
Solve SQL injection backslash with PHP function

巴扎黑
2016-11-23 15:30:24

What are magic quotes

When turned on, all ' (single quote), " (double quote), \ (backslash) and NULL characters are automatically escaped with a backslash. This has the same effect as addslashes().

There are three magic quote directives:

magic_quotes_gpc affects HTTP request data (GET, POST and COOKIE). The default value is on in PHP.

magic_quotes_runtime If turned on, the data returned by most functions that obtain data from external sources, including from databases and text files, will be backslash-escaped. This option can be changed at runtime in PHP. The default value is off. See set_magic_quotes_runtime() and get_magic_quotes_runtime().

magic_quotes_sybase, if turned on, escapes a single quote with another single quote instead of a backslash. If it is on, it completely overrides magic_quotes_gpc. With both options enabled, only single quotes are escaped, as ''. Double quotes, backslashes and NULL characters are not escaped. See ini_get() for how to get their values.

addslashes

addslashes - Quote string with backslashes

Explanation

string addslashes (string $str)

Returns a string with a backslash in front of the characters that need to be quoted in database queries and similar contexts. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL character).

An example of using addslashes() is when you want to enter data into a database. For example, inserting the name O'reilly into the database requires escaping it. Most databases use \ as the escape character: O\'reilly. This only gets the data into the database; the extra \ is not inserted. When the PHP directive magic_quotes_sybase is set to on, ' is escaped with another ' instead.

By default, the PHP directive magic_quotes_gpc is on, which essentially runs addslashes() automatically on all GET, POST and COOKIE data. Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, as this results in double escaping. You can use the function get_magic_quotes_gpc() to detect this situation.

stripslashes

(PHP 4, PHP 5)

stripslashes — Un-quote string quoted with addslashes()

Explanation

string stripslashes ( string $str )

Un-quotes a quoted string.

Note: If magic_quotes_sybase is on, no backslashes are stripped off but two apostrophes are replaced by one instead.

SQL injection has been a hot topic for ASP, and a number of well-known PHP programs at home and abroad have also fallen victim to it. As for the details of SQL injection, there are too many articles on the Internet, so I won't introduce them here.

If magic_quotes_gpc in the php.ini file of your hosting space is set to off, PHP will not add a backslash (\) before sensitive characters. Since the content submitted by a form may contain sensitive characters such as single quotes ('), this leads to SQL injection vulnerabilities. In this case, we can solve the problem with addslashes(), which adds a backslash before sensitive characters.

However, the above method is only applicable when magic_quotes_gpc=Off. As a developer, you don't know whether each user's magic_quotes_gpc is On or Off. If addslashes() is applied to all data, isn't that "killing innocent people indiscriminately"? If magic_quotes_gpc=On and the addslashes() function is still used, let's take a look:

<?php
// Suppose the form submits a variable $_POST['message'] whose content is Tom's book
// The code to connect to the MySQL database goes here; write it yourself
// Add a backslash before the sensitive characters in $_POST['message']
$_POST['message'] = addslashes($_POST['message']);

// Since magic_quotes_gpc=On, the sensitive characters have now been backslash-escaped a second time
$sql = "INSERT INTO msg_table VALUE('$_POST[message]');";

// Send the query and save the content into the database
$query = mysql_query($sql);

// If you read this record back from the database and output it, you will see Tom\'s book
?>

So in a magic_quotes_gpc=On environment, every single quote (') in the input ends up as (\')...
In fact, we can easily solve this problem with the get_magic_quotes_gpc() function. When magic_quotes_gpc=On, this function returns TRUE; when magic_quotes_gpc=Off, it returns FALSE. At this point, many people must have realized that the problem has been solved. Please see the code:

<?php
// If magic_quotes_gpc=Off, add backslashes to the sensitive characters in $_POST['message'] submitted by the form
// If magic_quotes_gpc=On, do not add them
if (!get_magic_quotes_gpc()) {
    $_POST['message'] = addslashes($_POST['message']);
} else {}
?>

In fact, at this point, the problem has been solved. Here's another little trick.
Sometimes a form submits more than one variable; there may be a dozen or even dozens. Isn't it a little troublesome to copy and paste addslashes() again and again? Since the data obtained from the form or URL arrives as arrays (such as $_POST and $_GET), we can write one function to handle them:

<?php
function quotes($content)
{
    // If magic_quotes_gpc=Off, start processing
    if (!get_magic_quotes_gpc()) {
        // Determine whether $content is an array
        if (is_array($content)) {
            // If $content is an array, process each of its elements
            foreach ($content as $key => $value) {
                $content[$key] = addslashes($value);
            }
        } else {
            // If $content is not an array, process it once
            $content = addslashes($content);
        }
    } else {
        // If magic_quotes_gpc=On, do nothing
    }
    // Return $content
    return $content;
}
?>
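
The double-escaping case and the check-based fix from the two passages above, traced end to end as an added example that is not part of the original article; it also recurses into nested arrays, which the function above does not. Because magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, the setting is passed in as a hypothetical $magicQuotesOn flag. The function names are made up here, and stripslashes() stands in for the database reading the quoted literal.

```php
<?php
// Added example. $magicQuotesOn is a hypothetical flag that replaces the
// get_magic_quotes_gpc() call, which no longer exists in current PHP.

// Unconditional escaping, recursing into nested arrays such as tags[].
function quotes_always($content)
{
    if (is_array($content)) {
        return array_map('quotes_always', $content);
    }
    return addslashes((string) $content);
}

// What magic_quotes_gpc=On did to request data: addslashes() on every value.
function simulate_request(array $form, bool $magicQuotesOn): array
{
    return $magicQuotesOn ? quotes_always($form) : $form;
}

// The article's quotes() idea: escape only when magic quotes did not.
function quotes_checked($content, bool $magicQuotesOn)
{
    return $magicQuotesOn ? $content : quotes_always($content);
}

// Stand-in for the database parsing a '...' literal: one escape layer is consumed.
function stored_value(string $escaped): string
{
    return stripslashes($escaped);
}

// Constructed form input: one scalar field and one nested array field.
$form = ['message' => "Tom's book", 'tags' => ["it's", 'a\\b']];

foreach ([true, false] as $on) {
    $post    = simulate_request($form, $on);
    $blind   = quotes_always($post);        // addslashes() regardless of the setting
    $checked = quotes_checked($post, $on);  // addslashes() only when it is needed
    printf(
        "magic_quotes_gpc=%-3s blind: %s | checked: %s | tag: %s\n",
        $on ? 'On' : 'Off',
        stored_value($blind['message']),
        stored_value($checked['message']),
        stored_value($checked['tags'][0])
    );
}
```

In current code, database-specific escaping functions or prepared statements are the mechanism to use for SQL; addslashes() is not aware of the connection character set.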

