Before writing a PHP application that is not affected by magic quotes, you should read Chapter 10, "Magic Quotes", in Part IV, "Security", of the PHP Manual. If you haven't read it, that's fine: take 10 minutes now to look at it in the PHP Manual.
Magic quotes is a process that automatically escapes data coming into PHP scripts.
You may want your program to be compatible with multiple databases, but different databases may use different escape characters, and the program may run on hosts with different php.ini configurations, where the magic_quotes settings may differ. Writing PHP applications that are not affected by magic quotes is therefore necessary for highly compatible PHP applications.
php.ini has three magic quotes configuration options:
| Magic quotes configuration option | Description | Changeable at runtime | Default value in PHP |
|---|---|---|---|
| magic_quotes_gpc | If it is enabled, the HTTP request data (GET, POST, and COOKIE) is affected. | No | On |
| magic_quotes_runtime | If it is enabled, most of the functions that retrieve data from external sources and return data, including databases and text files, will have quotes escaped with a backslash. (Prerequisite: magic_quotes_gpc = On) | Yes | Off |
| magic_quotes_sybase | When it is disabled, all ' (single quote), " (double quote), \ (backslash) and NULL characters are automatically escaped with a backslash. This works exactly the same as addslashes. If it is enabled, a single quote is escaped with a single quote rather than a backslash. This option completely overrides magic_quotes_gpc. If both options are enabled at the same time, only single quotes are escaped, as ''. Double quotes, backslashes, and NULL characters are not escaped. (Prerequisite: magic_quotes_gpc = On) | Yes | Off |
However, processing the superglobal variables that come from outside is troublesome.
To process the external superglobals, first check whether magic_quotes_gpc is enabled (if magic_quotes_gpc is not enabled but magic_quotes_sybase is, magic_quotes_sybase has no effect), then check whether magic_quotes_sybase is enabled, and then decide whether the program needs to escape external variables addslashes-style or magic_quotes_sybase-style. The following code is a specific implementation.
One might suggest that when magic_quotes_gpc is On and magic_quotes_sybase is Off, calling ini_set('magic_quotes_sybase', 1) directly would override the addslashes-style escaping. This does not work. The output of ini_get('magic_quotes_sybase') shows that magic_quotes_sybase has indeed changed, but your code cannot make the ' escape character replace the addslashes-style automatic escaping, because the system has already finished processing the external variables before your ini_set('magic_quotes_sybase', 1) runs.
<?php
/**
 * Make a PHP application independent of the magic_quotes settings.
 *
 * To use this method, configure whether magic_quotes_sybase-style escaping is used, to suit the DBMS.
 *
 * Setting method:
 * $useQuotesSybase[database name] = 1;
 * If sqlite is used, define and initialize $useQuotesSybase['sqlite'] = 1;
 * If mysql is used, you can define and initialize $useQuotesSybase['sqlite'] = 0; or not.
 *
 * CONFIG_DB_DBMS is the constant naming the DBMS in use and is defined elsewhere, for example define('CONFIG_DB_DBMS', 'mysql');
 *
 * @author streamline Mengchun cmpan (at) qq.com
 * @link http://lib.cublog.cn
 * $Date 2007.11.18
 */
error_reporting(E_ALL);
set_magic_quotes_runtime(0);
define('CONFIG_DB_DBMS', 'sqlite'); // used for testing
// Databases that use ' as the escape character
$useQuotesSybase = array();
$useQuotesSybase['sqlite'] = 1;
$useQuotesSybase['sybase'] = 1;
if (!empty($_POST)) $_POST = array_map('quotesOuterVars', $_POST);
if (!empty($_GET)) $_GET = array_map('quotesOuterVars', $_GET);
$_COOKIE = array_map('quotesOuterVars', $_COOKIE);
$_REQUEST = array_map('quotesOuterVars', $_REQUEST);

// Escape one external value (or, recursively, an array of values) for the configured DBMS.
function quotesOuterVars($var) {
    if (is_array($var)) {
        return array_map('quotesOuterVars', $var);
    } else {
        if (get_magic_quotes_gpc()) {
            if (isset($GLOBALS['useQuotesSybase'][CONFIG_DB_DBMS]) && $GLOBALS['useQuotesSybase'][CONFIG_DB_DBMS]) {
                // Use ' as the escape character.
                // If magic_quotes_sybase = Off, the system has already applied addslashes to the
                // external variable, so we must stripslashes first and then replace ' with ''.
                // Otherwise, the system has already replaced ' with '' automatically.
                if (!ini_get('magic_quotes_sybase')) {
                    $var = stripslashes($var);
                    $var = str_replace("'", "''", $var);
                }
            } else {
                // The escape character must be "\".
                // If magic_quotes_sybase = On, replace '' with ' and then addslashes.
                // Otherwise, the system has already added the backslashes automatically.
                if (ini_get('magic_quotes_sybase')) {
                    $var = str_replace("''", "'", $var);
                    $var = addslashes($var);
                }
            }
        } else {
            // Nothing was escaped automatically, so escape once in the style the DBMS needs.
            if (isset($GLOBALS['useQuotesSybase'][CONFIG_DB_DBMS]) && $GLOBALS['useQuotesSybase'][CONFIG_DB_DBMS]) {
                $var = str_replace("'", "''", $var);
            } else {
                $var = addslashes($var);
            }
        }
        return trim($var);
    }
}
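The normalisation that the function above performs, as an added example that is not part of the original article: it simulates what each magic_quotes_gpc / magic_quotes_sybase combination does to one request value, restores the raw value, and escapes it once for the target DBMS. The function names and the sample string are constructed for illustration, and the magic quotes behaviour is simulated so the script also runs on PHP versions where the feature no longer exists.

```php
<?php
// Added example (not the article's code). All names below are hypothetical.

// What PHP would hand the script for a raw value under a given configuration.
function simulateMagicQuotes($raw, $gpc, $sybase) {
    if (!$gpc) return $raw;                            // sybase alone has no effect
    if ($sybase) return str_replace("'", "''", $raw);  // only ' is doubled
    return addslashes($raw);                           // ' " \ and NUL get a backslash
}

// Reverse the automatic escaping so the script always starts from raw data.
function undoMagicQuotes($value, $gpc, $sybase) {
    if (!$gpc) return $value;
    if ($sybase) return str_replace("''", "'", $value);
    return stripslashes($value);
}

// Escape raw data exactly once, in the style the target DBMS expects.
// (Bound parameters, e.g. PDO prepared statements, avoid manual escaping entirely.)
function escapeForDbms($raw, $useQuoteDoubling) {
    return $useQuoteDoubling ? str_replace("'", "''", $raw) : addslashes($raw);
}

$raw = "O'Neil said \"C:\\temp\"";   // constructed sample input
$configs = array(
    array(false, false),  // gpc Off
    array(false, true),   // gpc Off, sybase On (sybase is ignored)
    array(true, false),   // gpc On: addslashes-style
    array(true, true),    // gpc On, sybase On: quote doubling
);

foreach ($configs as $c) {
    list($gpc, $sybase) = $c;
    $received = simulateMagicQuotes($raw, $gpc, $sybase);
    $restored = undoMagicQuotes($received, $gpc, $sybase);
    printf("gpc=%d sybase=%d received: %s\n", $gpc, $sybase, $received);
    printf("  restored to raw: %s\n", $restored === $raw ? 'yes' : 'no');
    printf("  quote-doubling DBMS: %s\n", escapeForDbms($restored, true));
    printf("  backslash DBMS:      %s\n", escapeForDbms($restored, false));
}
```

Whatever the configuration, the two escaped forms printed for each row are identical, which is the property the article's function is trying to guarantee.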
From the table above, we can see that magic_quotes_runtime can be turned off in the program with ini_set('magic_quotes_runtime', 0); you can then use your own methods to process data from databases or files.