Description of get_magic_quotes_gpc() function in php_PHP tutorial

The get_magic_quotes_gpc function is used to determine whether to add slashes to the data provided by the user. This is in the php.ini configuration file. Let me introduce the get_magic_quotes_gpc() function description.

get_magic_quotes_gpc function Introduction

Get the value of PHP environment variable magic_quotes_gpc, which is a PHP system function.
Syntax: long get_magic_quotes_gpc(void);
Return value: long integer
This function obtains the value of the variable magic_quotes_gpc (GPC, Get/Post/Cookie) in the PHP environment configuration. Returning 0 means turning off this function; returning 1 means turning this function on.

When magic_quotes_gpc is turned on, all ‘ (single quote), ” (double quote), (backslash) and null characters will automatically be converted to overflow characters containing backslash.
magic_quotes_gpc sets whether to automatically add a backslash to the '" in the data sent by GPC (get, post, cookie). You can use get_magic_quotes_gpc() to detect the system settings.
If this setting is not turned on, you can use the addslashes() function to add it. Its function is to add backslashes before certain characters when required in database query statements.
These characters are single quote (’), double quote (”), backslash () and NUL (NULL character).
By default, the PHP directive magic_quotes_gpc is on, which mainly automatically runs addslashes() on all GET, POST and COOKIE data.

Do not use addslashes() on strings that have been escaped by magic_quotes_gpc, as this will result in double escaping. When encountering this situation, you can use the function get_magic_quotes_gpc() to detect it.

Example

The correct way to use get_magic_quotes_gpc() to prevent database attacks

$con = mysql_connect(“localhost”, “hello”, “321″); if (!$con)

The code is as follows

代码如下

复制代码

function check_input($value) { // 去除斜杠 if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // 如果不是数字则加引号 if (!is_numeric($value)) { $value = “‘” . mysql_real_escape_string($value) . “‘”; } return $value; } $con = mysql_connect(“localhost”, “hello”, “321″); if (!$con) { die(‘Could not connect: ‘ . mysql_error()); } // 进行安全的 SQL $user = check_input($_POST['user']); $pwd = check_input($_POST['pwd']); $sql = “SELECT * FROM users WHERE user=$user AND password=$pwd”; mysql_query($sql); mysql_close($con); ?>

Copy code

function check_input($value)

{

// Remove slashes

if (get_magic_quotes_gpc())
{

$value = stripslashes($value);

}
// If it is not a number, add quotes

if (!is_numeric($value))

{

$value = “‘” . mysql_real_escape_string($value) . “‘”;

}
return $value;

}

{ die(‘Could not connect: ‘ . mysql_error());

}

// Make secure SQL $user = check_input($_POST['user']); $pwd = check_input($_POST['pwd']); $sql = “SELECT * FROM users WHERE user=$user AND password=$pwd”; mysql_query($sql); mysql_close($con); ?>

The summary is as follows:

1. For magic_quotes_gpc=on,

We can not do anything with the string data of the input and output databases For the operations of addslashes() and stripslashes(), the data will be displayed normally. If you perform addslashes() on the input data at this time, Then you must use stripslashes() to remove excess backslashes when outputting. 2. For the case of magic_quotes_gpc=off You must use addslashes() to process the input data, but you do not need to use stripslashes() to format the output Because addslashes() does not write the backslashes into the database, it just helps mysql complete the execution of the sql statement http://www.bkjia.com/PHPjc/632823.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/632823.htmlTechArticleget_magic_quotes_gpc function is used to determine whether to add slashes to the data provided by the user. This is configured in php.ini In the file, let me introduce the get_magic_quotes_gpc() function...