DAY 10
PHP Magic Quotes
Using the magic quotes directive
When the magic quotes directive is enabled, PHP automatically escapes data from HTTP GET and POST requests and from cookies. For example, if a user types "hello" (with the quotation marks) in a form, PHP automatically escapes the quotation marks and the script receives the value as \"hello\". Only the ASCII single quote, double quote, backslash and NUL byte are affected; typographic quotes such as “hello” pass through untouched.
To enable this functionality (PHP 5.3 and earlier only), use a text editor to modify the magic_quotes_gpc directive in the php.ini file as follows:
magic_quotes_gpc = on
To disable this functionality, modify the magic_quotes_gpc directive in the php.ini file as follows:
magic_quotes_gpc = off
On PHP 5.4 and later the directive no longer exists, so there is nothing to disable: PHP never escapes request data on its own, and if php.ini still sets magic_quotes_gpc = on, PHP reports at startup that the directive is no longer available instead of enabling it.
Magic Quotes
Magic quotes was a controversial feature of the PHP scripting language, wherein strings were automatically escaped (special characters prefixed with a backslash) before being handed to the script.
This feature was DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. The companion function get_magic_quotes_gpc() survived as a stub that always returns false, was deprecated in PHP 7.4.0 and was removed in PHP 8.0.0.
The feature was controversial because it escaped every incoming value the same way regardless of where the script would eventually use it (an SQL string literal, HTML output, a file name), so code that relied on it was still wrong for most of those contexts, while code written without it either broke or double-escaped its data when deployed on a server with the opposite setting.
When on, all ' (single quote), " (double quote), \ (backslash) and NUL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
There are three magic quote directives:
- magic_quotes_gpc Affects HTTP request data (GET, POST and COOKIE). Cannot be set at runtime, and defaulted to on in PHP 5.3 and earlier. See also get_magic_quotes_gpc().
- magic_quotes_runtime If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off. See also set_magic_quotes_runtime() and get_magic_quotes_runtime().
- magic_quotes_sybase If enabled, a single quote is escaped with another single quote instead of a backslash. If on, it completely overrides magic_quotes_gpc: having both directives enabled means only single quotes are escaped, as ''. Double quotes, backslashes and NUL bytes remain untouched and unescaped. See also ini_get() for retrieving its value.
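As an added example (not part of the original post), here is the usual way legacy code neutralised the gpc directive so that a script receives identical data on servers with magic_quotes_gpc on or off. The function names stripslashes_deep(), magic_quotes_active() and normalize_request() are this example's own, and the sample array is constructed to look like what PHP 5.3 with the directive on would hand a script.

```php
<?php
// Added example (not from the original post): make request data look the same
// whether or not magic_quotes_gpc was on. On PHP >= 5.4 the directive no longer
// exists and get_magic_quotes_gpc() always returns false; on PHP >= 8.0 the
// function itself is gone, hence the function_exists() guard below.

/**
 * Recursively remove the backslashes magic quotes added to a value.
 * Request arrays can be nested (e.g. name="user[address][city]"), so recurse.
 */
function stripslashes_deep($value)
{
    if (is_array($value)) {
        return array_map('stripslashes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * True only when the running interpreter really has magic quotes active.
 * The @ silences the deprecation notice PHP 7.4 emits for the call.
 */
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/**
 * Undo magic quotes on the superglobals once, at the top of the request,
 * so the rest of the application can escape for its own output context.
 */
function normalize_request(): void
{
    if (!magic_quotes_active()) {
        return;
    }
    $_GET     = stripslashes_deep($_GET);
    $_POST    = stripslashes_deep($_POST);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

normalize_request();

// Constructed sample (not a live request): this is what PHP 5.3 with
// magic_quotes_gpc = on would deliver for q=What does "yolo" mean? and a
// nested tags[] field containing Peter's.
$asSeenWithMagicQuotes = [
    'q'    => 'What does \\"yolo\\" mean?',
    'tags' => ["Peter\\'s", 'plain'],
];
var_dump(stripslashes_deep($asSeenWithMagicQuotes));
```

Running this prints the original, unescaped values for both the top-level string and the nested array element. Calling normalize_request() once at the top of a bootstrap file, rather than sprinkling stripslashes() through the code, is what keeps the rest of the application from having to care which setting the server used.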
PHP addslashes() Function
Example
Add a backslash in front of each double quote ("):
<?php
// addslashes() prefixes ' " \ and NUL with a backslash; other characters are left alone.
$str = addslashes('What does "yolo" mean?');
echo($str);
?>
Definition and Usage
The addslashes() function returns a string with backslashes in front of predefined characters.
The predefined characters are:
- single quote (')
- double quote (")
- backslash (\)
- NUL byte (\0)
Tip: addslashes() is often suggested for preparing a string for storage in a database or for use in a query. Do not rely on it for that: it knows nothing about the database's character set or quoting rules, and it does nothing at all for a value placed outside quotes (a numeric column, an identifier, a LIMIT clause). Use prepared statements with bound parameters (PDO or mysqli) so that the query text and the data never mix; if you must build a query string, use the driver's own escaping function, such as mysqli_real_escape_string(), and still quote the result. Treat addslashes() as a generic C-style escaper, nothing more.
Note: on PHP 5.3 and earlier with magic_quotes_gpc enabled, PHP already ran the equivalent of addslashes() on all GET, POST and COOKIE data. Calling addslashes() again on such a string double-escapes it: a backslash becomes \\\\ and a double quote becomes \\\". get_magic_quotes_gpc() reported whether this had happened; on PHP 5.4 through 7.4 it always returns false, and in PHP 8.0 it no longer exists, so guard any remaining call with function_exists().
Syntax
addslashes(string)
Add backslashes to the predefined characters in a string:
<?php
$str="Who's Peter Griffin?";
echo $str . " This is not safe in a database query.<br>";
// The single quote is now backslash-escaped. That only makes the value fit inside
// a backslash-escaping string literal; it does not make the query safe by itself,
// so prefer a prepared statement (see the tip above).
echo addslashes($str) . " The quote is escaped, but use a prepared statement for the query.";
?>
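The following is an added example, not code from the original post, that backs up the tip above. It uses an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed to be available; the table, its rows and the attacker input are constructed here) to show that addslashes() does nothing for an unquoted numeric value, while a prepared statement handles the same input, and the page's own "Who's Peter Griffin?" value, without any manual escaping.

```php
<?php
// Added example (not from the original post). Demonstrates why addslashes()
// is not an SQL-injection defence and what to use instead. Assumes pdo_sqlite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'Peter Griffin', 'peter-secret'),
                                    (2, 'Lois Griffin',  'lois-secret')");

// Constructed attacker input: it contains no quote, backslash or NUL, so
// addslashes() has nothing to escape and returns it unchanged.
$id = '1 OR 1=1';

// Vulnerable: the "escaped" value is interpolated into an unquoted numeric
// position. The WHERE clause becomes "id = 1 OR 1=1" and matches every row.
$vulnerable = 'SELECT name FROM users WHERE id = ' . addslashes($id);
$rows = $db->query($vulnerable)->fetchAll(PDO::FETCH_COLUMN);
echo 'vulnerable query returned ' . count($rows) . " rows\n";

// Safe: a prepared statement sends the query text and the value separately.
// The same input is compared to id as a single string value and matches nothing.
$stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo 'prepared query returned ' . count($rows) . " rows\n";

// Quoted string context: the page's own example value goes in and comes back
// unchanged with no addslashes() and no stripslashes() anywhere.
$name = "Who's Peter Griffin?";
$stmt = $db->prepare('INSERT INTO users (name, secret) VALUES (:name, :secret)');
$stmt->execute([':name' => $name, ':secret' => 'n/a']);
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
echo $stmt->fetchColumn() . "\n";
```

The first query returns both rows, the prepared one returns none, and the final lookup prints the name with its apostrophe intact. The point is not SQLite-specific: addslashes() only ever addresses the "string literal delimited by quotes" case, and even there it is the wrong escaper for any database whose rules differ from the backslash convention.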