Understanding and Analysis of PHP magic_quotes_gpc

"The learning process is to constantly discover and correct errors," said blankyao ";

Let's take a look at what I said in the manual!

For average people, just look at the first two paragraphs.

Magic quotes

Code:
Magic quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are magic quotes

Code:
When on, all' (single-quote), "(double quote), \ (backslash) and null characters are escaped with a backslash automatically. this is identical to what addslashes () does.

There are three magic quote ctictives:
Magic_quotes_gpc

Code:
Affects HTTP request data (get, post, and cookie). cannot be set at runtime, and defaults to on in PHP.
Magic_quotes_runtime

Code:
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. can be set at runtime, and defaults to off in PHP.
Magic_quotes_sybase

Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. if on, it completely overrides magic_quotes_gpc. having both directives enabled means only single quotes are escaped ''. double quotes, backslashes and null's will remain untouched and unescaped.
Why use magic quotes

1 useful for beginners

Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL injection is still possible with magic quotes on, the risk is already CED.

2 convenience

For inserting data into a database, magic quotes essential tially runs addslashes () on all get, post, and cookie data, and does so automagically.

Why not to use magic quotes

1 portability

Code:
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc () to check for this, and Code accordingly.
2 Performance

Code:
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. simply calling on the escaping functions (like addslashes () at runtime is more efficient.

Although PHP. ini-Dist enables these ctictives by default, PHP. ini-recommended disables it. This recommendation is mainly due to performance reasons.
3 inconvenience

Code:
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. for example, emailing from a form, and seeing a bunch of \ 'Within the email. to fix, this may require excessive use of stripslashes ().
These English words really need patience like me (not to say that I am patient, but that I am poor at English, only the first two paragraphs can be viewed by ordinary people, especially the words marked with red !!!

In addition, it is important to note that magic references are used when passing $ _ Get, $ _ post, $ _ cookie

The following is a case

Code:
1.
Condition: magic_quotes_gpc = off
The string written to the database has not been filtered. The strings read from the database are not processed.

Data: bytes $ DATA = "Snow '''sun"; (four consecutive single quotes between snow and Sun ).

Operation: Write the string "Snow ''' sun" to the database,

Result: if an SQL statement error occurs, MySQL cannot complete the SQL statement successfully and fails to write data to the database.

Database storage format: no data.

Output Data Format: no data.

Note: An SQL statement error occurs when unprocessed single quotes are written to the database.

Code:
2.
Condition: magic_quotes_gpc = off
The string written to the database is processed by the addslashes () function. Strings read from the database are not processed.

Data: bytes $ DATA = "Snow '''sun"; (four consecutive single quotes between snow and Sun ).

Operation: Write the string "Snow ''' sun" to the database,

Result: The SQL statement is successfully executed and data is successfully written to the database.

Database storage format: snow ''' Sun (same as input)

Output Data Format: snow ''' Sun (same as input)

Note: The addslashes () function converts single quotation marks to escape characters of \ 'so that the SQL statement is successfully executed,
However, \ 'is not stored in the database as data. The database stores snow''' sun, not the snow \' \ 'Sun.

Code:
3.
Condition: magic_quotes_gpc = on
The string written to the database has not been processed. Strings read from the database are not processed.

Data: bytes $ DATA = "Snow '''sun"; (four consecutive single quotes between snow and Sun ).

Operation: Write the string "Snow ''' sun" to the database,

Result: The SQL statement is successfully executed and data is successfully written to the database.

Database storage format: snow ''' Sun (same as input)

Output Data Format: snow ''' Sun (same as input)

Note: magic_quotes_gpc = on converts single quotes to \ 'escape characters so that the SQL statement is successfully executed,
However, \ 'is not used as data into the database. The database stores snow''' sun, rather than snow \' \ 'Sun.

Code:
4.
Condition: magic_quotes_gpc = on
The string written to the database is processed by the addlashes () function. Strings read from the database are not processed.

Data: bytes $ DATA = "Snow '''sun"; (four consecutive single quotes between snow and Sun ).

Operation: Write the string "Snow ''' sun" to the database,

Result: The SQL statement is successfully executed and data is successfully written to the database.

Database storage format: snow \ 'Sun (escape characters added)

Output Data Format: snow \ 'Sun (escape characters added)

Note: magic_quotes_gpc = on converts single quotes to \ 'escape characters so that the SQL statement is successfully executed,
Addslashes converts the single quotation marks (\) to be written into the database, and the latter conversion is written as data.
Database. The database stores snow \ '\ 'Sun
Summary:

1. For magic_quotes_gpc = on,

We may not use the string data of the input or output database
The operation of addslashes () and stripslashes () will also display the data normally.

If you perform addslashes () processing on the input data,
In this case, you must use stripslashes () to remove unnecessary backslash.

2. magic_quotes_gpc = off

You must use addslashes () to process the input data, but you do not need to use stripslashes () to format the output.
Because addslashes () does not write the backslash together into the database, it only helps MySQL to complete SQL statement execution.

Supplement:

magic_quotes_gpc: Web Client Server; Time: Request start, for example, when the script is running.
magic_quotes_runtime: The data read from the file, the exec () execution result, or the result obtained from the SQL query. The validity period is as follows: each time the script accesses the data generated in the running status