PHP implements code for processing input escape characters

This article mainly introduces the code for PHP to process input escape characters. Friends who need it can refer to it

Let’s start with a function, which was recently introduced in WordPress 3.6

/**
 * Add slashes to a string or array of strings.
 *
 * This should be used when preparing data for core API that expects slashed data.
 * This should not be used to escape data going directly into an SQL query.
 *
 * @since 3.6.0
 *
 * @param string|array $value String or array of strings to slash.
 * @return string|array Slashed $value
 */
function wp_slash( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            if ( is_array( $v ) ) {
                $value[$k] = wp_slash( $v );
            } else {
                $value[$k] = addslashes( $v );
            }
        }
    } else {
        $value = addslashes( $value );
    }
 
    return $value;
}

First explain one PHP built-in function: get_magic_quotes_gpc()

The function of this function is to get the value of the magic_quotes_gpc option in the php.ini setting.
If the value of the magic_quotes_gpc option is On, the PHP parser will automatically add the escape character "\" to the data from post, get, and cookie to ensure that these data will not trigger programs, especially database statements due to special characters. fatal error.

When turned on, characters such as single quotes ('), double quotes ("), backslashes (\) and NUL (NULL characters) will be backslashed, otherwise they need to be processed manually. , uses addslashes()
magic_quotes_gpc returns 1 when the value is On, otherwise returns 0
addslashes() function adds a backslash before the specified predefined character. That is, the characters listed above

But the get_magic_quotes_gpc() built-in function has been canceled in PHP5.4 and above. In order to avoid future errors, all inputs are filtered like this:

if(!function_exists(get_magic_quotes_gpc) || !get_magic_quotes_gpc() )) { 
  foreach(array('_COOKIE', '_POST', '_GET') as $v) { 
    foreach($$v as $kk => $vv) { 
      $kk{0} != '_' && $$v[$kk] = addslashes($vv); 
    } 
  } 
}

When processing mysql and GET and POST data, it is often necessary to escape the quotation marks of the data.
There are three settings in PHP that can automatically convert ' (single quotation marks), " (double quotation marks ), \ (backslash) and NULL characters are converted.
PHP calls it magic quotes. These three settings are

magic_quotes_gpc

affects HTTP request data (GET, POST and COOKIES). Cannot be changed at runtime. The default value in PHP is on.

When this is turned on, data passed through GET, POST, and COOKIE will be automatically escaped.

For example, test.php?id=abc'de"f
echo $_GET['id']; # will get abc\'de\"f
magic_quotes_gpc=On; This is turned on, right Writing to the database has no effect. For example, if the $_GET['id'] above is written to the database, it will still be abc'de"f,

On the contrary, if magic_quotes_gpc=Off; then the characters With quotes (whether single quotes or double quotes), writing directly to mysql will directly become blank
However, if you write it to the document instead of mysql. Then it will be abc\'de\"f

magic_quotes_runtime

If turned on, most functions that obtain and return data from external sources, including databases and text files, will return data. Backslash escaped. This option can be changed at runtime, and the default value in PHP is off.

magic_quotes_sybase

If turned on, single quotes will be escaped using single quotes instead of backslashes. This option completely overrides magic_quotes_gpc. If both options are turned on at the same time, single quotes will be escaped into ". Double quotes, backslashes and NULL characters will not be escaped.

My form content was originally: 242bdc569bb0d60e8bd1a2805064ef07

cc05d7d3bfc2da61fc1cc430b1aa975a

Countermeasure 1: Modify the php.ini file (modify php.ini this method I won’t go into details, you can google it)

Countermeasure 2: Cancel the escaping

Step 1: Find the data you submitted such as $_POST['content'], Change it to $content=stripslashes($_POST['content']);

Step 2: In the future, replace $POST['content'] with $content

Step 3: Submit to the database, the database storage is still normal: 36320c6a1d8864566e7b899436dc8ab0Read It came out and became

41378d9504cef989cc9694981bf95ba2(You should know how to solve this, right? How about I stop talking about it)

Step 4: Use stripslashes() to filter the content read from the database.

stripslashes() This function removes the backslashes added by the addslashes() function. Used to clean up the data retrieved from the database or HTML form

(

If you don’t want to The following situation occurs:
Single quotes are escaped as \'
Double quotes are escaped as \"
Then you can make the following settings to prevent:
Set in php.ini: magic_quotes_gpc = Off )

Summary as follows:

1. For the case of magic_quotes_gpc=on,

We can not # do the string data of the input and output databases ##In the operations of addslashes() and stripslashes(), the data will be displayed normally.

If you perform addslashes() on the input data at this time,

then you must use stripslashes() to remove excess backslashes when outputting.

2. For the case of magic_quotes_gpc=off

You must use addslashes() to process the input data, but you do not need to use stripslashes() to format the output
Because addslashes() does not write the backslashes together into the database, it just helps mysql complete the sql statement. execution.

Related recommendations:

PHP adds a backslash before the quotation mark (PHP removes the backslash)

The above is the detailed content of PHP implements code for processing input escape characters. For more information, please follow other related articles on the PHP Chinese website!