), (backslash), and NULL characters will be automatically added with a backslash to escape. This works exactly the same as addslashes. If it is enabled, single quotes are used to escape single quotes rather than backslash. This option will completely overwrite magic_quotes_gpc. If two options are enabled at the same time, the single quotation marks will be converted. Double quotation marks, backslash, and NULL characters are not escaped. (Prerequisite: magic_quotes_gpc = On) |
YES |
Off |
From the table above, we can see that for magic_quotes_runtime, you can use ini_set (magic_quotes_runtime, 0) in the program to turn it off, and then you can use your own methods to process data from databases or files.
However, it is troublesome to process global variables from the outside. The following code is available. here, magic_quotes_sybase will be blocked, but a backslash () will be added before the quotation marks and other things for submission to the MySql database.
FunctionquotesOuterVars ($ var ){
If (is_array ($ var )){
Returnarray_map (quotesOuterVars, $ var );
} Else {
If (get_magic_quotes_gpc ()){
// If magic_quotes_sybase = On, replace it with and then addslashes
If (ini_get (magic_quotes_sybase )){
$ Var = str_replace ("", "", $ var );
$ Var = addslashes ($ var );
}
} Else {
$ Var = addslashes ($ var );
}
Returntrim ($ var );
}
}
?>