Functions that are helpful for PHP security
Security has always been an important aspect of programming languages, and any mature language provides proper ways to make a program safe. In modern web development we constantly process user input, and that is where the problems start. There is a programming motto: never trust user input. So today we introduce some of the most common PHP functions for adding security protection to your code.
PHP has many convenient functions that help you avoid SQL injection and XSS attacks. Let's take a look at the functions that can add security to your project. Please note that this is only a list of some common functions; it is not comprehensive, but I believe they are very helpful to your project.
mysql_real_escape_string (string $unescaped_string):
Escapes the special characters in a string that is about to be used in an SQL statement, taking the character set of the current connection into account (so it needs an open mysql connection). Used consistently, and only for values that sit inside quoted literals, it is an effective way to avoid SQL injection.
The following characters are converted:
\x00, \n, \r, \, ', " and \x1a
Running every user-supplied value through this function before it is placed into the query eliminates the risk at the source. Two caveats: it only protects values that are enclosed in quotes in the SQL (an unquoted number such as WHERE id = $id stays injectable, because the payload 1 OR 1=1 contains nothing to escape), and the whole mysql_* extension was removed in PHP 7.0, so on current PHP the equivalent is mysqli_real_escape_string () or PDO::quote ().
However, in more mature projects we generally recommend a database abstraction layer such as PDO (or mysqli) with prepared statements for all database operations. They are the modern way of working with the database, and because bound parameters never become part of the SQL text there are no escaping rules to get wrong, which makes them safer than escaping with the old mysql_* API.
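The three approaches above side by side, as an added example that is not part of the original article. It uses an in-memory SQLite database through PDO so that it runs offline; the table, its rows and the attacker inputs are constructed here. PDO::quote () stands in for the removed mysql_real_escape_string () (it is the driver-aware equivalent and also adds the surrounding quotes).

```php
<?php
// Added example: the same lookup built with concatenation, with escaping, and with a
// prepared statement. Constructed data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$pdo->exec("INSERT INTO users (name, secret) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Attacker-controlled value, e.g. $_GET['name']
$userInput = "x' OR '1'='1";

// 1. Vulnerable: string concatenation. The quote in the input closes the literal and
//    the OR clause makes the WHERE condition always true.
$sql  = "SELECT name, secret FROM users WHERE name = '" . $userInput . "'";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "concatenated: " . count($rows) . " rows\n";   // 2 rows: every user's secret leaks

// 2. Escaping, the approach the article describes. PDO::quote() escapes for the
//    connection's driver and wraps the value in quotes, so the input is one literal.
$sql  = "SELECT name, secret FROM users WHERE name = " . $pdo->quote($userInput);
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "quoted: " . count($rows) . " rows\n";         // 0 rows

// 3. Prepared statement: the value is sent separately from the SQL text.
$stmt = $pdo->prepare("SELECT name, secret FROM users WHERE name = ?");
$stmt->execute([$userInput]);
echo "prepared: " . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " rows\n";  // 0 rows

// Escaping does nothing for an unquoted numeric context: this payload contains no
// quote, backslash or newline, so an escaping function would return it unchanged.
$idInput = "1 OR 1=1";
$sql  = "SELECT name FROM users WHERE id = " . $idInput;
echo "unquoted number: " . count($pdo->query($sql)->fetchAll()) . " rows\n";  // 2 rows

// Binding the value (or casting it with intval()) closes that hole as well.
$stmt = $pdo->prepare("SELECT name FROM users WHERE id = ?");
$stmt->execute([$idInput]);
echo "bound number: " . count($stmt->fetchAll()) . " rows\n";                // 0 rows
$stmt->execute([intval($idInput)]);
echo "intval number: " . count($stmt->fetchAll()) . " rows\n";               // 1 row (id 1)
```

The last block is the one practitioners most often get wrong: escaping is a property of quoted string literals, so a numeric column needs a bound parameter or an integer cast, not an escaping function.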
addslashes ():
This function is useful when inserting data into a database: it puts a backslash in front of single quotes, double quotes, backslashes and NUL bytes, so that a quote inside a value such as O'Reilly does not break the SQL statement. How it should be used depends on the php.ini setting magic_quotes_gpc (deprecated in PHP 5.3 and removed in PHP 5.4; on any current PHP you are always in case 2 below).
1. magic_quotes_gpc = on: PHP has already applied addslashes () to everything in $_GET, $_POST and $_COOKIE, so the input can go into the SQL statement as it is. If you apply addslashes () again at this point the value is double-escaped, a real backslash ends up stored in the database, and you must then use stripslashes () to remove the unnecessary backslashes when outputting the data.
2. magic_quotes_gpc = off: You must use addslashes () on the input data before it goes into the SQL statement, but do not use stripslashes () on the output. The backslash that addslashes () adds is not written into the database; it only tells MySQL where the quoted literal really ends and is consumed when the statement is parsed.
One caveat: addslashes () works on bytes and knows nothing about the connection's character set, which is why it is weaker than mysql_real_escape_string (). In some multi-byte character sets such as GBK the inserted backslash can be absorbed into a double-byte character, leaving the following quote live. Prefer the connection-aware escaping function, or better, prepared statements.
[stripslashes (): deletes the backslashes added by the addslashes () function.]
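The behaviour described above, as an added example that is not part of the original article: the addslashes ()/stripslashes () round trip, the double-escaping mistake from the magic_quotes_gpc days, and the charset problem shown at the byte level. All inputs are constructed here; the GBK length check assumes the mbstring extension is loaded.

```php
<?php
// Added example: what addslashes()/stripslashes() do, and why addslashes() alone is
// not a safe SQL escaping function. Constructed inputs.
$raw     = "O'Reilly \"quoted\" back\\slash";
$escaped = addslashes($raw);
echo $escaped, "\n";                 // O\'Reilly \"quoted\" back\\slash
echo stripslashes($escaped), "\n";   // round-trips back to the original value

// With magic_quotes_gpc=on, $_POST['name'] already looked like $escaped. Escaping it a
// second time stores literal backslashes, which is what old code then had to undo with
// stripslashes() on output.
$doubleEscaped = addslashes($escaped);
echo $doubleEscaped, "\n";           // O\\\'Reilly \\\"quoted\\\" back\\\\slash

// Escape exactly once, at the SQL boundary, never "just in case" in several layers.

// The real weakness: addslashes() is not charset-aware. In GBK the byte pair 0xBF 0x5C
// is one double-byte character, so the backslash (0x5C) that addslashes() inserts after
// a 0xBF lead byte is swallowed into that character and the quote after it is unescaped.
$attack = "\xbf\x27";                // lead byte followed by a single quote
$out    = addslashes($attack);       // becomes \xbf \x5c \x27
echo bin2hex($out), "\n";            // bf5c27
echo mb_strlen($out, 'GBK'), " GBK characters\n";   // 2: [bf5c] and [27], the quote is live
echo strlen($out), " bytes\n";                      // 3

// Fix: escape with the function that knows the connection charset
// (mysqli_set_charset($link, 'utf8mb4'); mysqli_real_escape_string($link, $value);)
// or, better, bind the value with a prepared statement so no escaping is involved.
```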
htmlentities ():
A very useful function for processing output. It converts characters that could trigger an XSS attack into HTML entities. The text looks the same in the browser, but when you view the page source the special characters are no longer there as themselves, for example:
Output:
John & 'Adams'
Source code:
John &amp; 'Adams'
Output:
<>
Source code:
&lt;&gt;
(Single quotes are only converted when the ENT_QUOTES flag is passed; PHP 8.1 made it the default, older versions leave them alone by default.)
Encoding these symbols effectively prevents XSS attacks, as long as it is done for every piece of untrusted data that reaches the HTML and the data lands in a context where the encoding is meaningful (text content or a quoted attribute value).
htmlspecialchars ():
Same idea as the function above, but more commonly used, because htmlentities () converts every character that has a named entity in the HTML standard (see the HTML entity list http://www.w3school.com.cn/tags/html_ref_entities.html), which bloats the output and makes it hard to read. htmlspecialchars () only converts the few predefined characters that can actually cause problems:
& (ampersand) becomes &amp;
" (double quotation mark) becomes &quot;
' (single quotation mark) becomes &#039; (only when ENT_QUOTES is set; default since PHP 8.1)
< (less than) becomes &lt;
> (greater than) becomes &gt;
Therefore, in projects I often use htmlspecialchars () to process HTML output. It is more targeted in terms of security, and in a UTF-8 page those five characters are all that needs to change to stop untrusted text from becoming markup.
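An output-escaping helper built on htmlspecialchars (), the difference to htmlentities (), and two cases where escaping alone is not enough, as an added example that is not part of the original article. The helper name e () and safeHref () are this example's own names; the input strings are constructed here.

```php
<?php
// Added example: escaping for HTML output with htmlspecialchars()/htmlentities(), and
// two contexts (unquoted attribute, URL) where escaping by itself does not help.
declare(strict_types=1);

// ENT_QUOTES encodes both quote types (required inside attribute values), ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string, and the charset is explicit.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = "John & 'Adams' <script>alert(1)</script> \"x\" \u{00A9}\u{00E9}";

echo e($name), "\n";
// John &amp; &#039;Adams&#039; &lt;script&gt;alert(1)&lt;/script&gt; &quot;x&quot; ©é

echo htmlentities($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
// same, but every character with a named entity is converted as well: ... &copy;&eacute;

echo htmlspecialchars($name, ENT_COMPAT, 'UTF-8'), "\n";
// ENT_COMPAT (the default before PHP 8.1) leaves the single quotes alone, which is
// unsafe if the value is placed inside a single-quoted attribute.

// 1. Context matters: in an unquoted attribute the payload needs neither quotes nor
//    angle brackets, so it survives escaping intact. Always quote attribute values.
$payload = 'x onmouseover=alert(1)';
echo '<input value=' . e($payload) . ">\n";    // onmouseover becomes a live attribute
echo '<input value="' . e($payload) . "\">\n"; // inert text inside the quotes

// 2. URLs: "javascript:" is ordinary text to htmlspecialchars(). Check the scheme first.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}
echo '<a href="' . safeHref('javascript:alert(1)') . "\">bad</a>\n";         // href="#"
echo '<a href="' . safeHref('https://example.com/?a=1&b=2') . "\">ok</a>\n"; // & -> &amp;
```

safeHref () deliberately rejects relative URLs too; if your application needs them, allow an empty scheme explicitly rather than weakening the check.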
strip_tags (): generally used on output. Strips HTML, XML and PHP tags from a string.
Function prototype: strip_tags (string $string, $allowed_tags = null)
$string is the input string; $allowed_tags lists the tags that should not be removed, so you can customise which tags are filtered out. Caveat: attributes on the tags you allow are kept exactly as they are, so allowing <p> or <a> lets an onclick="..." handler through, and the text inside removed tags (for example the body of a <script>) stays in the output. strip_tags () is therefore not an HTML sanitiser: when no markup is needed at all, htmlspecialchars () is the safer choice, and when some markup must be allowed, use a real HTML sanitiser instead.
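What strip_tags () removes and what it leaves behind, as an added example that is not part of the original article, run over a constructed snippet of untrusted HTML.

```php
<?php
// Added example: strip_tags() with and without an allow-list, next to escaping.
$html = '<p onclick="alert(1)">Hello <b>world</b></p><script>alert(2)</script> 1 &lt; 2';

echo strip_tags($html), "\n";
// Hello worldalert(2) 1 &lt; 2
// -> the tags are gone, but the script *body* remains as text and existing entities
//    are not decoded or re-encoded

echo strip_tags($html, '<p><b>'), "\n";
// <p onclick="alert(1)">Hello <b>world</b></p>alert(2) 1 &lt; 2
// -> allowed tags keep all of their attributes, so the onclick handler is still live

// PHP 7.4 and later also accept the allow-list as an array
echo strip_tags($html, ['p', 'b']), "\n";

// If no markup is wanted, escape instead of stripping: nothing can be "left behind"
echo htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
// &lt;p onclick=&quot;alert(1)&quot;&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;...
```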
md5 ():
A function that turns any string into a 128-bit hash written as 32 hexadecimal characters, which cannot be reversed. For practical purposes each input gives a distinct hash, but MD5 is cryptographically broken (colliding inputs can be produced deliberately), and because the same password always gives the same hash, databases of precomputed MD5 values (rainbow tables) and brute-force enumeration crack unsalted password hashes quickly. Mixing a random per-user salt into the input before hashing is the minimum; the proper tool since PHP 5.5 is password_hash () with password_verify (), which applies a salt and a deliberately slow algorithm for you.
sha1 ():
A function similar to md5 () but using a different algorithm that produces a 160-bit hash, 40 hexadecimal characters. It can be used in projects for checksums and non-security fingerprints, but collisions have been demonstrated for SHA-1 as well and it is just as unsuitable for password storage as md5 (). Where a secure hash is needed use hash ('sha256', ...), and for passwords password_hash ().
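The difference between a bare digest and proper password hashing, as an added example that is not part of the original article. The tiny precomputed table is constructed here to stand in for a real rainbow table.

```php
<?php
// Added example: md5()/sha1() digests, why unsalted digests fall to lookup tables, and
// password_hash()/password_verify() as the replacement. Constructed inputs.
$password = 'password123';

echo md5($password), "\n";    // 32 hex characters, 128-bit digest
echo sha1($password), "\n";   // 40 hex characters, 160-bit digest

// Deterministic: the same input always yields the same digest, so an attacker who
// precomputes digests of common passwords can look a leaked hash up in O(1).
$table = [];
foreach (['123456', 'password', 'letmein', 'password123'] as $guess) {
    $table[md5($guess)] = $guess;
}
$leakedHash = md5($password);                      // what a breached table would contain
echo $table[$leakedHash] ?? 'not found', "\n";     // password123

// password_hash() picks a random salt per call and uses a slow algorithm (bcrypt for
// PASSWORD_DEFAULT), so the table above is useless and each guess costs real CPU time.
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash, "\n";                                   // $2y$10$... and different on every run
var_dump(password_verify($password, $hash));        // bool(true)
var_dump(password_verify('password124', $hash));    // bool(false)

// Two hashes of the same password do not match as strings; only password_verify() can
// compare them, because the salt is stored inside the hash.
var_dump(password_hash($password, PASSWORD_DEFAULT) === $hash);   // bool(false)

// When you compare digests or tokens yourself, use hash_equals() so the comparison
// does not stop at the first differing byte (a timing side channel).
$expected = hash('sha256', 'session-token');
var_dump(hash_equals($expected, hash('sha256', 'session-token')));   // bool(true)
```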
intval ():
Maybe you do not think of this as a security function, but it protects your code in some cases. Values collected from users that must be integers, such as a record ID or a page number, can be cast with intval () before they are used in a query; the cast keeps only the leading number, which throws away any injection payload. It does not apply to string values such as passwords and user names, which must be escaped or bound instead. Note that intval ("42abc") is 42 and intval ("abc") is 0, so where malformed input should be rejected rather than silently coerced, validate with filter_var ($value, FILTER_VALIDATE_INT) or ctype_digit () first. After all, request parameters are where most attacks land.
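intval () coercion next to strict integer validation, as an added example that is not part of the original article. The list of "id" parameters is constructed here, and userIdFromRequest () is this example's own helper name.

```php
<?php
// Added example: how intval() and FILTER_VALIDATE_INT treat the same inputs, and a
// strict helper for an id parameter. Constructed inputs.
$inputs = ['42', '42abc', '1 OR 1=1', 'abc', '-7', '9.9', ''];

printf("%-12s %-8s %s\n", 'input', 'intval', 'FILTER_VALIDATE_INT');
foreach ($inputs as $in) {
    printf("%-12s %-8d %s\n",
        var_export($in, true),
        intval($in),
        var_export(filter_var($in, FILTER_VALIDATE_INT), true));
}
// '42'        42       42
// '42abc'     42       false   <- intval() silently truncates
// '1 OR 1=1'  1        false   <- injection payload collapses to a harmless 1
// 'abc'       0        false   <- 0 might be a real record id; validation rejects it
// '-7'        -7       -7
// '9.9'       9        false
// ''          0        false

// Strict version for an id parameter: anything that is not a positive integer is
// rejected instead of coerced, so the caller can return 400 rather than query id 0.
function userIdFromRequest(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

var_dump(userIdFromRequest(['id' => '42']));        // int(42)
var_dump(userIdFromRequest(['id' => '42abc']));     // NULL
var_dump(userIdFromRequest(['id' => '1 OR 1=1']));  // NULL
var_dump(userIdFromRequest(['id' => '0']));         // NULL
var_dump(userIdFromRequest([]));                    // NULL
```

intval () is fine as a last line of defence in front of a query, but the validated integer from userIdFromRequest () should still be passed as a bound parameter rather than concatenated into the SQL.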