Some usages of MAGIC_QUOTES_GPC functions in PHP

Source: Internet
Author: User
Tags: http request, ini, php, script, sql injection, types of functions

Reading part of the Thinksaas source code, I found that $_POST/$_GET data is processed through the function add_s(): when the environment does not have MAGIC_QUOTES_GPC enabled, the submitted data is passed through addslashes().

I have long been puzzled by MAGIC_QUOTES_GPC, and I once wrote an article on the relationship between the two, "MAGIC_QUOTES_GPC and addslashes()". Now I want to talk through this problem and understand it thoroughly. I have submitted the question on the Thinksaas website and am waiting for a reply; I will update this article with the results.

Question 1: When the data is read back, should it be processed with stripslashes() in order to restore its original state?

Question 2: I think many other programs do it the other way round: if the environment has MAGIC_QUOTES_GPC enabled, the submitted data is processed with stripslashes(), and then htmlspecialchars() is applied to replace the special characters. Which of the two approaches, this one or the Thinksaas one, is better? I heard that MAGIC_QUOTES_GPC is no longer enabled by default.

In the Typecho Locomotive release interface, I processed the POST data using the method from question 2; I do not know whether that is the best way.

Processing the submitted data with stripslashes() and then htmlspecialchars(): I don't think there is any merit in this method. It is better than TS. For a special site, such as a microblog where the format is very small, I think only addslashes() is needed, and then storing it directly is best.

Nobody answered question 1, but I can answer it myself here: whether or not MAGIC_QUOTES_GPC is enabled, the data read back does not need stripslashes() processing, because no extra backslashes were stored with the data.

MAGIC_QUOTES_GPC Summary

1. Processing methods

Method one: if the system environment does not have MAGIC_QUOTES_GPC enabled, process the submitted data with addslashes().
Method two: if the system environment has MAGIC_QUOTES_GPC enabled, process the submitted data with stripslashes(), and finally apply htmlspecialchars() to replace the special characters.

2. The best way, as the brother said: for simple storage, just apply addslashes() and store. If the string needs more complex processing before storage, generally first remove the backslashes that MAGIC_QUOTES_GPC automatically added, then process the string, then apply addslashes() or htmlspecialchars(), and finally store it. This is the general case, but the method still has to be chosen flexibly according to the actual situation.

Update, 2012-10-21

The best way is: remove the backslashes MAGIC_QUOTES_GPC automatically added, and then, in the database operation class, apply addslashes() first in every storage operation and then store.


Now let's see what the official manual says. For the average person, just reading the first two paragraphs is enough.

Magic Quotes

Code:
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

What are Magic Quotes


Code:
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.

There are three magic quote directives:
magic_quotes_gpc

Code:
Affects HTTP request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.

magic_quotes_runtime

Code:
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.

magic_quotes_sybase

Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NULLs will remain untouched and unescaped.
Why Use Magic Quotes


1. Useful for beginners

Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL injection is still possible with magic quotes on, the risk is reduced.

2. Convenience

For inserting data into a database, magic quotes essentially runs addslashes() on all GET, POST, and COOKIE data, and does so automagically.


Why not to use Magic quotes


1. Portability

Code:
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.

2. Performance

Code:
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient.

Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.

3. Inconvenience

Code:
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().
This English really requires a person like me to have enough patience (not that I have patience, but my English is rotten). As I said, ordinary people only need to read the first two paragraphs, especially the words I marked in red!!!

Examples

get_magic_quotes_gpc

Gets the value of the PHP configuration setting magic_quotes_gpc.

Syntax: long get_magic_quotes_gpc(void);

Return value: long integer

Function type: PHP system functions

Description

This function obtains the value of the PHP configuration setting magic_quotes_gpc (GPC: Get/Post/Cookie). A return value of 0 means this feature is turned off; 1 means it is turned on. When magic_quotes_gpc is on, all ' (single quote), " (double quote), \ (backslash) and NULL characters are automatically escaped with a backslash.

addslashes -- quote a string with backslashes

Description
string addslashes(string str)

Returns a string with backslashes added before characters that need to be escaped, for example in database query statements. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

An example of using addslashes() is when entering data into a database. For example, inserting the name O'Reilly into a database requires that it be escaped. Most databases use \ as the escape character: O\'Reilly. This allows the data to be placed in the database without storing an extra \. When the PHP directive magic_quotes_sybase is set to On, it means that ' is escaped with ' instead.

By default, the PHP directive magic_quotes_gpc is on, and it automatically runs addslashes() on all GET, POST and COOKIE data. Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, because this results in double escaping. You can use the function get_magic_quotes_gpc() to detect this situation.

Example 1. addslashes() example

Code:

<?php
$str = "Is your name O'Reilly?";

// Output: Is your name O\'Reilly?
echo addslashes($str);
?>

get_magic_quotes_gpc()
This function obtains the value of the PHP configuration setting magic_quotes_gpc (GPC: Get/Post/Cookie). A return value of 0 means this feature is turned off; 1 means it is turned on. When magic_quotes_gpc is on, all ' (single quote), " (double quote), \ (backslash) and NULL characters are automatically escaped with a backslash.

Code:

// Escape the string only if magic_quotes_gpc has not already done so,
// to avoid double escaping.
function html($str) {
    $str = get_magic_quotes_gpc() ? $str : addslashes($str);
    return $str;
}

Summarized as follows:

1. With PHP magic_quotes_gpc=On:

We do not need to apply addslashes() and stripslashes() to string data on its way into and out of the database; the data is still displayed correctly.

If you do apply addslashes() to the input data in this case,
then you must use stripslashes() on output to remove the extra backslashes.

2. With PHP magic_quotes_gpc=Off:

You must use addslashes() to process the input data, but you do not need stripslashes() to format the output,
because addslashes() does not write the backslashes into the database; it only helps MySQL execute the SQL statement correctly.
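The procedure from the update above and this summary (strip the backslashes magic_quotes_gpc added on the way in, then escape exactly once at the storage boundary), as an added example that is not code from the original post or from Thinksaas. It swaps a mysqli prepared statement for addslashes() at the storage step; the mysqli connection $db and the users table are assumptions.

```php
<?php
// Added example, not code from the original post or from Thinksaas.
// Pattern the post recommends: undo the backslashes magic_quotes_gpc added,
// then escape exactly once where the data reaches the database.

// Recursively remove the backslashes magic_quotes_gpc adds to GET/POST/COOKIE
// values, so the rest of the script always sees the raw submitted data.
function undo_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Guarded with function_exists(): magic quotes were removed in PHP 5.4 and
// get_magic_quotes_gpc() itself was removed in PHP 8.0, so on current PHP the
// request data is already unescaped and nothing must be stripped.
function normalize_request() {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = undo_magic_quotes($_GET);
        $_POST   = undo_magic_quotes($_POST);
        $_COOKIE = undo_magic_quotes($_COOKIE);
    }
}

// Storage step: escaping happens here and nowhere else. A prepared statement
// is used instead of addslashes() because the value is bound to the query by
// the driver, using the connection's charset, and never spliced into the SQL.
// $db is a hypothetical mysqli connection; the users table is assumed.
function insert_name(mysqli $db, $name) {
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// Constructed input: what magic_quotes_gpc would have made of the raw value
// O'Reilly, and what the post's two processing orders do to it.
$magic  = "O\\'Reilly";                 // the string O\'Reilly
$plain  = undo_magic_quotes($magic);    // backslash removed: O'Reilly
$double = addslashes($magic);           // the double-escape the post warns about
echo "stripped: $plain\nescaped a second time: $double\n";
```

Running the last block shows why the order matters: addslashes() on data magic quotes already escaped turns one ' into three escaping characters, while stripping first and escaping once at insert time stores the name as typed.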
