Why is turning magic_quotes_gpc on considered a bad practice?


Question

Why is turning on magic_quotes_gpc in PHP considered a bad practice?

Recommended answer

I don't think I can explain it any better than the makers of PHP itself (with followup comments on that page): Why not to use Magic Quotes

  • Portability: Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance: Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-development enables these directives by default, php.ini-production disables it. This recommendation is mainly due to performance reasons.
  • Inconvenience: Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().

Note - This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
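
The portability and inconvenience points above, as an added PHP example (not part of the original answer or the PHP manual): it simulates what the directive did to request data and undoes it only when needed. The helper names and the sample form data are hypothetical; on PHP 8, where `get_magic_quotes_gpc()` no longer exists, the check reports the directive as off.

```php
<?php
// Added example: simulates what magic_quotes_gpc did to request data and
// shows the "check, then code accordingly" normalization from the list above.

// What the directive did to every GET/POST/COOKIE value: addslashes().
function simulate_magic_quotes(array $input): array
{
    return array_map(
        fn($v) => is_array($v) ? simulate_magic_quotes($v) : addslashes($v),
        $input
    );
}

// Recursively undo the automatic escaping, including nested arrays.
function strip_magic_quotes(array $input): array
{
    return array_map(
        fn($v) => is_array($v) ? strip_magic_quotes($v) : stripslashes($v),
        $input
    );
}

// Portability check: test that the function exists before calling it,
// because it was removed in PHP 8.
function magic_quotes_enabled(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Hypothetical helper: return request data in raw form on any configuration.
// $forceOn lets this example exercise the "on" path on a modern PHP.
function normalize_request(array $input, bool $forceOn = false): array
{
    return ($forceOn || magic_quotes_enabled()) ? strip_magic_quotes($input) : $input;
}

// Constructed sample form submission.
$raw  = ['name' => "O'Brien", 'tags' => ["it's", 'a "test"']];
$seen = simulate_magic_quotes($raw); // what a script received with the directive on

echo "Email body with magic quotes on: Hello {$seen['name']}\n";
$clean = normalize_request($seen, true);
echo "After normalization:             Hello {$clean['name']}\n";
var_dump($clean === $raw); // raw data recovered for context-specific escaping later
```

Normalizing once at the input boundary leaves each output (database, email, HTML) free to apply its own escaping, instead of scattering `stripslashes()` calls through the code.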
