Home >Backend Development >PHP Tutorial >An in-depth explanation of PHP magic quotes_PHP Tutorial
An in-depth explanation of PHP magic quotes_PHP Tutorial
- WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOriginal
- 2016-07-21 15:06:241247browse
I checked the manual specifically. Regarding php magic quotes, the common settings are as follows, magic_quotes_gpc, magic_quotes_sybase, magic_quote_runtime. These functions are configured in php.ini. From the manual, it can be seen that from php5. These features have been abolished after version 3, so we strongly advise you not to use them and turn them off in php.ini.
The purpose of these functions is to escape data. When preventing sql injection, many people will write like this:
if(!get_magic_quotes_gpc() ){
$post=addslashes($post);
}
If you enable them, single quotes ('), double quotes ("), Backslash () and NUL (null character) are actually equivalent to calling the addslashes function. You may say that this is not very good, and it is safer, but have you considered code portability? In addition, for the above? Is it necessary for you to escape all the data of gpc ($_GET, $_POST, $_COOKIE)? How much is the overhead? The following is a detailed explanation of Magic Quotes in the manual:
1.magic_quotes_gpc
magic_quotes_gpc is used to set the magic quote status of GPC ($_GET, $_POST, $_COOKIE) (also includes $_ENV in PHP4). When turned on, all single-quote, double quote, backslash and NUL's will be automatically escaped by backslash. When magic_quote_sybase is on, only single-quote. quote) will be escaped by single quotes as '', while double quotes, backslash and NUL's are not affected and will not be escaped.
2.magic_quote_runtime
magic_quote_runtime If this option is turned on, many functions that return external data (database, text) will be backslash escaped. If magic_quote_sybase is also enabled, only single quotes (single-quote) will be escaped by single quotes.
3.magic_quotes_sybase
magic_quotes_sybase If you set this option to enable, when magic_quotes_gpc, magic_quotes_runtime are enabled, single quotes will be transferred by single quotes instead of escaped by backslashes. At the same time, this setting will completely override the setting of magic_quotes_gpc. Even if magic_quotes_gpc is set to on, double quotes ", backslashes and NUL's will not be escaped.
