How many of the eight useful PHP security functions do you know ?, Useful php

How many of the eight useful PHP security functions do you know ?, Useful php

Original article: Useful functions to provide secure PHP application

Translation: Useful PHP security functions

Translator: dwqs

Security is an important aspect of programming. In any programming language, many functions or modules are provided to ensure program security. In modern website applications, users from all over the world often need to be input. However, we all know that "data input by those users will never be trusted ". Therefore, various Web development languages provide functions to ensure the security of user input data. Today, let's take a look at the useful security functions in the famous open-source language PHP.

In PHP, some useful open-source functions are very convenient to prevent your website from various attacks, such as SQL injection attacks and XSS (Cross Site Scripting: Cross Site Scripting) attacks. Let's take a look at common functions in PHP that can ensure project security. Note that this is not a complete list. I think there are some very good functions for your I project.

1. mysql_real_escape_string ()

This function is useful in PHP to prevent SQL injection attacks. This function adds a backslash to special characters such as single quotes, double quotation marks, and backslash to ensure that the input provided by the user is clean before the data is queried. However, you must note that you use this function before connecting to the database.

However, mysql_real_escape_string () is no longer recommended. All new applications should use libraries like PDO to perform database operations. That is to say, we can use existing statements to prevent SQL injection attacks.

2. addslashes ()

The principle of this function is similar to that of mysql_real_escape_string. However, when the value of "magic_quotes_gpc" in the php. ini file is "on", do not use this function. The default value of magic_quotes_gpc is on. addslashes () is automatically run for all GET, POST, and COOKIE data (). Do not use addslashes () for strings that have been escaped by magic_quotes_gpc, because this causes double-layer escape. You can use the get_magic_quotes_gpc () function to determine whether it is enabled.

3. htmlentities ()

This function is very useful for filtering user input data. It converts some special characters into HTML objects. For example, when a user inputs <, the function is converted to an HTML object <(& lt), and the input> is converted to an object & gt. (HTML object table: http://www.w3school.com.cn/html/html_entities.asp), can prevent XSS and SQL injection attacks.

4. htmlspecialchars ()

In HTML, some specific characters have special meanings. to retain the original meaning of the characters, convert them to HTML objects. This function returns the converted string, for example, converting '&' (ampersand) to '& am' (ps: refer to the object reference table link in the third point)

Ps: the original article here is incorrect (see the comments). Thank you very much for your suggestion. Corrected and added common Conversion characters for this function:

The translations saved med are:

• '&' (Ampersand) becomes '& amp ;'
• '"' (Double quote) becomes '& quot; 'WhenENT_NOQUOTESIs not set.
• "'" (Single quote) becomes' & #039; '(or & apos;) only whenENT_QUOTESIs set.
• '<' (Less than) becomes '& lt ;'
• '>' (Greater than) becomes '& gt ;'

5. strip_tags ()

This function can remove all HTML, JavaScript, and PHP tags in the string. Of course, you can also set the second parameter of this function to make some specific tags appear.

6. md5 ()

From a security perspective, it is not recommended that some developers store simple passwords in databases. The md5 () function can generate a 32-character md5 hash of the given string, and this process is irreversible, that is, you cannot obtain the original string from the md5 () result.

Currently, this function is not considered safe because open-source databases can reverse check the plaintext of a hash value. Here you can find an MD5 hash database list

7. sha1 ()

This function is similar to md5 (), but it uses different algorithms to generate a 40-character SHA-1 hash (md5 generates a 32-character hash ). Do not pin absolute security on this function. Otherwise, unexpected results may occur.

8. intval ()

Don't laugh. I know this function has nothing to do with security. The intval () function converts a variable to an integer type. You can use this function to make your PHP code safer, especially when you are parsing data such as id and age.

 

Next article: Create a bubble prompt box with pure CSS