PHP implements code for processing input escape characters_php tips

Let’s start with a function, which was recently introduced in WordPress 3.6

/**
 * Add slashes to a string or array of strings.
 *
 * This should be used when preparing data for core API that expects slashed data.
 * This should not be used to escape data going directly into an SQL query.
 *
 * @since 3.6.0
 *
 * @param string|array $value String or array of strings to slash.
 * @return string|array Slashed $value
 */
function wp_slash( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            if ( is_array( $v ) ) {
                $value[$k] = wp_slash( $v );
            } else {
                $value[$k] = addslashes( $v );
            }
        }
    } else {
        $value = addslashes( $value );
    }
 
    return $value;
}

First explain one PHP built-in function: get_magic_quotes_gpc()

The purpose of this function is to get the value of the magic_quotes_gpc option in the php.ini settings.
If the value of the magic_quotes_gpc option is On, the PHP parser will automatically add the escape character "" to the data from post, get, and cookie to ensure that these data will not cause fatal errors caused by special characters in the program, especially the database statement. mistake.

When

is turned on, characters such as single quotes ('), double quotes ("), backslashes () and NUL (NULL characters) will be backslashed, otherwise they need to be processed manually, using addslashes()
Returns 1 when magic_quotes_gpc value is On, otherwise returns 0
The addslashes() function adds a backslash before the specified predefined characters. That is, the characters listed above

But the get_magic_quotes_gpc() built-in function has been canceled in PHP5.4 and above. In order to avoid future errors, all inputs are filtered like this:

if(!function_exists(get_magic_quotes_gpc) || !get_magic_quotes_gpc() )) { 
  foreach(array('_COOKIE', '_POST', '_GET') as $v) { 
    foreach($$v as $kk => $vv) { 
      $kk{0} != '_' && $$v[$kk] = addslashes($vv); 
    } 
  } 
} 

When processing mysql and GET and POST data, it is often necessary to escape the quotation marks of the data.
There are three settings in PHP that can automatically convert ' (single quote), " (double quote), (backslash) and NULL characters.
PHP calls it magic quotes, and these three settings are

magic_quotes_gpc

Affects HTTP request data (GET, POST and COOKIE). Cannot be changed at runtime. The default value in PHP is on.

When this is turned on, data passed through GET, POST, and COOKIE will be automatically escaped.

Such as test.php?id=abc'de"f
echo $_GET['id']; # will get abc'de"f
magic_quotes_gpc=On; If this is turned on, it will have no effect on writing to the database. For example, if the $_GET['id'] above is written to the database, it will still be abc'de"f ,

On the contrary, if magic_quotes_gpc=Off; then the characters must contain quotation marks (regardless of single quotation marks or double quotation marks), and writing directly to mysql will directly become blank
But if you write it to document instead of mysql. Then it will be abc'de"f

magic_quotes_runtime

If turned on, most functions that obtain and return data from external sources, including databases and text files, will return backslash-escaped data. This option can be changed at runtime, and the default value in PHP is off.

magic_quotes_sybase

If turned on, single quotes will be escaped using single quotes instead of backslashes. This option completely overrides magic_quotes_gpc. If both options are turned on, single quotes will be escaped as "". Double quotes, backslashes and NULL characters will not be escaped.

My form content was originally:

Countermeasure 1: Modify the php.ini file (I won’t go into the method of modifying php.ini, you can google it)

Countermeasure 2: Cancel the escaping

Step one: Find the data you submitted such as $_POST['content'], and change it to $content=stripslashes($_POST['content']);

Step 2: In the future, replace $POST['content'] with $content

Step 3: Submit to the database, the database storage is still normal:

(You should know how to solve this, right? How about I try again? Please excuse me)

Step 4: Use stripslashes() to filter the content read from the database.

stripslashes() This function removes the backslashes added by the addslashes() function. Used to clean data retrieved from databases or HTML forms

（

If you do not want the following situations to occur in the PHP page:
Single quotes are escaped as '
Double quotes are escaped as "
Then you can make the following settings to prevent:
Set in php.ini: magic_quotes_gpc = Off)

The summary is as follows:

1. For the case of magic_quotes_gpc=on ,

We can not do anything with the string data of the input and output databases
For the operations of addslashes() and stripslashes(), the data will be displayed normally.

If you perform addslashes() on the input data at this time,
Then you must use stripslashes() to remove excess backslashes when outputting.

2. For the case of magic_quotes_gpc=off

You must use addslashes() to process the input data, but you do not need to use stripslashes() to format the output
Because addslashes() does not write the backslashes into the database, it just helps mysql complete the execution of the sql statement.