PHP character escape Function Summary (Escape strings in PHP)

Source: Internet
Author: User

If anything in this article is incorrect or ambiguous, please point it out ~~~

Configurations and functions related to PHP string escaping are as follows:
1. magic_quotes_runtime
2. magic_quotes_gpc
3. addslashes() and stripslashes()
4. mysql_escape_string()
5. addcslashes() and stripcslashes()
6. htmlentities() and html_entity_decode()
7. htmlspecialchars() and htmlspecialchars_decode()

When magic_quotes_runtime is enabled, most PHP functions that bring in data from an external source (such as a database or a file) automatically prefix special characters with a backslash.
You can use set_magic_quotes_runtime() and get_magic_quotes_runtime() to set and check its status.
Note: PHP 5.3.0 and later versions have removed these two functions; that is, this option is disabled in PHP 5.3.0 and later.

magic_quotes_gpc determines whether certain characters are automatically escaped in data sent via GPC (get, post, cookie,
You can use get_magic_quotes_gpc() to check its setting.
If this setting is not enabled, you can use the addslashes() function to escape the string yourself.

addslashes() adds a backslash before each of a set of predefined characters.
The predefined characters are the single quote ('), the double quote ("), the backslash (\) and NUL (the null byte).
The above is the explanation given by w3school.com.cn.
The behaviour also depends on magic_quotes_sybase: when magic_quotes_sybase = on, single quotes (') are converted to double quotes ("); when magic_quotes_sybase = off, single quotes (') are converted to \'.
The stripslashes() function is the inverse of addslashes(): it removes the escaping.

Use mysql_escape_string() to escape special characters in a string before using it in an SQL statement.
The special characters here are \x00, \n, \r, \, ', " and \x1a.
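As an added example (not code from the original article), the following compares the bytes addslashes() escapes with the seven special characters listed above for mysql_escape_string(); the strtr() table is only an illustration of that character set (writing \x1a as \Z is MySQL's convention, stated here as an assumption), not a substitute for a real driver escaping function.

```php
<?php
// Added example, not from the original article. The table reproduces the
// seven characters the article lists for mysql_escape_string(); spelling
// "\x1a" as \Z follows MySQL's convention (assumption, see lead-in).

function sql_special_chars_table(): array
{
    return [
        "\0"   => '\0',    // NUL -> backslash, 0
        "\n"   => '\n',    // LF  -> backslash, n
        "\r"   => '\r',    // CR  -> backslash, r
        "\\"   => '\\\\',  // \   -> \\
        "'"    => "\\'",   // '   -> \'
        '"'    => '\"',    // "   -> \"
        "\x1a" => '\Z',    // SUB -> backslash, Z
    ];
}

// Escapes exactly the character set the article lists, via strtr().
function escape_sql_special_chars(string $s): string
{
    return strtr($s, sql_special_chars_table());
}

// Which of those characters does addslashes() leave untouched?
function missed_by_addslashes(): array
{
    $missed = [];
    foreach (array_keys(sql_special_chars_table()) as $ch) {
        if (addslashes($ch) === $ch) {
            $missed[] = sprintf('0x%02x', ord($ch));
        }
    }
    return $missed;
}

$input = "O'Neil\r\n\x1a";   // constructed sample input

// addslashes() only escapes the quote; CR, LF and SUB pass through.
assert(addslashes($input) === "O\\'Neil\r\n\x1a");
assert(missed_by_addslashes() === ['0x0a', '0x0d', '0x1a']);

// The SQL-oriented table escapes all of them.
assert(escape_sql_special_chars($input) === "O\\'Neil\\r\\n\\Z");

echo bin2hex(addslashes($input)), "\n";       // 4f5c274e65696c0d0a1a
echo escape_sql_special_chars($input), "\n";  // O\'Neil\r\n\Z
```

The table only demonstrates coverage; for real queries use the database driver's own escaping function or parameterised queries.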

addcslashes() escapes characters in a string with backslashes in C style. This function is rarely used, but note that when the characters 0, a, b, f, n, r, t and v are selected for escaping, they are converted to \0, \a, \b, \f, \n, \r, \t and \v. In PHP only \0 (null), \r (carriage return), \n (line feed) and \t (tab) are predefined escape sequences, whereas in C all of the sequences above are predefined. Similarly, stripcslashes() removes the escaping.

htmlentities() converts characters to HTML entities. (What is an HTML entity? Google it yourself ~~)
For the specific parameters, see here. Its inverse, html_entity_decode(), converts HTML entities back into characters.

The htmlspecialchars() function converts certain predefined characters into HTML entities.
The predefined characters are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039;
< (less than) becomes &lt;
> (greater than) becomes &gt;
For the detailed parameters, see here. Its inverse function, htmlspecialchars_decode(), converts these predefined HTML entities back into characters.
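As an added example (not code from the original article), the following escapes a constructed user input with htmlspecialchars() at the point of output and shows that the single quote in the list above is only converted when ENT_QUOTES is passed; the function and variable names are my own.

```php
<?php
// Added example, not from the original article: HTML-escaping user input
// at output time, comparing ENT_COMPAT with ENT_QUOTES.

function escape_html(string $value, int $flags = ENT_QUOTES | ENT_HTML401): string
{
    // ENT_QUOTES escapes both " and '; ENT_COMPAT leaves ' untouched.
    // Passing 'UTF-8' makes invalid byte sequences fail closed (empty
    // string) instead of being passed through.
    return htmlspecialchars($value, $flags, 'UTF-8');
}

function render_value_attribute(string $user_input, int $flags): string
{
    // A single-quoted attribute: only ENT_QUOTES protects this context.
    return "<input type='text' value='" . escape_html($user_input, $flags) . "'>";
}

$input = "O'Reilly <b>\"bold\"</b> & co";   // constructed sample input

$compat = escape_html($input, ENT_COMPAT | ENT_HTML401);
$quotes = escape_html($input, ENT_QUOTES | ENT_HTML401);

// ENT_COMPAT: &, ", < and > are converted, but the apostrophe survives.
assert($compat === "O'Reilly &lt;b&gt;&quot;bold&quot;&lt;/b&gt; &amp; co");
// ENT_QUOTES: every predefined character in the list is converted.
assert($quotes === "O&#039;Reilly &lt;b&gt;&quot;bold&quot;&lt;/b&gt; &amp; co");

// Round trip: decoding with the same flags restores the original text.
assert(htmlspecialchars_decode($quotes, ENT_QUOTES | ENT_HTML401) === $input);

// The first line leaves the attribute value unterminated; the second does not.
echo render_value_attribute($input, ENT_COMPAT | ENT_HTML401), "\n";
echo render_value_attribute($input, ENT_QUOTES | ENT_HTML401), "\n";
```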

Some of my own experiences:
> Multiple single quotes may cause database security problems.
> We do not recommend using mysql_escape_string for escaping. We recommend using the escape function at the point where user input is obtained.
> Because set_magic_quotes_runtime() has been deprecated in PHP 5.3.0 and later versions, we recommend explicitly disabling this setting in earlier versions:

The code is as follows:

if (version_compare(PHP_VERSION, '5.3.0', '<')) {
    // Only older PHP still provides this function; turn runtime magic quotes off.
    set_magic_quotes_runtime(0);
}

> magic_quotes_gpc cannot be set from a function. We therefore recommend enabling it, and also writing the program so that it avoids the security problems caused by GPC escaping not being enabled.
When using addslashes to escape GPC data, note that when the user submits array data you must filter both the keys and the values:

The code is as follows:

if (!get_magic_quotes_gpc()) {
    $_GET    = daddslashes($_GET);
    $_POST   = daddslashes($_POST);
    $_COOKIE = daddslashes($_COOKIE);
    $_FILES  = daddslashes($_FILES);
}

// Recursively applies addslashes() to both the keys and the values of GPC data.
// $force is accepted for compatibility with callers but is not used here.
function daddslashes($string, $force = 1) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            unset($string[$key]);
            $string[addslashes($key)] = daddslashes($val, $force);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}

> Convert user input to HTML entities, on input or on output, to prevent XSS vulnerabilities!

Today I ran into a special-character handling problem, and noticed this about PHP again:

* In a PHP string delimited by single quotes, only two escape sequences are supported: \' and \\.
* In a PHP string delimited by double quotes, the following escape sequences are supported:
\n line feed (LF, ASCII character 0x0a (10))
\r carriage return (CR, ASCII character 0x0d (13))
\t horizontal tab (HT, ASCII character 0x09 (9))
\\ backslash
\$ dollar sign
\" double quote
\[0-7]{1,3} a sequence matching this regular expression is a character given in octal
\x[0-9A-Fa-f]{1,2} a sequence matching this regular expression is a character given in hexadecimal
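As an added example (not code from the original article), the helper below dumps the bytes of a string and uses it to compare how single-quoted and double-quoted literals interpret the same escape sequences, including the "\8" edge case from the octal example further down; byte_dump() is my own name.

```php
<?php
// Added example, not from the original article: a byte-dump helper used
// to compare single-quoted and double-quoted escape handling.

function byte_dump(string $s): array
{
    // ord() of each byte, the same loop the article's examples use.
    $bytes = [];
    for ($i = 0; $i < strlen($s); $i++) {
        $bytes[] = ord($s[$i]);
    }
    return $bytes;
}

// Single-quoted: only \' and \\ are escapes; everything else is literal.
assert(byte_dump('\'')   === [39]);              // \' -> '
assert(byte_dump('\\')   === [92]);              // \\ -> \
assert(byte_dump('\n')   === [92, 110]);         // stays backslash + n
assert(byte_dump('\x41') === [92, 120, 52, 49]); // stays 4 literal bytes

// Double-quoted: \n, \r, \t, \\, \$, \", octal and hex are interpreted.
assert(byte_dump("\n")   === [10]);
assert(byte_dump("\$x")  === [36, 120]);         // \$ keeps the dollar literal
assert(byte_dump("\x41") === [65]);              // hex escape -> 'A'
assert(byte_dump("\101") === [65]);              // octal escape -> 'A'
assert(byte_dump("\08")  === [0, 56]);           // \0 then a literal '8'
assert(byte_dump("\8")   === [92, 56]);          // not an escape: kept as-is
assert(byte_dump("\q")   === [92, 113]);         // unknown escape: kept as-is

// Security-relevant: "\0" produces a real NUL byte that strlen() counts,
// while C-level APIs that take C strings stop reading at it.
assert(strlen("ffff\0ffff") === 9);
assert(strpos("ffff\0ffff", "\0") === 4);

print_r(byte_dump("\0\01\02\3\7\10\011\08\8"));  // 0 1 2 3 7 8 9 0 56 92 56
```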

For example:

An example with special characters \ 0:

$str = "ffff\0ffff";
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo("\t" . ord($str[$i]));
echo("\n");

Output result:
----------------------

9
102 102 102 102 0 102 102 102

Example of replacing the special character:

$str = "ffff\0ffff";
$str = str_replace("\x0", "", $str);
// Or use $str = str_replace("\0", "", $str);
// Or use $str = str_replace(chr(0), "", $str);
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo("\t" . ord($str[$i]));
echo("\n");
Output result:
----------------------
8
102 102 102 102 102 102 102

Octal ASCII code example:

// Note: a sequence matching the regular expression \[0-7]{1,3} is an octal ASCII code.
$str = "\0\01\02\3\7\10\011\08\8"; // "\8" here does not match the pattern, so it is kept as "\8" (ASCII 92 and 56)
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo("\t" . ord($str[$i]));
echo("\n");
Output result:
----------------------
11
0 1 2 3 7 8 9 0 56 92 56

Hexadecimal ASCII code example:

$str = "\x0\x1\x2\x3\x7\x8\x9\x10\x11\xFF";
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo("\t" . ord($str[$i]));
echo("\n");
Output result:
----------------------
10
0 1 2 3 7 8 9 16 17 255
