1. Addslashes ()
Addslashes () escapes special characters in SQL statements, including ('), ("), (), (NUL) four characters, which are used when the DBMS does not have its own escape function, but if the DBMS has its own escape function, it is recommended to use the original function. For example, MySQL has the mysql_real_escape_string () function to escape SQL. Note that before PHP5.3, MAGIC_QUOTES_GPC is turned on by default, which is performed addslashes () operations on the $get, $POST, $COOKIE, so there is no need to repeatedly invoke addslashes () on these variables, Otherwise it will double escaping. However, MAGIC_QUOTES_GPC in PHP5.3 has been abandoned, from the beginning of PHP5.4 has been removed, if you use the latest version of PHP can not worry about this problem. Stripslashes () is the unescape () function of addslashes ().
2. Htmlspecialchars ()
Htmlspecialchars () escapes several special characters in HTML into the form HTML Entity (format:&xxxx;), including (&), ('), ("), (<), (>) five characters.
& (and) = &
"(double quotes) = " (When Ent_noquotes is not set)
' (single quote) = & #039; (When Ent_quotes set)
< (less than) = <
> (greater than) = >
Htmlspecialchars () can be used to filter $get, $POST, $COOKIE data, and prevent XSS. Note that the Htmlspecialchars () function simply escapes HTML characters that are considered to have security implications, and if you want to escape all the characters that can be escaped from HTML, use Htmlentities (). Htmlspecialchars_decode () is the Decode function for Htmlspecialchars ().
3. Htmlentities ()
Htmlentities () escapes the contents of HTML that can be escaped to HTML Entity. Html_entity_decode () is the Decode function for Htmlentities ().
4. Mysql_real_escape_string ()
Mysql_real_escape_string () will call the MySQL library function mysql_real_escape_string (), Pair (\x00), (\ n), (\ R), (), ('), (\x1a) to escape, that is, precede the backslash () to prevent SQL injection. Note that you do not need to call stripslashes () to unescape when reading the database data, because these backslashes are added when the database executes SQL, and the backslash is removed when the data is written to the database, so the content written to the database is the original data. Does not have a backslash in front of it.
5. Strip_tags ()
Strip_tags () will filter out nul,html and PHP tags.
6. Conclusion
PHP comes with a security function that does not completely avoid XSS, and it is recommended to use HTML purifier
PHP 5.4 Deprecated magic_quotes_gpc,php security escape function (Addslashes, Htmlspecialchars, Htmlentities, mysql_real_escape_string, Strip_ Tags