8 little-known security function analysis in PHP and little-known functions in php
This article describes eight little-known security functions in PHP. Share it with you for your reference. The specific analysis is as follows:
Security is an important aspect of programming. In any programming language, many functions or modules are provided to ensure program security. In modern website applications, users from all over the world often need to be input. However, we all know that "data input by those users will never be trusted ". Therefore, various Web development languages provide functions to ensure the security of user input data. Let's take a look at the useful security functions in the famous open-source language PHP.
In PHP, some useful open-source functions are very convenient to prevent your website from various attacks, such as SQL injection attacks and XSS (Cross Site Scripting: Cross Site Scripting) attacks. Let's take a look at common functions in PHP that can ensure project security. Note that this is not a complete list. I think there are some very good functions for your I project.
1. mysql_real_escape_string ()
This function is useful in PHP to prevent SQL injection attacks. This function adds a backslash to special characters such as single quotes, double quotation marks, and backslash to ensure that the input provided by the user is clean before the data is queried. However, you must note that you use this function before connecting to the database.
However, mysql_real_escape_string () is no longer recommended. All new applications should use libraries like PDO to perform database operations. That is to say, we can use existing statements to prevent SQL injection attacks.
2. addslashes ()
The principle of this function is similar to that of mysql_real_escape_string. However, when the value of "magic_quotes_gpc" in the php. ini file is "on", do not use this function. The default value of magic_quotes_gpc is on. addslashes () is automatically run for all GET, POST, and COOKIE data (). Do not use addslashes () for strings that have been escaped by magic_quotes_gpc, because this causes double-layer escape. You can use the get_magic_quotes_gpc () function to determine whether it is enabled.
3. htmlentities ()
This function is very useful for filtering user input data. It converts some special characters into HTML objects. For example, when a user inputs <, the function is converted to an HTML object <(<), and the input> is converted to an object>.
4. htmlspecialchars ()
In HTML, some specific characters have special meanings. to retain the original meaning of the characters, convert them to HTML objects. This function returns the converted string, for example, converting '&' (ampersand) '&'
Ps: the original article is incorrect. Thank you very much for your suggestion. Corrected and added common Conversion characters for this function:
The translations saved med are:
'&' (Ampersand) becomes '&'
'"' (Double quote) becomes '" 'when ENT_NOQUOTES is not set.
"'" (Single quote) becomes ''' (or') only when ENT_QUOTES is set.
'<' (Less than) becomes' <'
'>' (Greater than) becomes '>'
5. strip_tags ()
This function can remove all HTML, JavaScript, and PHP tags in the string. Of course, you can also set the second parameter of this function to make some specific tags appear.
6. md5 ()
From a security perspective, it is not recommended that some developers store simple passwords in databases. The md5 () function can generate a 32-character md5 hash of the given string, and this process is irreversible, that is, you cannot obtain the original string from the md5 () result.
Currently, this function is not considered safe because open-source databases can reverse check the plaintext of a hash value. Here you can find an MD5 hash database list
7. sha1 ()
This function is similar to md5 (), but it uses different algorithms to generate a 40-character SHA-1 hash (md5 generates a 32-character hash ). Do not pin absolute security on this function. Otherwise, unexpected results may occur.
8. intval ()
Don't laugh. I know this function has nothing to do with security. The intval () function converts a variable to an integer type. You can use this function to make your PHP code safer, especially when you are parsing data such as id and age.
The original English address: http://www.pixelstech.net/article/1300722997-Useful-functions-to-provide-secure-PHP-application is attached here
I hope this article will help you with PHP programming.