A little understanding and analysis of php magic_quotes_gpc_PHP tutorial

blankyao said, “The process of learning is to constantly discover mistakes and constantly correct them”;

Let’s take a look at what the manual says first!

For ordinary people, just read the first two paragraphs

Magic Quotes

Code:
Magic Quotes is a process that automatically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
What are Magic Quotes


Code:
When on, all ' (single -quote), " (double quote), (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.

There are three magic quote directives:
magic_quotes_gpc

Code:
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at runtime, and defaults to on in PHP.
magic_quotes_runtime

Code:
If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off in PHP.
magic_quotes_sybase

Code:
If enabled, a single-quote is escaped with a single-quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes , backslashes and NULL's will remain untouched and unescaped.
Why use Magic Quotes




1　Useful for beginners

Magic quotes are implemented in PHP to help code written by beginners from being dangerous. Although SQL Injection is still possible with magic quotes on, the risk is reduced.

２Convenience

For inserting data into a database, magic quotes essentially runs addslashes( ) on all Get, Post, and Cookie data, and does so automatically.


Why not to use Magic Quotes




1 >
Code:
Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
２　Performance

Code:
Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient.

Although php .ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
３　Inconvenience

Code:
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of ' within the email. To fix, this may require excessive use of stripslashes().
These English It really requires people like me to have enough patience (not that I have patience, but my English is bad). As I said just now, for ordinary people, just read the first two paragraphs, especially the ones I marked in red. Words come out! ! !

In addition, special note is that the magic reference takes effect when $_GET, $_POST, $_COOKIE is passed

The following is the case

Code:
1 .
Condition: magic_quotes_gpc=off
The string written to the database is not filtered. The string read from the database is not processed in any way.

Data: $data="snow''''sun"; (There are four consecutive single quotes between snow and sun).

Operation: Change the string: "snow' '''sun" is written to the database,

Result: SQL statement error occurs, mysql cannot successfully complete the SQL statement, and writing to the database fails.

Database saving format: No data.

Output data format: No data.

Note: Unprocessed single quotes will cause SQL statement errors when written to the database.

Code:
2.
Condition: magic_quotes_gpc=off
The string written to the database is processed by the function addslashes(). The string read from the database is not processed in any way.

Data: $data="snow''''sun"; (There are four consecutive single quotes between snow and sun).

Operation: Change the string: "snow' '''sun" is written to the database,

Result: The sql statement is executed smoothly and the data is successfully written to the database

Database saving format: snow''''sun (same as input)

Output data format: snow''''sun (same as input)

Explanation: The addslashes() function converts single quotes into ' escape characters so that the sql statement can be executed successfully,
But it is not stored in the database as data. The database saves snow''''sun and not the snow''''sun we imagined.

Code:
3.
Conditions: magic_quotes_gpc=on
The string written to the database is not processed in any way. The string read from the database is not processed in any way.

Data: $data="snow''''sun"; (There are four consecutive single quotes between snow and sun).

Operation: Change the string: "snow' '''sun" is written to the database,

Result: The sql statement is executed smoothly and the data is successfully written to the database

Database saving format: snow''''sun (same as input)

Output data format: snow''''sun (same as input)

Description: magic_quotes_gpc=on converts single quotes into ' escape characters to make the sql statement execute successfully,
but ' is not entered into the database as data. The database saves snow''''sun and not the snow''''sun we imagined.

Code:
4.
Condition: magic_quotes_gpc=on
The string written to the database is processed by the function addlashes(). The string read from the database is not processed in any way.

Data: $data="snow''''sun"; (There are four consecutive single quotes between snow and sun).

Operation: Change the string: "snow' '''sun" is written to the database,

Result: The sql statement is executed smoothly and the data is successfully written to the database

Database saving format: snow''''sun (escape characters added)

Output data format: snow''''sun (escape characters added)

Description: magic_quotes_gpc=on converts single quotes into 'escape characters so that the sql statement can be executed successfully,
addslashes converts the single quotes that are about to be written into the database into ', and the latter conversion is written into the
database as data. The database saves snow''''sun
The summary is as follows:

1. For the case where magic_quotes_gpc=on,

we can not perform
addslashes() and stripslashes() operations on the string data input and output from the database, and the data will be displayed normally.

If you perform addslashes() on the input data at this time,
then you must use stripslashes() to remove excess backslashes when outputting.

2. For the case of magic_quotes_gpc=off

must use addslashes() to process the input data, but there is no need to use stripslashes() to format the output
because addslashes() does not The backslash is not written to the database, it just helps mysql complete the execution of the sql statement.

Supplementary:

magic_quotes_gpc Scope of action: WEB client server; Action time: When the request starts, such as when the script is running.
magic_quotes_runtime scope: data read from a file or the result of executing exec() or obtained from a SQL query; action time: every time the script accesses data generated in the running state

http://www.bkjia.com/PHPjc/319284.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/319284.htmlTechArticleblankyao said, “The process of learning is to constantly discover mistakes and constantly correct them”; First, let’s take a look at the manual. Just say it! For ordinary people, just read the first two paragraphs Magic Quot...