How to filter characters in php

Source: Internet
Author: User

Configurations and functions related to PHP string escaping are as follows:
1. magic_quotes_runtime
2. magic_quotes_gpc
3. addslashes() and stripslashes()
4. mysql_escape_string()
5. addcslashes() and stripcslashes()
6. htmlentities() and html_entity_decode()
7. htmlspecialchars() and htmlspecialchars_decode()

When magic_quotes_runtime is enabled, most PHP functions automatically add a backslash before characters that need escaping in data brought in from outside (including from a database or a file).
You can use set_magic_quotes_runtime() and get_magic_quotes_runtime() to set and detect its status.
Note: PHP 5.3.0 and later versions have removed these two functions; that is to say, this option is disabled in PHP 5.3.0 and later versions.

magic_quotes_gpc determines whether certain characters in data sent via GPC (GET, POST, COOKIE) are automatically escaped.
You can use get_magic_quotes_gpc() to check its setting.
If this setting is not enabled, you can use the addslashes() function to escape the string yourself.

addslashes() adds a backslash before certain predefined characters.
The predefined characters are the single quotation mark ('), the double quotation mark ("), the backslash (\), and NUL (the NULL character).
The above is the explanation given by W3SCHOOL.COM.CN.
When magic_quotes_sybase = on, it converts single quotes (') to double quotes ("); when magic_quotes_sybase = off, it converts single quotes (') to (\').
The stripslashes() function does the opposite of addslashes(): it removes the escaping.

mysql_escape_string() escapes special characters in strings used in SQL statements.
The special characters here are (\x00), (\n), (\r), (\), ('), (") and (\x1a).

addcslashes() escapes characters in a string with backslashes, in the C-language style. This function is rarely used. However, note that when you choose to escape 0, a, b, f, n, r, t, and v, they are converted to \0, \a, \b, \f, \n, \r, \t, and \v. In PHP, only \0 (NULL), \r (carriage return), \n (line feed), and \t (tab) are predefined escape sequences, whereas in C all of the converted characters above are predefined escape sequences. Similarly, stripcslashes() removes this escaping.

htmlentities() converts characters to HTML entities. (What is an HTML entity? Google it yourself ~~)
See the function's documentation for its parameters. Its inverse function, html_entity_decode(), converts HTML entities back to characters.

The htmlspecialchars() function converts some predefined characters into HTML entities.
The predefined characters are:
& (ampersand) becomes &amp;
" (double quotation mark) becomes &quot;
' (single quote) becomes &#039;
< (less than) becomes &lt;
> (greater than) becomes &gt;
See the function's documentation for the detailed parameters. Its inverse function, htmlspecialchars_decode(), converts some predefined HTML entities back into characters.

Some of my own experience:
> Multiple single quotes may cause database security problems.
> We do not recommend that you use mysql_escape_string() for escaping. We recommend that you use the escape function when obtaining user input.
> Because set_magic_quotes_runtime() has been deprecated in PHP 5.3.0 and later versions, we recommend that you disable the configuration for previous versions:

The code is as follows:


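// Compare versions with version_compare(); a plain string comparison misorders versions.
if (version_compare(phpversion(), '5.3.0', '<')) {
    set_magic_quotes_runtime(0);
}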


> magic_quotes_gpc cannot be set through a function. Therefore, it is recommended that you enable it on the server. When writing a program, you should check it, to avoid security problems caused by GPC not being enabled.
When using addslashes() to escape GPC data, note that when the user submits array data, both the keys and the values must be filtered.

The code is as follows:


// get_magic_quotes_gpc() was removed in PHP 8.0, so check that it exists before calling it.
if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
    $_GET = daddslashes($_GET);
    $_POST = daddslashes($_POST);
    $_COOKIE = daddslashes($_COOKIE);
    $_FILES = daddslashes($_FILES);
}

// Recursively apply addslashes() to a string, or to every key and value of an array.
function daddslashes($string, $force = 1) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            unset($string[$key]);
            $string[addslashes($key)] = daddslashes($val, $force);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}


> Escape HTML entities on user input or output to prevent XSS vulnerabilities!
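
An added example, not part of the original article, showing why addslashes()-style escaping depends on the context a value is used in, next to a bound query parameter and output-time htmlspecialchars(). The table, column names and request values are constructed, and an in-memory SQLite database through PDO (the pdo_sqlite extension) is assumed.

```php
<?php
// Added example; schema and input values are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");
$pdo->exec("INSERT INTO users (name) VALUES ('bob')");

// Constructed stand-ins for $_GET['id'] and $_POST['name'].
$id   = '1 OR 1=1';
$name = "O'Reilly <b>\"x\"</b> & co";

// addslashes() only escapes ', ", \ and NUL. A value placed in an unquoted
// numeric context contains none of them, so it reaches the query unchanged
// and the WHERE clause is no longer limited to one id.
$weak = $pdo->query('SELECT name FROM users WHERE id = ' . addslashes($id));
printf("string-built query returned %d row(s)\n", count($weak->fetchAll()));

// Hardened: the value is bound as data and is never parsed as SQL.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
printf("bound query returned %d row(s)\n", count($stmt->fetchAll()));

// Store the raw name through a bound parameter: no addslashes() is needed,
// and no stray backslashes end up in the database.
$ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$ins->execute([':name' => $name]);
$stored = $pdo->query('SELECT name FROM users ORDER BY id DESC LIMIT 1')
              ->fetchColumn();

// Escape for HTML only at output time. ENT_QUOTES is passed explicitly so the
// single quote is converted too, whatever the default flags of the PHP version.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```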

Today, I encountered a special character processing problem. I noticed this problem again in PHP:

* A PHP string delimited by single quotes supports two escape sequences: \' and \\
* A PHP string delimited by double quotation marks supports the following escape sequences:
\n line feed (LF or ASCII character 0x0A (10))
\r carriage return (CR or ASCII character 0x0D (13))
\t horizontal tab (HT or ASCII character 0x09 (9))
\\ backslash
\$ dollar sign
\" double quotation mark
\[0-7]{1,3} a sequence matching this regular expression is a character in octal notation
\x[0-9A-Fa-f]{1,2} a sequence matching this regular expression is a character in hexadecimal notation

For example:

An example with the special character \0:

$str = "ffff\0ffff";
echo(strlen($str));
echo("\n");
// Print the ASCII code of each byte in the string.
for ($i = 0; $i < strlen($str); $i++) echo(ord($str[$i]) . " ");
echo("\n");

Output result:
----------------------

9
102 102 102 102 0 102 102 102 102

Example of replacing special characters:

$str = "ffff\0ffff";
$str = str_replace("\x0", "", $str);
// Or use $str = str_replace("\0", "", $str);
// Or use $str = str_replace(chr(0), "", $str);
echo(strlen($str));
echo("\n");
// Print the ASCII code of each remaining byte.
for ($i = 0; $i < strlen($str); $i++) echo(ord($str[$i]) . " ");
echo("\n");

Output result:
----------------------
8
102 102 102 102 102 102 102 102


Octal ASCII code example:

// Note that a sequence matching the regular expression \[0-7]{1,3} represents an octal ASCII code.
$str = "\0\01\02\3\7\10\011\08\8"; // The \8 here is not a valid octal escape, so it is treated as "\\8" (ASCII 92 and 56)
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo(ord($str[$i]) . " ");
echo("\n");

Output result:
----------------------
11
0 1 2 3 7 8 9 0 56 92 56

Hexadecimal ASCII code example:

$str = "\x0\x1\x2\x3\x7\x8\x9\x10\x11\xff";
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo(ord($str[$i]) . " ");
echo("\n");

Output result:
