The magic_quotes_gpc setting is controlled by your php.ini configuration; when it is turned on, its effect is the same as addslashes(). Below is a detailed introduction to how magic_quotes_gpc is used.
While reading part of the ThinkSAAS source code, I found that $_POST/$_GET data is processed through the function add_s(): that is, when the environment does not have magic_quotes_gpc turned on, the submitted data is passed through addslashes().
I have always been puzzled by magic_quotes_gpc, and I previously wrote the article "The correct relationship between magic_quotes_gpc and addslashes()?". I am raising the problem again now in order to understand it thoroughly. I have submitted this question on the ThinkSAAS website and am waiting for an answer; I will update this article with the results.
Question 1: When the data is read back from the database, is it not passed through stripslashes() after reading, in order to restore it to its original state?
Question 2: I see that many other programs do the reverse: if the environment has magic_quotes_gpc turned on, the submitted data is passed through stripslashes(), and then through htmlspecialchars() to replace those special symbols. Which is better, this method or the ThinkSAAS method? I have heard that magic_quotes_gpc will no longer be on by default later.
For the Typecho Locomotive publishing interface, I handle the POST data with the method in question 2; I do not know whether it is the best way.
Applying stripslashes() to the submitted data and then htmlspecialchars() to it: I do not think this method has any merit. It's better than TS. For special sites with very little formatting, such as microblogs, I think addslashes() alone is enough, and then storing the data directly is best.
No one answered question 1, but I can answer it myself here: regardless of whether magic_quotes_gpc is on or off, no stripslashes() processing is needed after reading the data, because the extra backslashes are not stored with the data when it is saved.
magic_quotes_gpc summary
1. Treatment methods
Method one: if the system environment does not have magic_quotes_gpc turned on, the submitted data is passed through addslashes().
Method two: if the system environment has magic_quotes_gpc turned on, the submitted data is passed through stripslashes(), and finally through htmlspecialchars() to replace those special symbols.
2. The best method: as the brother said, for simple storage, apply addslashes() and store the data directly. If more complex string processing is needed before storage, it is generally necessary to first remove the backslashes that magic_quotes_gpc added automatically, then process the string, then apply addslashes() or htmlspecialchars(), and finally store it. Although this is the general case, the method should still be chosen flexibly according to the actual situation.
2012-10-21 update
The best way is to remove the backslashes that magic_quotes_gpc added automatically, and then, in the database operation class, apply addslashes() to everything before it is stored.
Now, let's see what the official manual says!
For the average person, the first two paragraphs are enough.
Magic Quotes
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic Quotes
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
There are three magic quote directives:
magic_quotes_gpc
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
magic_quotes_runtime
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
magic_quotes_sybase
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NULLs will remain untouched and unescaped.
Why use Magic Quotes
1. Useful for beginners
Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL injection is still possible with magic quotes on, the risk is reduced.
2. Convenience
For inserting data into a database, magic quotes essentially runs addslashes() on all GET, POST, and COOKIE data, and does so automagically.
Why not to use Magic Quotes
1. Portability
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
2. Performance
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling the escaping functions (like addslashes()) at runtime is more efficient.
Although php.ini-dist enables these directives by default, php.ini-recommended disables them. This recommendation is mainly due to performance reasons.
3. Inconvenience
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix this, excessive use of stripslashes() may be required.
Reading this English really takes a lot of patience for someone like me (not that I am patient, my English is just poor). As I said, the average person only needs to look at the first two paragraphs, especially the words I marked in red!
Examples
get_magic_quotes_gpc
Gets the value of the PHP environment variable magic_quotes_gpc.
Syntax: long get_magic_quotes_gpc(void);
Return value: long integer
Function type: PHP system function
Content description
This function obtains the value of the variable magic_quotes_gpc (GPC: Get/Post/Cookie) set in the PHP environment. A return value of 0 means the feature is turned off, and 1 means it is turned on. When magic_quotes_gpc is turned on, all ' (single quote), " (double quote), \ (backslash) and null characters are automatically escaped with a backslash.
addslashes -- quote a string with backslashes
Description
string addslashes(string str)
Returns a string with backslashes added before the characters that need to be escaped in database queries and similar contexts. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL character).
An example use of addslashes() is when you are entering data into a database. For example, to insert the name O'Reilly into a database, it needs to be escaped. Most databases use \ as the escape character: O\'Reilly. This gets the data into the database without inserting the extra \. When the PHP directive magic_quotes_sybase is set to on, ' is escaped with another ' instead.
By default, the PHP directive magic_quotes_gpc is on, and it essentially runs addslashes() automatically on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, because this results in double escaping. You can use the function get_magic_quotes_gpc() to detect this situation.
Example 1. addslashes() example
The code is as follows:

    <?php
    $str = "Is your name O'Reilly?";

    // Outputs: Is your name O\'Reilly?
    echo addslashes($str);
    ?>

get_magic_quotes_gpc()
This function obtains the value of the PHP configuration variable magic_quotes_gpc (GPC: Get/Post/Cookie). A return value of 0 means the feature is turned off; 1 means it is turned on. When magic_quotes_gpc is turned on, all ' (single quote), " (double quote), \ (backslash) and null characters are automatically escaped with a backslash.
The code is as follows:

    function html($str) {
        // Escape only when magic_quotes_gpc has not already escaped the input
        $str = get_magic_quotes_gpc() ? $str : addslashes($str);
        return $str;
    }

In summary:
1. When PHP has magic_quotes_gpc=on,
we can skip both addslashes() on string data going into the database
and stripslashes() on string data coming out, and the data will still be displayed normally.
If you do apply addslashes() to the input data in this case,
then you must use stripslashes() to remove the extra backslashes when outputting.
2. When PHP has magic_quotes_gpc=off,
the input data must be processed with addslashes(), but stripslashes() is not needed to format the output,
because addslashes() does not write the backslashes into the database; it only helps MySQL complete the execution of the SQL statement.
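The approach from the 2012-10-21 update (strip the backslashes magic_quotes_gpc added, then escape once in the storage layer) and the double-escaping case from the summary, as an added example that is not code from the original article or from ThinkSAAS. The names strip_deep, normalize_input and sql_quote and the sample data are hypothetical; the magic-quotes state is passed in as a parameter rather than read with get_magic_quotes_gpc().

```php
<?php
// Added example; all input below is constructed sample data.

// Recursively remove one layer of backslashes (request values may be nested arrays).
function strip_deep($value) {
    return is_array($value) ? array_map('strip_deep', $value) : stripslashes($value);
}

// Return request data in its raw form. $magicOn is a parameter so the script also
// runs on PHP versions where get_magic_quotes_gpc() no longer exists.
function normalize_input(array $data, $magicOn) {
    return $magicOn ? strip_deep($data) : $data;
}

// Hypothetical storage-layer helper: escape exactly once, where the SQL is built.
function sql_quote($value) {
    return "'" . addslashes($value) . "'";
}

// Constructed request data, as the user typed it.
$raw = array('name' => "O'Reilly", 'tags' => array('a\\b', 'say "hi"'));

// Simulate what the script receives when magic_quotes_gpc is on.
$add_deep = function ($v) use (&$add_deep) {
    return is_array($v) ? array_map($add_deep, $v) : addslashes($v);
};
$received = $add_deep($raw);

// Wrong: escaping again on top of magic quotes puts literal backslashes in the stored value.
echo "double-escaped: ", sql_quote($received['name']), "\n";

// Right: undo magic quotes first, then escape once when storing.
$clean = normalize_input($received, true);
echo "normalized:     ", sql_quote($clean['name']), "\n";
var_dump($clean === $raw);

// With magic_quotes_gpc off the input is already raw and passes through unchanged.
var_dump(normalize_input($raw, false) === $raw);
```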