
How to insert into database and perform escape operation in php

藏色散人 (Original)
2021-10-14 09:11:23

PHP methods for inserting into the database with escaping: 1. Set the magic_quotes_gpc option; 2. Turn on the magic_quotes_runtime option; 3. Turn on the magic_quotes_sybase option, so that escaping is applied automatically.


The operating environment of this article: Windows 7, PHP 7.1, DELL G3 computer

How does PHP insert into the database and perform escape operations?

Special string handling in PHP when writing to the database (when to escape special characters)

When handling MySQL data and GET and POST data, it is often necessary to escape the quotes.

There are three settings in PHP that can automatically convert ' (single quote), " (double quote), \ (backslash) and NULL characters.

PHP calls this magic quotes. The three settings are:

magic_quotes_gpc

Affects HTTP request data (GET, POST and COOKIE). It cannot be changed at runtime. The default value in PHP is on.

When this is turned on, the data passed through GET, POST, and COOKIE will be automatically escaped.

For example, test.php?id=abc'de"f

echo $_GET['id']; # You will get abc\'de\"f

With magic_quotes_gpc=On, the escaping has no effect on what is written to the database: if the $_GET['id'] above is written to the database, it is still abc'de"f.

Conversely, with magic_quotes_gpc=Off, if the string contains quotation marks (single or double) and is written directly to MySQL, it becomes blank.

But if you write it to a file instead of MySQL, it will be abc\'de\"f

magic_quotes_runtime

If turned on, most functions that return data from external sources, including databases and text files, return that data backslash-escaped. This option can be changed at runtime, and the default value in PHP is off.

magic_quotes_sybase

If turned on, single quotes are escaped with a single quote instead of a backslash. This option completely overrides magic_quotes_gpc. If both options are turned on at the same time, single quotes are escaped as ''. Double quotes, backslashes, and NULL characters are not escaped.

My form content was originally: <img alt="" width="400" height="300" src="/Upfiles/201105/images/1306657040.jpg" />
After escaping it becomes: <img alt=\"\" width=\"400\" height=\"300\" src=\"/Upfiles/201105/images/1306657040.jpg\" />

Countermeasure 1: Modify the php.ini file (I won’t go into the method of modifying php.ini, you can google it)

Countermeasure 2: Cancel the escape

Step one: Find the data you submitted, such as $_POST['content'], and change it to $content=stripslashes($_POST['content']);

Step two: From then on, replace $_POST['content'] with $content

Step three: Submit to the database. The database storage is still normal, but what is read back is escaped (You should know how to solve this, right? I will say it again anyway)

Step four: Use stripslashes() to filter the content read from the database.

stripslashes(): this function removes the backslashes added by the addslashes() function. It is used to clean up data retrieved from the database or from an HTML form.
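The double-escaping problem and Countermeasure 2 above, as an added example that is not part of the original article: the value is stripped once on input and then passed to the database as a PDO bound parameter, so no addslashes()/stripslashes() pair is needed around the query. The posts table, the store_and_fetch() helper and the in-memory SQLite database are assumptions, and magic_quotes_gpc=On is simulated with addslashes().

```php
<?php
// Added example. The posts table and store_and_fetch() are hypothetical;
// the two sample values are the ones used in this article.
// Assumes the pdo_sqlite extension (in-memory database, runs offline).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT)');

// Insert through a bound parameter and return exactly what the database stored.
function store_and_fetch(PDO $pdo, string $content): string
{
    $insert = $pdo->prepare('INSERT INTO posts (content) VALUES (:content)');
    $insert->execute([':content' => $content]);

    $select = $pdo->prepare('SELECT content FROM posts WHERE id = :id');
    $select->execute([':id' => (int) $pdo->lastInsertId()]);
    return (string) $select->fetchColumn();
}

$samples = [
    'abc\'de"f',
    '<img alt="" width="400" height="300" src="/Upfiles/201105/images/1306657040.jpg" />',
];

foreach ($samples as $raw) {
    // What magic_quotes_gpc=On hands to the script (simulated with addslashes()).
    $escaped = addslashes($raw);

    // Escaped input bound as-is: the backslashes are stored as data.
    $storedEscaped = store_and_fetch($pdo, $escaped);

    // Countermeasure 2: stripslashes() once on input, then bind the value.
    $content = stripslashes($escaped);
    $storedClean = store_and_fetch($pdo, $content);

    printf("submitted:            %s\n", $raw);
    printf("stored, not stripped: %s\n", $storedEscaped);
    printf("stored, stripped:     %s\n", $storedClean);
    printf("round trip intact:    %s\n\n", $storedClean === $raw ? 'yes' : 'no');
}
```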

(If you do not want single quotes escaped as \' and double quotes escaped as \" in the PHP page, you can prevent it with the following setting in php.ini: magic_quotes_gpc = Off)

Summary as follows:

1. With magic_quotes_gpc=on, we do not need to apply addslashes() to string data going into the database or stripslashes() to string data coming out of it; the data will be displayed normally.

If you do apply addslashes() to the input data in this case, you must use stripslashes() on output to remove the extra backslashes.

2. With magic_quotes_gpc=off, you must use addslashes() to process the input data, but you do not need to use stripslashes() to format the output, because addslashes() does not write the backslashes into the database; it just helps MySQL complete the execution of the SQL statement.

Full text: http://blog.csdn.net/qinglianluan/article/details/26272689

PHP get_magic_quotes_gpc() function usage introduction: http://www.php100.com/html/php/hanshu/2013/0905/4689.html

It can be understood this way: this function determines whether the server's "Escape Special Characters" feature is turned on.

addslashes()

Full text: http://php.net/manual/zh/function.addslashes.php

This function escapes special characters into ordinary characters.
