A brief introduction to character security filter functions in PHP

Source: Internet
Author: User

This article introduces PHP's character security filter functions, which are very useful for preventing SQL injection and XSS attacks and are recommended for everyone.

In web development, we often need to accept data from users all over the world. However, we "can never trust the data entered by those users." Web development languages therefore provide functions that help make user input safe. PHP has several useful and handy functions that can help you prevent problems such as SQL injection attacks and XSS attacks.

1. mysql_real_escape_string()

This function has been a great help in preventing SQL injection attacks in PHP. It adds a backslash before special characters, such as single quotes and double quotes, so that the user's input is safe before it is used in a query. Note that this function must be used while connected to the database.
However, mysql_real_escape_string() is now basically no longer used. All new application development should use a library such as PDO to work with the database, so that prepared statements can be used to prevent SQL injection attacks.
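The difference between building a query by concatenation and using a PDO prepared statement, as an added example that is not part of the original article. The in-memory SQLite database (which needs the pdo_sqlite extension), the users table and the input string are constructed for illustration.

```php
<?php
// Added example: constructed table and input, in-memory SQLite through PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");
$pdo->exec("INSERT INTO users (name) VALUES ('bob')");

// Constructed user input that contains quote characters.
$input = "nobody' OR '1'='1";

// Weak: the input becomes part of the SQL text, so its quotes can
// change the structure of the WHERE clause.
$weak = $pdo->query("SELECT name FROM users WHERE name = '$input'")
            ->fetchAll(PDO::FETCH_COLUMN);

// Hardened: the statement is prepared first and the value is bound
// afterwards, so it is only ever compared as a string.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("concatenated query returned %d row(s)\n", count($weak));
printf("prepared statement returned %d row(s)\n", count($safe));
```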

2. addslashes()

This function is similar to mysql_real_escape_string() above and also adds a backslash before special characters. Be careful not to use it when magic_quotes_gpc is set to "on" in php.ini: with magic_quotes_gpc = On, addslashes() is run automatically on all GET, POST and COOKIE data. Do not call addslashes() on strings that magic_quotes_gpc has already escaped, because this results in double escaping. You can check the value of this setting with PHP's get_magic_quotes_gpc() function.

3. htmlentities()

This function is useful for filtering user input: it converts characters to HTML entities. For example, when the user enters the character "<", the function converts it to the HTML entity "&lt;" (viewing the page source shows "&lt;"), thus preventing XSS and SQL injection attacks. Unrecognized character sets are ignored and replaced by ISO-8859-1.

4. htmlspecialchars()

This function is similar to the one above. Some characters have a special meaning in HTML; to preserve their meaning as text, they are converted to HTML entities. The function returns the converted string.
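Encoding untrusted text at output time with htmlspecialchars() and htmlentities(), as an added example that is not part of the original article. The helper name e() and the input string are hypothetical, and the flags and charset are passed explicitly so that the result does not depend on the PHP version's defaults.

```php
<?php
// Added example: e() is a hypothetical helper, the input is constructed.
function e(string $s): string
{
    // ENT_QUOTES encodes both ' and ", which matters inside attribute values.
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning
    // an empty string for the whole input.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed user input: markup characters, both quote types, non-ASCII text.
$name = 'Zoë <b>"O\'Neil"</b> & co';

// The same value is encoded for element content and for a quoted attribute.
$html = '<p title="' . e($name) . '">Hello, ' . e($name) . '</p>';
echo $html, "\n";

// htmlentities() also converts characters that have named entities (here ë).
echo htmlentities($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// Decoding gives back the original text: encoding changes the representation,
// not the data, so it belongs at output time rather than before storage.
var_dump(htmlspecialchars_decode(e($name), ENT_QUOTES) === $name);
```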

5. strip_tags()

This function removes all HTML, JavaScript and PHP tags from a string, but you can also allow specific tags to be kept by passing them in the function's second parameter.

6. intval()

intval() is not really a filter function; its job is to convert a variable to an integer. It is useful when you need an integer parameter, and it can make your PHP code more secure, especially when parsing integer data such as IDs and ages.
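intval() always returns some integer, even for input that is not a number, so the difference between coercing and validating is worth seeing side by side. The following is an added example, not part of the original article; int_param() is a hypothetical helper, and the range 1 to 150 and the sample values are constructed.

```php
<?php
// Added example: int_param() is a hypothetical helper, inputs are constructed.
function int_param($raw, int $min, int $max): ?int
{
    // FILTER_VALIDATE_INT rejects anything that is not a clean integer
    // within the given range and returns false in that case.
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

// Constructed request values, as they would arrive in $_GET or $_POST.
$samples = ['42', '42abc', 'abc', '-7', '1e3', ' 15 ', '9999999999999999999'];

foreach ($samples as $raw) {
    $coerced = intval($raw);             // silently coerces to an integer
    $checked = int_param($raw, 1, 150);  // null unless a valid integer in range
    printf(
        "%-24s intval=%-22d validated=%s\n",
        var_export($raw, true),
        $coerced,
        var_export($checked, true)
    );
}
```

Use the validated value when a malformed parameter should be rejected, and intval() only when falling back to a coerced number is acceptable.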

The following summarizes how PHP handles special characters in submitted form data, mainly covering the combined use of htmlspecialchars, addslashes, stripslashes, strip_tags, mysql_real_escape_string and related functions.

I. Several PHP functions related to special character processing

| Function name | Explanation | Description |
|---|---|---|
| htmlspecialchars | Converts the ampersand, single and double quotes, and the greater-than and less-than signs to HTML format | & becomes &amp;amp;; " becomes &amp;quot;; ' becomes &amp;#039;; < becomes &amp;lt;; > becomes &amp;gt; |
| htmlentities() | Converts all characters to HTML format | In addition to the htmlspecialchars characters above, double-byte characters are displayed as encoded entities. |
| addslashes | Escapes single and double quotes, backslashes and NULL with a backslash | The characters changed are the single quote ('), double quote ("), backslash (\) and the NULL character. |
| stripslashes | Removes backslash characters | Removes backslashes from the string. Two consecutive backslashes are reduced to one; a single backslash is removed. |
| quotemeta | Adds quoting characters | Prefixes each of the characters . \ + * ? [ ^ ] ( $ ) in the string with a backslash (\). |
| nl2br() | Converts newline characters to &lt;br /&gt; | |
| strip_tags | Removes HTML and PHP tags | Removes any HTML and PHP tags from the string, including the content inside the tag delimiters. Note that if the HTML or PHP tags in the string contain an error, an error is also returned. |
| mysql_real_escape_string | Escapes special characters in SQL strings | Escapes \x00, \r, \n, space, \, ', " and \x1a, which is useful for multibyte character processing. mysql_real_escape_string takes the character set into account; mysql_escape_string does not. |

These are PHP's built-in string filter functions. They are simple and practical, and I hope readers can put them to good use.

Summary: That is the entire content of this article. I hope it helps you learn.
