Additionally, addslashes() is not a cure-all against SQL injection attacks. You should use your database's dedicated escape function (such as mysql_escape_string) or better yet, use parameterised queries through mysqli->prepare().
PHP - Manual: 为什么不用魔术引号
2024-04-20
为什么不用魔术引号
Warning
本特性已自 PHP 5.3.0 起废弃并将自 PHP 5.4.0 起移除。
- 可移植性 编程时认为其打开或并闭都会影响到移植性。可以用 get_magic_quotes_gpc() 来检查是否打开,并据此编程。
- 性能 由于并不是每一段被转义的数据都要插入数据库的,如果所有进入 PHP 的数据都被转义的话,那么会对程序的执行效率产生一定的影响。在运行时调用转义函数(如 addslashes())更有效率。 尽管 php.ini-dist 默认打开了这个选项,但是 php.ini-recommended 默认却关闭了它,主要是出于性能的考虑。
- 不便 由于不是所有数据都需要转义,在不需要转义的地方看到转义的数据就很烦。比如说通过表单发送邮件,结果看到一大堆的 \'。针对这个问题,可以使用 stripslashes() 函数处理。
add a note
User Contributed Notes 5 notes
rjh at netcraft dot com ¶
11 years ago
anze ¶
10 years ago
Another reason against it: security. You could be lulled in a feeling of false security if you have magic_quotes=On on a test server and Off on production server.
And another: readability of the code. If you want to be portable you need to resort to some weird solution, outlines on these pages (if (get_magic_quotes())...).
Let's hope magic_quotes soon goes to history together with safe_mode and similar "kind-of-security" (but in reality just a nuisance) inventions.
Albin Mrtensson ¶
8 years ago
This is what I use to handle magic quotes
<?php
if (get_magic_quotes_gpc()) {
function strip_array($var) {
return is_array($var)? array_map("strip_array", $var):stripslashes($var);
}
$_POST = strip_array($_POST);
$_SESSION = strip_array($_SESSION);
$_GET = strip_array($_GET);
}
?>
Anonymous ¶
13 years ago
It is also important to disable Magic Quotes while in development enivronment. For the reasons mentioned above, not everybody is using Magic Quotes.
An application that works fine with Magic Quotes enabled may have security problems (ie can be subject to SQL attacks) when distributed.
sir dot steve dot h+php at gmail dot com ¶
11 years ago
I find it useful to define a simple utility function for magic quotes so the application functions as expected regardless of whether magic_quotes_gpc is on:
function strip_magic_slashes($str)
{
return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}
Which can be annoying to add the first time you reference every $_GET /$_POST/$_COOKIE variable, but it prevents you from demanding your users to change their configurations.
官方地址:https://www.php.net/manual/en/security.magicquotes.whynot.php
IT
PHP
编程语言
Linux
科技
开发编程
Elasticsearch
HTML/CSS/XML
网络
JAVA
NoSQL
C/C++
面试
Golang
数据库
Git
算法
正则表达式
操作系统
Redis
互联网
MySql
JavaScript
运维
软件
架构设计
Mac OS
TCP/IP
国际
Excel
Vim
Windows
Socket
Oracle
VR
MongoDB
运营
Python
MemCache
商业
硬件
电子
设计
nginx
娱乐
摄影
游戏
WordPress
HTTP
团建
数码电器
广告
广告
php7 安装fileinfo扩展
preg_split — 通过一个正则表达式分隔字符串
[PHP] inet_pton/inet_ntop IP地址转换函数
php位值,解决 PHP 中 usort 在值相同时改变原始位置的问题
PHPMailer设置utf8 PHPMailer字符集CharSet
如何在Composer中为GitLab实例设置访问令牌
array_multisort() 多字段排序
laravel框架查看sql语句方式
[原创]诡异的php-fpm超时问题
PHP获取指定函数定义在哪个文件中及行号
php设置cookie为httponly防止xss攻击
利用php soap实现web service
PHP5 扩展SOAP 调用 webservice
PHP-FPM进程数的设定
利用PHP SOAP实现WEB SERVICE
纯php实现DES以及TripleDES加密算法
PHPstorm 里面Terminal 不能使用 esc键吗退出编辑模式吗
PHP7添加redis扩展
PHP注释规范
Composer的Packagist资源