PHP手册 - 为什么不用魔术引号

为什么不用魔术引号

Warning

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

可移植性编程时认为其打开或并闭都会影响到移植性。可以用 get_magic_quotes_gpc() 来检查是否打开，并据此编程。
性能由于并不是每一段被转义的数据都要插入数据库的，如果所有进入 PHP 的数据都被转义的话，那么会对程序的执行效率产生一定的影响。在运行时调用转义函数（如 addslashes()）更有效率。尽管 php.ini-dist 默认打开了这个选项，但是 php.ini-recommended 默认却关闭了它，主要是出于性能的考虑。
不便由于不是所有数据都需要转义，在不需要转义的地方看到转义的数据就很烦。比如说通过表单发送邮件，结果看到一大堆的 \'。针对这个问题，可以使用 stripslashes() 函数处理。

PHP手册 - N: 为什么不用魔术引号

用户评论:

Albin Mrtensson (09-Sep-2010 02:46)

This is what I use to handle magic quotes <?php if (get_magic_quotes_gpc()) { function strip_array($var) { return is_array($var)? array_map("strip_array", $var):stripslashes($var); } $_POST = strip_array($_POST); $_SESSION = strip_array($_SESSION); $_GET = strip_array($_GET); } ?>

anze (13-Oct-2008 11:23)

Another reason against it: security. You could be lulled in a feeling of false security if you have magic_quotes=On on a test server and Off on production server. And another: readability of the code. If you want to be portable you need to resort to some weird solution, outlines on these pages (if (get_magic_quotes())...). Let's hope magic_quotes soon goes to history together with safe_mode and similar "kind-of-security" (but in reality just a nuisance) inventions.

estoesunapija at hotmail dot com (15-Sep-2008 06:26)

<?php //One could use array_walk, altough i think it was fun //and simple doing it this way. class oop { //toObject : Transforms an array into an object filtering it //$source : Array to transform //$currentLevel : See $maxLevels //$maxLevels : Protect the system in case of lots of recursion // i.e. <input type="text" name="test[][]....[N]" public static function toObject($source=array(),$array=array(),$maxLevels=3,$currentLevel=0) { if ( !sizeof($source) || ($currentLevel > $maxLevels) ) return FALSE; $array = (sizeof($array)) ? $array : $source; $obj = new stdClass(); foreach ($array as $k => $v){ if (is_array($v)) { $obj->$k = self::toObject($source,$v,$maxLevels,++$currentLevel); continue; } //Assign to the object $obj, the key and the value of the actual value of $source $obj->$k=$v; } return $obj; } } /* Eexamples $post = oop::toObject($_POST) ; $get = oop::toObject($_GET) ; $session = oop::toObject($_SESSION); var_dump ($post) ; var_dump ($get) ; var_dump ($session); */ ?>

sir dot steve dot h+php at gmail dot com (07-Dec-2007 04:45)

I find it useful to define a simple utility function for magic quotes so the application functions as expected regardless of whether magic_quotes_gpc is on: function strip_magic_slashes($str) { return get_magic_quotes_gpc() ? stripslashes($str) : $str; } Which can be annoying to add the first time you reference every $_GET /$_POST/$_COOKIE variable, but it prevents you from demanding your users to change their configurations.

rjh at netcraft dot com (13-Jun-2007 10:50)

Additionally, addslashes() is not a cure-all against SQL injection attacks. You should use your database's dedicated escape function (such as mysql_escape_string) or better yet, use parameterised queries through mysqli->prepare().

(11-Feb-2006 09:47)

It is also important to disable Magic Quotes while in development enivronment. For the reasons mentioned above, not everybody is using Magic Quotes. An application that works fine with Magic Quotes enabled may have security problems (ie can be subject to SQL attacks) when distributed.