Last updated: Mon, 26 Nov 2007

Why not to use Magic Quotes

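  • Portability: Code that assumes magic quotes is either on or off is less portable. Use get_magic_quotes_gpc() to check whether it is on, and code accordingly.
  • Performance: Not every piece of escaped data is inserted into a database, so escaping all data that enters PHP has some cost in execution efficiency. Calling an escaping function (such as addslashes()) at runtime is more efficient. Although php.ini-dist enables this option by default, php.ini-recommended disables it, mainly for performance reasons.
  • Inconvenience: Because not all data needs escaping, it is annoying to see escaped data where no escaping is needed. For example, sending an e-mail from a form and finding it full of \'. The stripslashes() function can be used to deal with this.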
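
The portability and inconvenience items above, as an added example that is not part of the manual page: request data is normalised once, nested arrays included, so the application behaves the same with the setting on or off. The helper names undo_magic_quotes() and normalise_request() are hypothetical, and the sample form data is constructed.

```php
<?php
// Added example; undo_magic_quotes() is a hypothetical helper name.

// Recursively remove the backslashes magic_quotes_gpc adds to values.
// Request data can be nested (name="items[0][title]"), so calling
// stripslashes() on the top-level entries alone is not enough.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = undo_magic_quotes($item);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Normalise once at the start of the request so the rest of the
// application sees raw input whether the setting is on or off.
// The function_exists() check covers PHP versions without the function.
function normalise_request()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = undo_magic_quotes($_GET);
        $_POST   = undo_magic_quotes($_POST);
        $_COOKIE = undo_magic_quotes($_COOKIE);
    }
}

normalise_request();

// Constructed sample: form data as it would arrive with the setting on.
$quoted = array(
    'subject' => 'Tom\\\'s order',
    'items'   => array(array('title' => 'A \\"quoted\\" title', 'qty' => '2')),
);
$raw = undo_magic_quotes($quoted);

// Raw text is what an e-mail body needs: no stray \' in the message.
echo $raw['subject'], "\n", $raw['items'][0]['title'], "\n";

// Escaping is applied at the point of use, as the performance item
// describes; addslashes() is the function the page names.
echo addslashes($raw['subject']), "\n";
```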


User Contributed Notes
sir dot steve dot h+php at gmail dot com
07-Dec-2007 12:45
I find it useful to define a simple utility function for magic quotes so the application functions as expected regardless of whether magic_quotes_gpc is on:

<?php
// Undo magic quotes only when magic_quotes_gpc is enabled.
function strip_magic_slashes($str)
{
    return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}
?>

Which can be annoying to add the first time you reference every $_GET/$_POST/$_COOKIE variable, but it prevents you from demanding that your users change their configurations.
Mariusz dot Buk at acx dot com dot pl
09-Nov-2007 06:40
stripslashes() doesn't work if we use e.g. xAjax. Data is sent URL-encoded.
Roland Illig
12-Oct-2007 03:35
The best way to use magic_quotes in PHP is this:

<?php

if (get_magic_quotes_gpc()) {
    die("magic_quotes must be turned off.");
}
?>
rjh at netcraft dot com
13-Jun-2007 05:50
Additionally, addslashes() is not a cure-all against SQL injection attacks. You should use your database's dedicated escape function (such as mysql_escape_string) or better yet, use parameterised queries through mysqli->prepare().
gerard at modusoperandi dot com dot au
14-May-2007 12:53
Apparently it will be removed in PHP 6:

http://www.php.net/~derick/meeting-notes.html#magic-quotes
12-Feb-2006 05:47
It is also important to disable Magic Quotes while in a development environment. For the reasons mentioned above, not everybody is using Magic Quotes.

An application that works fine with Magic Quotes enabled may have security problems (i.e. can be subject to SQL attacks) when distributed.
