While reading part of the Thinksaas source code, I found that data arriving through $_POST/$_GET is processed by the function add_s(): if the environment does not have magic_quotes_gpc turned on, the submitted data is run through addslashes().
I have always been puzzled by magic_quotes_gpc, and I have previously written an article about it, "magic_quotes_gpc and addslashes()". Now I want to talk this problem through and understand it thoroughly. I have posted the question on the Thinksaas website and am waiting for a reply; I will update this article with the results.
Question 1: When the data is read back, should it not be run through stripslashes() to restore it to its original state?
Question 2: I think many other programs do it the other way round: if the environment has magic_quotes_gpc on, the submitted data is run through stripslashes(), and then through htmlspecialchars() to replace the special characters. Which is better, this method or the Thinksaas method? I heard that magic_quotes_gpc is no longer on by default.
For the Typecho locomotive release interface, I processed the POST data using the method from question 2; I don't know whether that is the best way.
Running stripslashes() on the submitted data and then htmlspecialchars() on it: I don't think there is any merit in this method compared with TS. If the site is special, for example a microblog where the format is very small, I think addslashes() alone is enough, and then store it directly.
Nobody answered question 1, but I can answer it myself here: whether or not magic_quotes_gpc is on, the data read back does not need stripslashes() processing, because no extra backslashes were added to the stored data.
MAGIC_QUOTES_GPC Summary
1. Processing methods
Method one: If the system environment does not have magic_quotes_gpc on, the submitted data is processed with addslashes().
Method two: If the system environment has magic_quotes_gpc on, the submitted data is processed with stripslashes(), and finally htmlspecialchars() is applied to the data to neutralise the special characters.
2. The best way, as the replier said: for simple storage, just addslashes() the data and store it. If the string needs more complex processing before storage, generally first remove the backslashes that magic_quotes_gpc added automatically, then process the string, then apply addslashes() or htmlspecialchars(), and finally store it. That is the general case, but the method still has to be chosen flexibly according to the practical situation.
Update, 2012-10-21
The best way is: remove the backslashes automatically added by magic_quotes_gpc, and then have every storage operation in the database operation class call addslashes() first, and only then store the data.
Now let's see what the official documentation says.
Let's see what the manual says!
For the average reader, the first two paragraphs are enough.
Magic Quotes
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic Quotes
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
There are three magic quote directives:
magic_quotes_gpc
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
magic_quotes_runtime
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
magic_quotes_sybase
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped, as ''. Double quotes, backslashes and NULLs will remain untouched and unescaped.
Why Use Magic Quotes
1. Useful for Beginners
Magic quotes are implemented in PHP to help keep code written by beginners from being dangerous. Although SQL injection is still possible with magic quotes on, the risk is reduced.
2. Convenience
For inserting data into a database, magic quotes essentially runs addslashes() on all GET, POST, and COOKIE data, and does so automagically.
Why Not to Use Magic Quotes
1. Portability
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
2. Performance
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling the escaping functions (like addslashes()) at runtime is more efficient.
Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
3. Inconvenience
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix this may require excessive use of stripslashes().
Reading this English really takes patience for people like me (not that I am patient, but my English is poor). As I said, the average reader only needs to look at the first two paragraphs, especially the words I marked in red!!!
Examples
get_magic_quotes_gpc
Gets the value of the PHP configuration variable magic_quotes_gpc.
Syntax: long get_magic_quotes_gpc(void);
Return value: long integer
Function category: PHP system functions
Description
This function obtains the value of the PHP configuration variable magic_quotes_gpc (GPC: Get/Post/Cookie). A return value of 0 means this feature is off; 1 means it is on. When magic_quotes_gpc is on, all ' (single quote), " (double quote), \ (backslash) and NULL characters are automatically escaped with a backslash.
addslashes -- quote a string with backslashes
Description
string addslashes(string str)
Returns a string with a backslash placed before certain characters that need to be escaped, for example in database query statements. These characters are the single quote ('), double quote ("), backslash (\) and NUL (the NULL character).
An example of using addslashes() is when you are entering data into a database. For example, inserting the name O'Reilly into a database requires that it be escaped. Most databases use \ as the escape character: O\'Reilly. This allows the data to be placed in the database without inserting extra characters. When the PHP directive magic_quotes_sybase is set to on, a ' is escaped with another ' instead of a backslash.
By default, the PHP directive magic_quotes_gpc is on, and it automatically runs addslashes() on all GET, POST and COOKIE data. Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, because this results in a double escape. You can use the function get_magic_quotes_gpc() to detect this situation.
Example 1. addslashes() example
The code is as follows:
<?php
$str = "Is your name O'Reilly?";
// Outputs: Is your name O\'Reilly?
echo addslashes($str);
?>
get_magic_quotes_gpc()
This function obtains the value of the PHP configuration variable magic_quotes_gpc (GPC: Get/Post/Cookie). A return value of 0 means the feature is off; 1 means it is on. When it is on, all ' (single quote), " (double quote), \ (backslash) and NULL characters in the request data are automatically escaped with a backslash, so the following helper only adds backslashes when PHP has not already done so:
The code is as follows:
function html($str) {
    // Only escape when magic_quotes_gpc has not already done it, to avoid a double escape.
    $str = get_magic_quotes_gpc() ? $str : addslashes($str);
    return $str;
}
Summary:
1. When PHP has magic_quotes_gpc=on, we do not need to call addslashes() or stripslashes() on string data going into or coming out of the database, and the data is still displayed correctly. If you do call addslashes() on the input data in this case, you must then use stripslashes() on output to remove the extra backslashes.
2. When PHP has magic_quotes_gpc=off, you must process the input data with addslashes(), but you do not need stripslashes() to format the output, because addslashes() does not write the backslash into the database; it only helps MySQL execute the SQL statement correctly.
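Putting the "best way" from the update and the summary into code, as an added example that is not from Thinksaas or the PHP manual; the function names strip_magic_quotes(), normalise_request() and build_insert() are my own, and the input value is constructed:

```php
<?php
// Added example, not Thinksaas code: undo magic quotes once on input and
// escape once at storage time, so the code behaves the same whether
// magic_quotes_gpc is on or off. get_magic_quotes_gpc() always returns
// false from PHP 5.4 on and was removed in PHP 8, so its existence is checked.

// Recursively remove the backslashes magic_quotes_gpc added to a request
// array, so the rest of the code always works with the raw submitted text.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Call once at the top of the script (the "best way" from the update above).
function normalise_request() {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = strip_magic_quotes($_GET);
        $_POST   = strip_magic_quotes($_POST);
        $_COOKIE = strip_magic_quotes($_COOKIE);
    }
}

// Escaping is done in the storage layer, exactly once per value. addslashes()
// is what this page discusses; with a live MySQL connection,
// mysqli_real_escape_string() or a prepared statement is the safer choice.
function build_insert($table, array $row) {
    $cols = array();
    $vals = array();
    foreach ($row as $col => $val) {
        $cols[] = '`' . $col . '`';
        $vals[] = "'" . addslashes($val) . "'";
    }
    return 'INSERT INTO `' . $table . '` (' . implode(', ', $cols)
         . ') VALUES (' . implode(', ', $vals) . ')';
}

// Constructed input: what $_POST['name'] holds for the value O'Reilly when
// magic_quotes_gpc is on (one backslash already added by PHP).
$received = "O\\'Reilly";
$clean    = stripslashes($received);          // back to the original text

echo "received:      ", $received, "\n";
echo "stripped:      ", $clean, "\n";
echo "escaped once:  ", addslashes($clean), "\n";
echo "double escape: ", addslashes($received), "\n"; // the mistake the manual warns about
echo build_insert('users', array('name' => $clean)), "\n";
```

The last two echo lines show why the manual says not to call addslashes() on data magic_quotes_gpc has already escaped: the backslash count doubles, and the extra backslashes end up in the database.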