PHP filtering and processing of special characters in form submissions (PHP tutorial)

Source: Internet
Author: User
The day before yesterday I batch-edited the content of a number of blog posts. Because of a bug in the source program, many backslashes in paths and code were wrongly removed. Yesterday a message from the netizen bankw3000 brought the problem to my attention, and I have made some corrections, but some paths may still be wrong; if you find a path on this blog with a missing backslash (\), please leave a message and the author (Tianyuan) will fix it. This article summarises how PHP handles special characters submitted through forms, mainly the functions htmlspecialchars, addslashes, stripslashes, strip_tags and mysql_real_escape_string and how they are used together, to share with everyone.
One, several PHP functions related to special-character processing

Function: htmlspecialchars
Meaning: converts the ampersand, single and double quotes, and the greater-than and less-than signs into HTML entities
Description:
  & becomes &amp;
  " becomes &quot;
  ' becomes &#039; (only with the ENT_QUOTES flag, which became the default in PHP 8.1)
  < becomes &lt;
  > becomes &gt;

Function: htmlentities()
Meaning: converts every character that has an HTML entity equivalent
Description: in addition to the characters handled by htmlspecialchars, double-byte characters are output as entity encodings (which is why Chinese text comes out garbled when the character set is not given correctly).

Function: addslashes
Meaning: prefixes single quotes, double quotes, backslashes and NUL with a backslash
Description: the characters escaped are the single quote ('), the double quote ("), the backslash (\) and the NUL byte.

Function: stripslashes
Meaning: removes backslash escapes
Description: removes backslashes from the string. Two consecutive backslashes are reduced to one; a lone backslash is removed outright.

Function: quotemeta
Meaning: adds quoting (escape) symbols
Description: prefixes each occurrence of the characters . \ + * ? [ ^ ] $ ( ) in the string with a backslash (\).

Function: nl2br()
Meaning: inserts <br /> before every newline in the string

Function: strip_tags
Meaning: removes HTML and PHP tags
Description: removes all HTML and PHP tags from the string, including the content inside PHP tag blocks. Note that if the HTML or PHP tags in the string are malformed, the result will also be wrong.

Function: mysql_real_escape_string
Meaning: escapes the special characters in a string for use in an SQL statement
Description: escapes \x00, \r, \n, \, ', " and \x1a, and is aware of multibyte character sets. mysql_real_escape_string takes the connection's character set into account; mysql_escape_string does not.
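The functions in the table above applied to one constructed input, as an added example that is not part of the original article. It shows the flag and character-set arguments that the table glosses over: htmlspecialchars() only converts single quotes when ENT_QUOTES is passed (the default since PHP 8.1), and htmlentities() leaves Chinese characters alone when told the data is UTF-8, so the "garbled Chinese" the article reports comes from a charset mismatch rather than from the function itself. The sample string is constructed for this example.

```php
<?php
// Added example (not from the original article). Apply each function from the table to the same
// constructed input and return the results, so their behaviour can be compared side by side.

declare(strict_types=1);

/**
 * Return the output of every function in the table for $raw.
 *
 * @return array<string, string>
 */
function specialCharDemo(string $raw): array
{
    return [
        // Without ENT_QUOTES (PHP < 8.1 default) single quotes are left untouched, so the
        // result is NOT safe inside a single-quoted HTML attribute.
        'htmlspecialchars_default' => htmlspecialchars($raw),
        // ENT_QUOTES converts both quote kinds; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
        // returning an empty string, which would otherwise silently drop the whole value.
        'htmlspecialchars_quotes'  => htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        // htmlentities additionally converts characters that have a named entity; CJK characters
        // have none, so with the correct charset they pass through unchanged.
        'htmlentities'             => htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        'addslashes'               => addslashes($raw),
        // stripslashes undoes addslashes: "\\" becomes "\" and a lone backslash disappears,
        // which is exactly how path separators get lost when it is applied to unescaped data.
        'stripslashes_roundtrip'   => stripslashes(addslashes($raw)),
        'stripslashes_on_raw'      => stripslashes($raw),
        'quotemeta'                => quotemeta($raw),
        'nl2br'                    => nl2br($raw),
        // strip_tags removes the tags only; text between <b> and </b> survives as plain text.
        'strip_tags'               => strip_tags($raw),
    ];
}

// Constructed sample: a Windows path, both quote kinds, a tag, an ampersand, Chinese text
// and a newline. In a single-quoted PHP string only \' and \\ are escapes, so \t stays literal.
$raw = 'D:\test\dir \'a\' "b" <b>bold</b> & 天缘' . "\n" . 'line2';

foreach (specialCharDemo($raw) as $name => $value) {
    printf("%-26s %s\n", $name, str_replace("\n", '\n', $value));
}
```

Run it once under PHP 7.4 and once under 8.1 or later to see the htmlspecialchars_default row change; every other row is version-independent.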

For other string-processing functions, see: Comparison of common PHP string regular-replacement and split functions.
The following summarises the handling of special characters in a typical form:
Test string (lines 4 to 7 of the original contained HTML, link and JS tags that were lost when this page was extracted, so only the recoverable lines are shown; the opening tag on the last line is reconstructed as <?php echo):
$dbstr = 'D:\test
http://www.metsky.com, Tian Yuan Blog
\'!=\' 1\' OR \'1\'
<?php echo "PHP OUTPUT";?>';
Test code (the <br /> tags before each \r\n were lost in extraction and have been restored):
header("content-type:text/html; charset=utf-8");
echo "------------------------------------------------------<br />\r\n";
echo $dbstr . "<br />\r\n------------------------------------------------------<br />\r\n";
$str = fnaddslashes($_POST['dd']);
echo $str . "<br />\r\n------------------------------------------------------<br />\r\n";
// multiple consecutive spaces keep only one (the original replacement "\\1" named a capture
// group that does not exist in the pattern, so it was already an empty string)
$str = preg_replace('/\s(?=\s)/', '', $str);
$str = str_replace("\r", "<br />", $str);
$str = str_replace("\n", "<br />", $str);
$str = preg_replace('/(<br \/>)+/i', "<br />", $str); // multiple consecutive <br /> tags keep only one
$str = stripslashes($str);
echo strip_tags($str) . "<br />\r\n------------------------------------------------------<br />\r\n";
echo htmlspecialchars($str) . "<br />\r\n------------------------------------------------------<br />\r\n";
echo htmlentities($str) . "<br />\r\n------------------------------------------------------<br />\r\n";
// mysql_escape_string belongs to the mysql extension, which was removed in PHP 7
echo mysql_escape_string($str) . "<br />\r\n------------------------------------------------------<br />\r\n";
The string contains: a backslash path, single and double quotes, HTML tags, links, unclosed HTML tags, a database-syntax check, a JS execution check, a PHP execution check, and several consecutive carriage returns, line feeds and spaces. Some of these categories overlap; the same applies below.
The output of the source code is as follows (the JS script will be executed):

Second, processing of form submission data
1. Forcibly adding backslashes
Because some hosts enable magic quotes (get_magic_quotes_gpc) by default and others have it turned off, it is best to force the backslashes on in the program so that single quotes, double quotes and backslashes can be handled uniformly.
function fnaddslashes($data)
{
    // magic quotes already escape POST/GET/COOKIE data, so only escape when they are off
    // (get_magic_quotes_gpc() always returns false from PHP 5.4 and was removed in PHP 8.0)
    if (!get_magic_quotes_gpc())
        return is_array($data) ? array_map('addslashes', $data) : addslashes($data); // not recursive: nested arrays would need array_map('fnaddslashes', $data)
    else
        return $data;
}
Using the function fnaddslashes($data) gives the following result (the JS script is no longer executed, but the HTML, JS and PHP tags still need fault-tolerant processing):

The result after stripslashes, newline replacement and space replacement is as follows:

2. Handling of special characters
Here are a few common string operations, to be applied as the situation requires. Since the submitted form data has already been escaped once, you must keep the effect of addslashes on the affected characters in mind whenever you replace or filter the content, and allow for the added backslashes when searching or replacing. Other replacements, such as the \r\n replacement, are not affected.
A. Multiple consecutive spaces keep only one
$data = preg_replace('/\s(?=\s)/', '', $data); // multiple consecutive spaces keep only one (the original replacement "\\1" named a non-existent capture group and was therefore already empty)
B. Carriage return and line feed replacement

$data = str_replace("\r", "<br />", $data);
$data = str_replace("\n", "<br />", $data);
In HTML the default is <br> (no closing); in XHTML it is the self-closing <br />. <br /> is recommended. For more on the differences see: http://stackoverflow.com/questions/1946426/html-5-is-it-br-br-or-br
C. Multiple consecutive <br /> tags keep only one
$data = preg_replace('/(<br \/>)+/i', "<br />", $data); // multiple consecutive <br /> tags keep only one

D. Filter all HTML tags
This approach filters every potentially dangerous tag, including HTML, links, unclosed HTML tags, JS and PHP.
Use the function strip_tags($data)
The function filters all HTML tags (including links), PHP tags, JS code and so on. For a link only the markup and the href part are removed and the link text is kept; PHP tags and JS tags are removed as a whole, including the content between them, for example:

E. Do not filter the tags, just render them as HTML text
This method treats the original submission as plain text.
Using the function htmlspecialchars($data), all of the submitted data is rendered as plain text, for example:

The result of using the htmlentities function instead (Chinese comes out garbled):

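Steps A to E above, and the instant display in part four, as one pipeline. This is an added example and not the article's own code; it is written for PHP 7 and 8, where magic quotes no longer exist, so the input is taken raw and nothing is addslashes()-escaped before the text substitutions. Two points differ from the test code above on purpose: escaping happens before the <br /> tags are inserted (in the article's test code the tags are inserted first, so htmlspecialchars() escapes them too and they show up literally), and the strip_tags() mode still escapes what is left, because strip_tags() only removes the tags themselves; the text between <script> and </script> survives as plain text, and a stray < in the remaining text would otherwise be emitted as-is. The sample input is constructed for this example.

```php
<?php
// Added example (not from the original article): the whitespace/newline normalisation and the two
// output modes (strip the tags, or show them as text) as functions that return their result.

declare(strict_types=1);

/**
 * Steps A to C: collapse runs of spaces/tabs to one space and any run of line endings to one "\n".
 * The <br /> tags are NOT inserted here; that is done after escaping so they survive it.
 */
function normaliseWhitespace(string $text): string
{
    $text = preg_replace('/[ \t]+/', ' ', $text);           // A: several spaces become one
    $text = preg_replace('/(\r\n|\r|\n)+/', "\n", $text);   // B + C: one newline per run of line endings
    return $text;
}

/** Escape for an HTML text context, then turn the normalised newlines into <br /> (XHTML form). */
function toHtmlLines(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

/** Mode D: drop every HTML and PHP tag, then escape what remains. */
function renderStripped(string $submitted): string
{
    return toHtmlLines(strip_tags(normaliseWhitespace($submitted)));
}

/** Mode E: keep the tags but show them literally as text. */
function renderEscaped(string $submitted): string
{
    return toHtmlLines(normaliseWhitespace($submitted));
}

// Constructed sample resembling the article's test string: a backslash path, doubled spaces,
// the quote-based SQL fragment, a script tag, a link and mixed line endings.
$submitted = "D:\\test\\dir  \"two spaces\"\r\n\r\n'!=' 1' OR '1'\n"
    . "<script>alert('x')</script>\r\n<a href=\"http://www.metsky.com\">link</a>";

header('Content-Type: text/html; charset=utf-8');
echo "<h2>stripped</h2>\n", renderStripped($submitted), "\n";
echo "<h2>escaped</h2>\n", renderEscaped($submitted), "\n";
```

Because nothing is escaped on the way in, the value stored or passed on is still the user's original text with its backslashes intact, and each output context (HTML here, SQL in part three) applies its own escaping exactly once.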
Third, writing to the database
Although for advanced trusted users data processed with addslashes($data) can be written to the database directly, addslashes cannot catch a single quote smuggled in as the multibyte sequence 0xbf27, so it is best to escape with mysql_real_escape_string or mysql_escape_string; the backslashes must be stripped before escaping, however (assuming addslashes has been applied as above).
function fnescapestr($data)
{
    if (get_magic_quotes_gpc()) // strip the magic-quotes escaping so the data is not escaped twice
    {
        $data = stripslashes($data); // the original read $value here, which is undefined in this function
    }
    // note: if fnaddslashes() was applied earlier, its backslashes are present whether or not magic
    // quotes are on, so stripping only in the magic-quotes case leaves the data escaped twice otherwise.
    // mysql_escape_string / mysql_real_escape_string belong to the mysql extension removed in PHP 7.
    $data = "'" . mysql_escape_string($data) . "'";
    return $data;
}
$data = fnescapestr($data);
The result after execution:

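The database write done with a prepared statement instead of addslashes()/mysql_escape_string() quoting, as an added example that is not from the article. The text and the SQL travel to the server separately, so neither the ' OR '1' fragment nor a multibyte trick such as the 0xbf27 sequence mentioned above can change the statement, and no stripslashes() pass is needed on the way back out. SQLite in memory is used so the example runs offline; with MySQL the DSN would carry the connection charset (for example 'mysql:host=...;dbname=...;charset=utf8mb4', a placeholder here), which is also what makes real_escape_string() multibyte-aware if escaping is ever still needed. The table name and sample text are constructed for this example.

```php
<?php
// Added example (not from the original article): store and reload a submission with bound
// parameters. Nothing is escaped or un-escaped by hand at any point.

declare(strict_types=1);

function openStore(): PDO
{
    $pdo = new PDO('sqlite::memory:');                          // offline stand-in for the MySQL DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

/** Insert the raw submission; the driver sends it as data, not as part of the SQL text. */
function savePost(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

/** Read it back; no stripslashes(), because nothing was addslashes()-escaped going in. */
function loadPost(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

/** Number of rows in the table, cast so the result is the same on every PDO driver. */
function countPosts(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn();
}

// Constructed sample of the same kind as the article's test string: a backslash path,
// the quote-based SQL fragment and a PHP tag.
$submitted = "D:\\test\\dir\r\n'!=' 1' OR '1'\r\n<?php echo \"PHP OUTPUT\";?>";

$pdo  = openStore();
$id   = savePost($pdo, $submitted);
$back = loadPost($pdo, $id);

// The text comes back byte for byte, backslashes included, and the quote fragment inserted
// exactly one row rather than altering the statement.
echo 'round trip intact: ', var_export($back === $submitted, true), "\n";
echo 'rows stored: ', countPosts($pdo), "\n";
```

The backslash loss the article opens with cannot happen here: backslashes only disappear when stripslashes() is run over data that was never addslashes()-escaped, and this path never calls either.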
Four, instant display after submission
1. If addslashes was used as above, the backslashes must be removed before the data is echoed.
Use the function stripslashes($data)
Note that this function is only for data that has been processed with addslashes($data) and must be used with care, otherwise backslashes will be lost (for example in folder paths, path separators, drive letters and so on). The author's recent mistake was exactly this: the function was applied to data read from the database (old code that I forgot to modify), so many paths lost their backslashes. That case is outside the scope of this article, since the data was being written to the database again.
2. Using the function htmlspecialchars($data), all of the submitted data is displayed as text. Unless links and similar content need special treatment, output through htmlspecialchars is recommended, especially because of unclosed HTML tags: if neither filtering nor tag conversion is applied, the output may break the page layout.
htmlentities is not recommended: on the one hand the source output becomes very hard to read, and on the other hand the htmlentities function turns double-byte characters such as Chinese into a string of garbled entities. Other characters display normally.
For the second output method, depending on the circumstances, the data can be output directly if it contains no illegal markup and no risk of execution.
