The difference between magic_quotes_gpc and magic_quotes_runtime, and how to use them

  • 2020-06-01 08:22:31
  • OfStack

magic_quotes_runtime is useful when your data contains characters such as ', " or \ that are to be written to a database and you do not want them filtered out: a backslash is automatically added in front of each of them. For example,
China \ big and abundant "haha"
becomes
China \\ big and abundant \"haha\"
You can turn it off using set_magic_quotes_runtime(0), or set it directly in php.ini.
get_magic_quotes_runtime() returns the current value of the PHP setting magic_quotes_runtime.

When magic_quotes_gpc is on, PHP automatically runs addslashes() on all GET, POST and COOKIE data. Do not call addslashes() on strings that have already been escaped by magic_quotes_gpc, as this causes double escaping. Use the function get_magic_quotes_gpc() to detect whether it is on.
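The double-escaping problem described above, as an added example that is not part of the original article. gpc_already_escaped() and escape_once() are hypothetical helpers and the input string is constructed; the function_exists() guard is there because get_magic_quotes_gpc() no longer exists in PHP 8.

```php
<?php
// Hypothetical helper: reports whether request data arrives pre-escaped.
function gpc_already_escaped()
{
    // On PHP 8+ the function is gone, and calling it would be a fatal error.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Hypothetical helper: escape a string or nested array exactly once.
function escape_once($value, $alreadyEscaped)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = escape_once($v, $alreadyEscaped);
        }
        return $out;
    }
    return $alreadyEscaped ? $value : addslashes($value);
}

// Constructed input containing all three characters that magic quotes touches.
$raw = 'O\'Reilly said "hi" \\ bye';

// Simulate what the script receives when magic_quotes_gpc = On.
$fromGpc = addslashes($raw);

$double = addslashes($fromGpc);         // the mistake: escaped a second time
$single = escape_once($fromGpc, true);  // left alone, it is already escaped
$manual = escape_once($raw, false);     // magic quotes off: escaped here instead

echo "raw:   $raw\n";
echo "once:  $single\n";
echo "twice: $double\n";

// A single stripslashes() restores the original only when the data was
// escaped once; double-escaped data keeps a stray layer of backslashes.
var_dump(stripslashes($single) === $raw);
var_dump(stripslashes($double) === $raw);

// Both paths end in the same escaped string, whichever side did the escaping.
var_dump($manual === $single);

// State of the interpreter running this script.
var_dump(gpc_already_escaped());
```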

Differences between the two

set_magic_quotes_runtime() lets the programmer turn magic_quotes_runtime on or off dynamically in code: set_magic_quotes_runtime(1) turns it on and set_magic_quotes_runtime(0) turns it off. With set_magic_quotes_runtime(1), the characters ', " and \ in text read from a database or through a function such as fread are automatically escaped with a backslash \ to prevent overflow. This is useful when transferring data from a database. In general, however, it should be turned off; otherwise backslashes are added before the single quotes, double quotes and backslashes in data read from the database, and the data displays incorrectly. For example, Discuz and PHPWind both add the statement set_magic_quotes_runtime(0) at the top of their common file to force magic_quotes_runtime off.


magic_quotes_gpc
Scope: data from the web client;
When it takes effect: at the start of the request, for example when the script starts running.


magic_quotes_runtime
Scope: data read from a file, the results of exec(), or the results of an SQL query;
When it takes effect: each time the script accesses data generated at run time.


The value of magic_quotes_gpc affects data obtained through GET/POST/COOKIE.
The value of magic_quotes_runtime affects data read from a file or retrieved by a database query.
magic_quotes_gpc escapes the data passed in through GET, POST and COOKIE. Generally, data should be escaped before it is stored.
magic_quotes_gpc cannot be turned on or off dynamically in code. You have to set magic_quotes_gpc to on or off in php.ini.
You can call get_magic_quotes_gpc() in your code to get the state of magic_quotes_gpc.
When magic_quotes_gpc is off, the data has to be passed through addslashes() manually. The code is as follows:

if (!get_magic_quotes_gpc()) {

    // Recursively apply addslashes() to a string or a nested array of strings
    function new_addslashes($string) {
        if (is_array($string)) {
            foreach ($string as $key => $value) {
                $string[$key] = new_addslashes($value);
            }
        } else {
            $string = addslashes($string);
        }
        return $string;
    }
}

Another example:

$data1 = $_POST['aaa'];
$data2 = implode(file('1.txt'));

if (get_magic_quotes_gpc()) {
    // Write $data1 to the database directly
} else {
    $data1 = addslashes($data1);
    // Write $data1 to the database
}

if (get_magic_quotes_runtime()) {
    // Write $data2 to the database directly
    // Data read from the database is passed through stripslashes() once before output
} else {
    $data2 = addslashes($data2);
    // Write $data2 to the database
    // Data read from the database is output directly
}


Experience summary:

1. For GPC, regardless of whether the system has magic_quotes_gpc turned on (magic_quotes_gpc = On), we behave as if it were on and escape the contents of GET, POST and COOKIE. The operation is as follows:
(from the UCHome system)

// Recursively apply addslashes() to a string or a nested array of strings
function saddslashes($string) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = saddslashes($val);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}

// GPC filter: escape GET and POST only when magic_quotes_gpc has not already done so
$magic_quote = get_magic_quotes_gpc();
if (empty($magic_quote)) {
    $_GET = saddslashes($_GET);
    $_POST = saddslashes($_POST);
}

// COOKIE: escape the values of cookies that carry the site prefix
$prelength = strlen($_SC['cookiepre']);
foreach ($_COOKIE as $key => $val) {
    if (substr($key, 0, $prelength) == $_SC['cookiepre']) {
        $_SCOOKIE[(substr($key, $prelength))] = empty($magic_quote) ? saddslashes($val) : $val;
    }
}

2. For magic_quotes_runtime, we always turn it off, that is, set_magic_quotes_runtime(0), so that backslashes are not automatically added to the single quotes, double quotes and backslashes in data read from the database. The database is then handled as follows: before adding data to the database, we manually run addslashes() on the data, and when pulling data from the database, we do the opposite, stripslashes().

3. For content that is to be serialized, keep the raw data: remove the escaping with stripslashes(), then save the serialized content to the database (note that the serialized content has no escaping applied to single quotes ('), double quotes (") and backslashes (\)), as shown below:
$feedarr['body_data'] = serialize(stripslashes($body_data));
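Why the escaping has to come off before serialize(), as an added example that is not part of the original article: serialize() records each string's byte length, so backslashes that are serialized become part of the stored value, and adding or removing slashes on the serialized text afterwards leaves the length prefix wrong. The sample string and the describe() helper are constructed for this illustration.

```php
<?php
// Constructed sample value, as the user typed it.
$raw = 'He said "hi" \\ bye';

// What the script holds after GPC escaping (magic_quotes_gpc or saddslashes()).
$body_data = addslashes($raw);

// Serializing the escaped string stores the backslashes as data:
// the s:<length> prefix counts them as part of the value.
$escapedBlob = serialize($body_data);

// The article's approach: strip the escaping first, then serialize.
$cleanBlob = serialize(stripslashes($body_data));

// Hypothetical helper: unserialize a blob and compare it with the original.
function describe($label, $blob, $raw)
{
    $value = @unserialize($blob); // false when the length prefix no longer matches
    if ($value === false) {
        return "$label: unserialize() failed for $blob";
    }
    return "$label: " . ($value === $raw ? 'matches the original' : "differs: $value");
}

echo describe('clean blob', $cleanBlob, $raw), "\n";
echo describe('escaped blob', $escapedBlob, $raw), "\n";

// stripslashes() over serialized text changes its byte count while the
// s:<length> prefix stays the same, so the blob no longer parses.
echo describe('escaped blob after stripslashes', stripslashes($escapedBlob), $raw), "\n";

// The clean blob holds a real backslash too, so a blanket stripslashes()
// on read damages it in the same way.
echo describe('clean blob after stripslashes', stripslashes($cleanBlob), $raw), "\n";
```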


Function set_magic_quotes_runtime() is deprecated?

The error "Deprecated: Function set_magic_quotes_runtime() is deprecated" occurred when installing PHPCMS. After searching online and checking the documentation, I found that the set_magic_quotes_runtime() function was removed in PHP 5.3 and PHP 6.0.
The following schemes can be used instead:

ini_set("magic_quotes_runtime", 0);

// Call set_magic_quotes_runtime() only on PHP versions older than 5.3.0
if (version_compare(PHP_VERSION, '5.3.0', '<')) {
    set_magic_quotes_runtime(0);
}
