The get_magic_quotes_gpc function is used to determine whether to add slashes to the data provided by the user. This is in the php.ini configuration file. Let me introduce the get_magic_quotes_gpc() function description.
get_magic_quotes_gpc function Introduction
Get the value of PHP environment variable magic_quotes_gpc, which is a PHP system function.
Syntax: long get_magic_quotes_gpc(void);
Return value: long integer
This function obtains the value of the variable magic_quotes_gpc (GPC, Get/Post/Cookie) in the PHP environment configuration. Returning 0 means turning off this function; returning 1 means turning this function on.
When magic_quotes_gpc is turned on, all ‘ (single quote), ” (double quote), (backslash) and null characters will automatically be converted to overflow characters containing backslash.
magic_quotes_gpc sets whether to automatically add a backslash to the '" in the data sent by GPC (get, post, cookie). You can use get_magic_quotes_gpc() to detect the system settings.
If this setting is not turned on, you can use the addslashes() function to add it. Its function is to add backslashes before certain characters when required in database query statements.
These characters are single quote (’), double quote (”), backslash () and NUL (NULL character).
By default, the PHP directive magic_quotes_gpc is on, which mainly automatically runs addslashes() on all GET, POST and COOKIE data.
Do not use addslashes() on strings that have been escaped by magic_quotes_gpc, as this will result in double escaping. When encountering this situation, you can use the function get_magic_quotes_gpc() to detect it.
Example
The correct way to use get_magic_quotes_gpc() to prevent database attacks
The code is as follows
代码如下 |
复制代码 |
function check_input($value)
{
// 去除斜杠
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// 如果不是数字则加引号
if (!is_numeric($value))
{
$value = “‘” . mysql_real_escape_string($value) . “‘”;
}
return $value;
}
$con = mysql_connect(“localhost”, “hello”, “321″);
if (!$con)
{
die(‘Could not connect: ‘ . mysql_error());
}
// 进行安全的 SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = “SELECT * FROM users WHERE
user=$user AND password=$pwd”;
mysql_query($sql);
mysql_close($con);
?>
|
|
Copy code
function check_input($value)
{
// Remove slashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// If it is not a number, add quotes
if (!is_numeric($value))
{
$value = “‘” . mysql_real_escape_string($value) . “‘”;
}
return $value;
} |
$con = mysql_connect(“localhost”, “hello”, “321″);
if (!$con) |
{
die(‘Could not connect: ‘ . mysql_error());
}
// Make secure SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = “SELECT * FROM users WHERE
user=$user AND password=$pwd”;
mysql_query($sql);
mysql_close($con);
?>
The summary is as follows:
We can not do anything with the string data of the input and output databases
For the operations of addslashes() and stripslashes(), the data will be displayed normally.
If you perform addslashes() on the input data at this time,
Then you must use stripslashes() to remove excess backslashes when outputting.
2. For the case of magic_quotes_gpc=off
You must use addslashes() to process the input data, but you do not need to use stripslashes() to format the output
Because addslashes() does not write the backslashes into the database, it just helps mysql complete the execution of the sql statement
http://www.bkjia.com/PHPjc/632823.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/632823.htmlTechArticleget_magic_quotes_gpc function is used to determine whether to add slashes to the data provided by the user. This is configured in php.ini In the file, let me introduce the get_magic_quotes_gpc() function...