8 little-known PHP security functions in PHP

Security is a very important aspect of programming. In any programming language, a number of functions or modules are provided to ensure the security of a program. In modern Web applications, it is often required to get input from users around the world, but we all know that "you can never trust the data entered by those users." Therefore, in a variety of web development languages, will provide a guarantee of user input data security functions. Today, let's take a look at some of the useful security functions in the famous Open-source language PHP.

In PHP, some useful functions open source is very convenient to prevent your site from all kinds of attacks, such as SQL injection attacks, XSS (Cross site scripting: Cross-site scripting) attacks. Take a look at the common PHP functions that ensure project security. Note that this is not a complete list and is something I think is very important for your I project.

1. Mysql_real_escape_string ()

This function is useful in PHP to prevent SQL injection attacks. This function adds a backslash to some special characters, such as single quotes, double quotes, backslashes, to ensure that the user-supplied input is clean before the data is queried. Note, however, that you are using this function on the premise of connecting to the database.

But now that mysql_real_escape_string () is deprecated, all new applications should perform database operations using functions like PDO, which means that we can use ready-made statements to prevent SQL injection attacks.

2. Addslashes ()

The principle of this function is similar to mysql_real_escape_string (). However, do not use this function when the value of "MAGIC_QUOTES_GPC" is "on" in the php.ini file. The default value for MAGIC_QUOTES_GPC is on, which automatically runs Addslashes () for all get, POST, and COOKIE data. Do not use Addslashes () on strings that have been escaped by MAGIC_QUOTES_GPC, because this can result in a double escape. You can use the GET_MAGIC_QUOTES_GPC () function to determine whether it is open.

3. Htmlentities ()

This function is useful for filtering data entered by the user. It converts some special characters to HTML entities. For example, when a user enters <, the function is converted to HTML entity < (&LT), and input > is converted to entity &gt.

4. Htmlspecialchars ()

In HTML, certain characters have special meanings and should be converted to HTML entities if they are to retain the original meaning of the characters. This function returns the converted string, for example ' & ' (ampersand) to ' &amp ' (PS: Please refer to the Entity table in the 3rd link)

PS: Here is the original error (see comments), thank you very much Jin Yu proposed. Now corrected, and enclose the conversion characters common to this function:

The translations performed are:

' & ' (ampersand) becomes ' &amp; '
' "' (double quote) becomes ' &quot; ' when Ent_noquotes was not set.
"'" (single quote) becomes ' & #039; (or &apos;) only if Ent_quotes is set.
' < ' (less than) becomes ' &lt; '
' > ' (greater than) becomes ' &gt; '
5. Strip_tags ()

This function can remove all the Html,javascript and PHP tags in the string, and of course you can make certain labels appear by setting the second argument of the function.

6. MD5 ()

From a security standpoint, the behavior of some developers to store simple passwords in a database is not worth recommending. The MD5 () function can produce a 32-character MD5 hash of a given string, and the process is irreversible, that is, you cannot get the original string from the result of the MD5 ().

Now this function is not considered safe, since open source databases can reverse-check the plaintext of a hash value. You can find a list of MD5 hash databases here

7. SHA1 ()

This function is similar to MD5 (), but it uses a different algorithm to produce a 40-character SHA-1 hash (MD5 produces a 32-character hash). Also do not put the absolute security on this function, otherwise there will be unexpected results.

8. Intval ()

Don't laugh first, I know this function has nothing to do with security. The Intval () function converts a variable to an integer type, and you can use this function to make your PHP code more secure, especially if you are parsing data such as ID, age.