Instructions for using the php get_magic_quotes_gpc() function

get_magic_quotes_gpcThe function is used to determine whether to add slashes to the data provided by the user. This is in the php.iniconfig file. This article will introduce get_magic_quotes_gpc() Function description. Let's take a look at it with the editor

The get_magic_quotes_gpc function is used to determine whether to add slashes to the data provided by the user. This is in the php.ini configuration file. Let me introduce get_magic_quotes_gpc( ) Function description.

get_magic_quotes_gpc function introduction

Get the value of the PHP environment variable magic_quotes_gpc, which is a PHP system function.

Syntax: long get_magic_quotes_gpc(void);

Return value: long integer

This function obtains the value of the variable magic_quotes_gpc (GPC, Get/Post/Cookie) of the PHP environment configuration . Returning 0 means turning off this function; returning 1 means turning this function on.

When magic_quotes_gpc is turned on, all ' (single quotes), ” (double quotes), (backslashes) and null characters will automatically be converted to overflow characters containing backslashes.

magic_quotes_gpc Sets whether to automatically add backslashes to '" in the data sent by GPC (get, post, cookie). You can use get_magic_quotes_gpc() to detect system settings.

If this setting is not turned on, you can use the addslashes() function to add it. Its function is to add backslashes before certain characters when required in database query statements.

These characters are single quotes ('), double quotes ("), backslash () and NUL (NULL character).

By default, the PHP instruction magic_quotes_gpc is on, it Mainly to automatically run addslashes() on all GET, POST and COOKIE data.

Do not use addslashes() on strings that have been escaped by magic_quotes_gpc, because this will cause double-level escaping. In this case, you can use the function get_magic_quotes_gpc() for detection

Example

The correct way to use get_magic_quotes_gpc() to prevent database attacks##.

#The code is as follows

<?php
function check_input($value)
{
// 去除斜杠
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// 如果不是数字则加引号
if (!is_numeric($value))
{
$value = “‘” . mysql_real_escape_string($value) . “‘”;
}
return $value;
}
$con = mysql_connect(“localhost”, “hello”, “321″);
if (!$con)
{
die(‘Could not connect: ‘ . mysql_error());
}
// 进行安全的 SQL
$user = check_input($_POST[&#39;user&#39;]);
$pwd = check_input($_POST[&#39;pwd&#39;]);
$sql = “SELECT * FROM users WHERE
user=$user AND password=$pwd”;
mysql_query($sql);
mysql_close($con);
?>

The summary is as follows:

##1. For the case of magic_quotes_gpc=on,

We can not perform

addslashes() and stripslashes() operations on the string data of the input and output databases, and the data will be displayed normally

If you do this at this time. The input data has been processed by addslashes(),

then you must use stripslashes() to remove excess backslashes when outputting

2. For magic_quotes_gpc=off. Situation

You must use addslashes() to process the input data, but you do not need to use stripslashes()

Format the output

Because addslashes() does not Writing the backslashes together into the database just helps mysql complete the execution of the sql statement

The above is the detailed content of Instructions for using the php get_magic_quotes_gpc() function. For more information, please follow other related articles on the PHP Chinese website!