Correctly understand the true meaning of PHP escaping
PHP has a "magic quotes" switch that is on by default. When it is on, every value that arrives from outside in $_GET, $_POST and $_COOKIE is escaped by PHP automatically.
For example, request:
http://localhost/test.PHP?test=1'
and then dump the value inside the script:
var_dump($_GET['test']);
========output=======
string(3) "1\'"
The ' has been escaped with a backslash. This causes a problem: when the value is printed to a web page, the backslashes show up all over the page. Another function, stripslashes, can be used to remove them.
The section on escaping in the PHP manual recommends not enabling "magic quotes", mainly for efficiency reasons. It does have one advantage, though: it is very safe for a novice like me.
There are three ways to turn "magic quotes" off. It cannot be turned off while PHP is running, which means ini_set() cannot be used.
1. Set it in php.ini:
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
2. If the system configuration cannot be modified, use .htaccess:
php_flag magic_quotes_gpc Off
3. The least efficient way: strip the slashes again in PHP code
<?php
// When magic quotes are on, undo the escaping on all incoming data
if (get_magic_quotes_gpc()) {
    // Recursively strip the slashes from a string or a nested array
    function stripslashes_deep($value)
    {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    $_POST   = array_map('stripslashes_deep', $_POST);
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
?>
One more thing to mention: the handling of % when the SQL statement contains LIKE. addslashes does not escape % or _, and these two characters do not need to be escaped in other SQL statements, so I wrote a function like_esc($value) that is used only when a LIKE clause is involved.
When outputting to a web page, after stripslashes you also need to escape the value with htmlspecialchars.
I now use a rather lazy PHP escaping method that escapes everything that comes in:
<?php
// When magic quotes are off, add the slashes ourselves on all incoming data
if (!get_magic_quotes_gpc()) {
    // Recursively add slashes to a string or a nested array
    function addslashes_deep($value)
    {
        $value = is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
        return $value;
    }
    $_POST   = array_map('addslashes_deep', $_POST);
    $_GET    = array_map('addslashes_deep', $_GET);
    $_COOKIE = array_map('addslashes_deep', $_COOKIE);
}
?>
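As an added example (not the author's code; the author's like_esc is not shown on the page, so the version below is my own assumption of it), this script ties together the LIKE paragraph, the htmlspecialchars note and the *_deep helpers above: why like_esc is needed on top of addslashes, the order the two must be applied in, and the stripslashes + htmlspecialchars step for HTML output. It assumes PHP 5.4 or later (where magic quotes no longer exist) and MySQL's default backslash escape character for LIKE.

```php
<?php
// Added example, not code from the original article. like_esc is my own
// version (assumption: the author's is not shown). Assumes PHP >= 5.4 and a
// MySQL-style LIKE, where \ is the default escape character.

// Escape the LIKE wildcards % and _ (and the escape character itself) so the
// user's text is matched literally. Backslash is replaced first so that the
// backslashes added for % and _ are not escaped a second time.
function like_esc($value)
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// Build the string literal for a LIKE clause: wildcard escaping first, then the
// ordinary string-literal escaping (addslashes here, as in the article; with a
// database connection prefer mysqli_real_escape_string or a prepared statement,
// but like_esc is still required, because % and _ are pattern syntax, not SQL
// syntax, and a bound parameter does not neutralise them).
function like_literal($value)
{
    return "'%" . addslashes(like_esc($value)) . "%'";
}

// Same recursion as the article's *_deep helpers, for any callback.
function map_deep($fn, $value)
{
    if (is_array($value)) {
        return array_map(function ($v) use ($fn) { return map_deep($fn, $v); }, $value);
    }
    return $fn($value);
}

// Output to HTML: remove magic-quote style slashes, then HTML-escape.
function html_out($value)
{
    return htmlspecialchars(stripslashes($value), ENT_QUOTES, 'UTF-8');
}

$input = "50%_off O'Neil";          // constructed sample input

echo addslashes($input), "\n";      // only the quote is escaped; % and _ untouched
echo like_literal($input), "\n";    // % and _ escaped, then backslashes and ' doubled
echo html_out(addslashes($input)), "\n"; // slashes removed, quote HTML-encoded

// Nested input, e.g. a $_POST['search'] array: every leaf is escaped.
$post = ['search' => ['term' => "a_b", 'q' => '100%']];   // constructed
print_r(map_deep('like_esc', $post));
```

Feeding like_literal's result into a LIKE clause matches the user's text literally, which is the case the article's like_esc exists for.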