Chapter 30. Magic Quotes
Magic Quotes is a process that automagically escapes incoming data to the
PHP script. It's preferred to code with magic quotes off and to instead
escape the data at runtime, as needed.
When on, all ' (single quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
There are three magic quote directives:
magic_quotes_gpc
Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at
runtime, and defaults to on in PHP.
See also get_magic_quotes_gpc().
magic_quotes_runtime
If enabled, most functions that return data from an external source,
including databases and text files, will have quotes escaped with a
backslash. Can be set at runtime, and defaults to on
in PHP.
See also set_magic_quotes_runtime() and
get_magic_quotes_runtime().
magic_quotes_sybase
If enabled, a single quote is escaped with a single quote instead of a backslash. If on, it completely overrides magic_quotes_gpc. Having both directives enabled means only single quotes are escaped, as ''. Double quotes, backslashes and NULLs will remain untouched and unescaped.
See also ini_get() for retrieving its value.
Useful for beginners
Magic quotes are implemented in PHP to help keep code written by beginners from being dangerous. Although SQL injection is still possible with magic quotes on, the risk is reduced.
Convenience
For inserting data into a database, magic quotes essentially runs
addslashes() on all Get, Post, and Cookie data,
and does so automagically.
Portability
Assuming it to be on, or off, affects portability. Use
get_magic_quotes_gpc() to check for this, and code
accordingly.
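The two points above, that escaping alone leaves SQL injection possible and that code should check get_magic_quotes_gpc() rather than assume a setting, are shown in the following added example. It is not code from the PHP manual; it assumes a hypothetical PDO connection in $pdo and a hypothetical table users with an integer column id and a text column name.

```php
<?php
// Added example, not from the PHP manual: why the escaping that
// magic_quotes_gpc performs (the same as addslashes()) does not by itself
// prevent SQL injection, and how to read request data portably and query
// safely instead. Assumed (hypothetical): $pdo is a PDO connection and the
// table `users` has an integer column `id` and a text column `name`.

// Returns a request value with magic quotes undone, whether or not the
// directive is on for this server (the portability check described above).
function raw_input(array $source, $key)
{
    if (!isset($source[$key])) {
        return null;
    }
    $value = $source[$key];
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// Relying on magic quotes alone. The id is interpolated into a numeric
// context with no surrounding quotes, so backslash-escaping of quote
// characters is irrelevant: any input that contains no quotes reaches the
// SQL text unchanged. This is the situation the text means by "SQL
// injection is still possible with magic quotes on".
function find_user_unsafe(PDO $pdo, $id)
{
    if (!get_magic_quotes_gpc()) {
        $id = addslashes($id);  // what magic_quotes_gpc would have done
    }
    return $pdo->query("SELECT id, name FROM users WHERE id = $id");
}

// Hardened version: validate the shape of the value, then let the driver
// bind it as a parameter so it is never parsed as part of the SQL text.
function find_user_safe(PDO $pdo, $id)
{
    if (!ctype_digit((string) $id)) {
        return false;  // not a non-negative integer: refuse it
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// The same rule in a string context: no manual escaping, a placeholder.
function find_user_by_name(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', (string) $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Usage (assumes $pdo was created elsewhere, e.g. new PDO('mysql:...')):
// $user = find_user_safe($pdo, raw_input($_GET, 'id'));
// $user = find_user_by_name($pdo, raw_input($_POST, 'name'));
?>
```

raw_input() removes the dependency on the server setting, and the prepared statements make addslashes() unnecessary in either context; the only escaping that remains is done by the database driver.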
Performance
Because not every piece of escaped data is inserted into a
database, there is a performance loss for escaping all this data.
Simply calling on the escaping functions (like
addslashes()) at runtime is more efficient.
Although php.ini-dist enables these directives by default, php.ini-recommended disables them. This recommendation is mainly due to performance reasons.
Inconvenience
Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form and seeing a bunch of \' within the email. Fixing this may require excessive use of stripslashes().
The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option.
Example 30-1. Disabling magic quotes server side
An example that sets the value of these directives to
Off in php.ini. For additional details, read the
manual section titled How to
change configuration settings.
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
If access to the server configuration is unavailable, use of .htaccess is also an option. For example:
php_flag magic_quotes_gpc Off
In the interest of writing portable code (code that works in any environment), such as when setting it at the server level is not possible, here's an example to disable magic_quotes_gpc at runtime. This method is inefficient, so it's preferred to instead set the appropriate directives elsewhere.
Example 30-2. Disabling magic quotes at runtime
<?php
if (get_magic_quotes_gpc()) {
    // Recursively strip the backslashes that magic_quotes_gpc added,
    // descending into nested arrays such as $_POST['user']['name'].
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);
        return $value;
    }

    $_POST   = array_map('stripslashes_deep', $_POST);
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
?>
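Example 30-2 undoes the default backslash escaping only. The following added example (not the manual's code) extends it to the case the directive descriptions above describe, magic_quotes_sybase, where a single quote arrives as '' and stripslashes() would leave it alone, and it also covers $_REQUEST. It additionally undoes the escaping on array keys; that magic_quotes_gpc escapes keys as well as values is assumed here, the page does not state it. Magic quotes were removed in PHP 5.4, so this only matters on PHP 5.3 and earlier. The self-check at the end uses constructed sample data rather than a real request.

```php
<?php
// Added example, not from the PHP manual: a fuller runtime undo of
// magic_quotes_gpc than Example 30-2.
//  - handles magic_quotes_sybase ('' instead of \'), which stripslashes()
//    does not undo;
//  - undoes escaping on array keys as well as values (assumed PHP
//    behaviour, not stated on the page);
//  - covers $_REQUEST, which is built from the other three arrays.
// Install it once, before any input is read (e.g. via auto_prepend_file).

function magic_quotes_undo($value, $sybase)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[magic_quotes_undo($k, $sybase)] = magic_quotes_undo($v, $sybase);
        }
        return $clean;
    }
    // Sybase style: '' -> '   Default style: \x -> x
    return $sybase ? str_replace("''", "'", $value) : stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $sybase = (bool) ini_get('magic_quotes_sybase');
    $_GET     = magic_quotes_undo($_GET, $sybase);
    $_POST    = magic_quotes_undo($_POST, $sybase);
    $_COOKIE  = magic_quotes_undo($_COOKIE, $sybase);
    $_REQUEST = magic_quotes_undo($_REQUEST, $sybase);
}

// Self-check with constructed data: simulate both escaping styles on a
// nested array and confirm that the undo restores the original exactly.
$original = array("O'Reilly" => array('name' => 'O\'Reilly "x" \\'));

$default_style = array();
foreach ($original as $k => $v) {
    $default_style[addslashes($k)] = array('name' => addslashes($v['name']));
}
$sybase_style = array();
foreach ($original as $k => $v) {
    $sybase_style[str_replace("'", "''", $k)] =
        array('name' => str_replace("'", "''", $v['name']));
}

echo magic_quotes_undo($default_style, false) === $original ? "default ok\n" : "default FAILED\n";
echo magic_quotes_undo($sybase_style, true) === $original ? "sybase ok\n" : "sybase FAILED\n";
?>
```

Because the sybase mode leaves double quotes, backslashes and NULLs untouched (as the directive description above says), the sybase branch deliberately does nothing but collapse '' to '; running stripslashes() there would strip backslashes that were never added.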