Detailed explanation of get_magic_quotes_gpc() function in php

The get_magic_quotes_gpc function is used to determine whether to add slashes to the data provided by the user. This is in the php.ini configuration file. This article will introduce the get_magic_quotes_gpc() function description. Let's take a look at it with the editor

The get_magic_quotes_gpc function is used to determine whether to add slashes to the data provided by the user. This is in the php.ini configuration file. Let me introduce get_magic_quotes_gpc( ) Function description.

get_magic_quotes_gpc function introduction

Get the value of the PHP environment variable magic_quotes_gpc, which is a PHP system function.

Syntax: long get_magic_quotes_gpc(void);

Return value: long integer

This function obtains the value of the variable magic_quotes_gpc (GPC, Get/Post/Cookie) of the PHP environment configuration . Returning 0 means turning off this function; returning 1 means turning this function on.

When magic_quotes_gpc is turned on, all ' (single quotes), ” (double quotes), (backslashes) and null characters will automatically be converted to overflow characters containing backslashes.

magic_quotes_gpc Sets whether to automatically add backslashes to '" in the data sent by GPC (get, post, cookie). You can use get_magic_quotes_gpc() to detect system settings.

If this setting is not turned on, you can use the addslashes() function to add it. Its function is to add backslashes before certain characters when required in database query statements.

These characters are single quotes ('), double quotes ("), backslash () and NUL (NULL character).

By default, the PHP instruction magic_quotes_gpc is on, it Mainly to automatically run addslashes() on all GET, POST and COOKIE data.

Do not use addslashes() on strings that have been escaped by magic_quotes_gpc, because this will cause double-layer escaping. Encountered In this case, you can use the function get_magic_quotes_gpc() to detect.

Example

The correct way to use get_magic_quotes_gpc() to prevent database attacks

The code is as follows

<?php
function check_input($value)
{
// 去除斜杠
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// 如果不是数字则加引号
if (!is_numeric($value))
{
$value = “‘” . mysql_real_escape_string($value) . “‘”;
}
return $value;
}
$con = mysql_connect(“localhost”, “hello”, “321″);
if (!$con)
{
die(‘Could not connect: ‘ . mysql_error());
}
// 进行安全的 SQL
$user = check_input($_POST[&#39;user&#39;]);
$pwd = check_input($_POST[&#39;pwd&#39;]);
$sql = “SELECT * FROM users WHERE
user=$user AND password=$pwd”;
mysql_query($sql);
mysql_close($con);
?>

The summary is as follows:

1. For magic_quotes_gpc=on In this case,

we can not perform

addslashes() and stripslashes() operations on the string data of the input and output databases, and the data will be displayed normally.

If you perform addslashes() on the input data at this time,

then you must use stripslashes() to remove excess backslashes when outputting.

2 . For the case of magic_quotes_gpc=off

addslashes() must be used to process the input data, but there is no need to use stripslashes() to format the output

because addslashes() does not Writing the backslashes together into the database only helps mysql complete the execution of the sql statement

The above is the entire content of this article, I hope it will be helpful to everyone's learning.

Related recommendations:

php get_magic_quotes_gpc() function usage instructions

Regarding php automatic escaping issues, historical issues left over by magic_quotes_gpc in the configuration

php get_magic_quotes_gpc Introduction to the usage of () function

#

The above is the detailed content of Detailed explanation of get_magic_quotes_gpc() function in php. For more information, please follow other related articles on the PHP Chinese website!