How to filter character in PHP

Source: Internet
Author: User

The configuration settings and functions related to string escaping in PHP are as follows:
1. magic_quotes_runtime
2. magic_quotes_gpc
3. addslashes() and stripslashes()
4. mysql_escape_string()
5. addcslashes() and stripcslashes()
6. htmlentities() and html_entity_decode()
7. htmlspecialchars() and htmlspecialchars_decode()

When magic_quotes_runtime is on, most PHP functions automatically add backslashes to the characters that need escaping in data brought in from external sources (including databases and files).
You can use set_magic_quotes_runtime() and get_magic_quotes_runtime() to set and check its status.
Note: these two functions are deprecated as of PHP 5.3.0, which means the setting is off in PHP 5.3.0 and later.

magic_quotes_gpc sets whether certain characters in data coming from GPC (GET, POST, COOKIE) are escaped automatically.
You can use get_magic_quotes_gpc() to check its setting.
If this setting is not turned on, you can use the addslashes() function to escape the string.

addslashes() adds a backslash before each of the predefined characters.
The predefined characters are the single quotation mark ('), the double quotation mark ("), the backslash (\), and NUL (the NULL character).
This is the explanation given by w3school.com.cn, and I feel it is not very accurate,
because with magic_quotes_sybase=on it converts the single quotation mark (') to double quotation marks ("), and with magic_quotes_sybase=off it converts the single quotation mark (') to (\').
stripslashes() does the opposite of addslashes(): it removes the escaping.

mysql_escape_string() escapes the special characters in a string that is to be used in an SQL statement.
The special characters are (\x00), (\n), (\r), (\), ('), (") and (\x1a).

addcslashes() escapes characters in a string with backslashes, C style. Few people use this function, but note that when you choose to escape the characters 0, a, b, f, n, r, t and v, they are converted to \0, \a, \b, \f, \n, \r, \t and \v. In PHP, only \0 (NULL), \r (carriage return), \n (newline) and \t (tab) are predefined escape sequences, whereas in C all of the converted characters above are predefined escape sequences. stripcslashes() removes this escaping.

htmlentities() converts characters to HTML entities. (What is an HTML entity? Google it yourself.)
See the function's documentation for the specific parameters. Its inverse function, html_entity_decode(), converts HTML entities back to characters.

The htmlspecialchars() function converts some predefined characters to HTML entities.
These predefined characters are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039;
< (less than) becomes &lt;
> (greater than) becomes &gt;
See the function's documentation for the detailed parameters. Its inverse function, htmlspecialchars_decode(), converts these predefined HTML entities back to characters.

Some of my own experience:
>> Escaping single quotes multiple times may cause database security issues
>> Escaping with mysql_escape_string is not recommended; it is recommended to escape when user input is obtained
>> Because set_magic_quotes_runtime() is deprecated in PHP 5.3.0 and later, it is recommended to turn the setting off uniformly on earlier versions:

    // version_compare() avoids comparing version numbers as plain strings.
    if (version_compare(PHP_VERSION, '5.3.0', '<')) {
        set_magic_quotes_runtime(0);
    }


>> magic_quotes_gpc cannot be set through a function, so it is recommended to turn it on uniformly on the server; programs should still check it, to avoid security problems caused by GPC not being turned on.
When GPC data is escaped with addslashes(), note that when the user submits array data, both the keys and the values must be filtered.

    // Legacy code: get_magic_quotes_gpc() was removed in PHP 8, so check that it exists first.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $_GET = daddslashes($_GET);
        $_POST = daddslashes($_POST);
        $_COOKIE = daddslashes($_COOKIE);
        $_FILES = daddslashes($_FILES);
    }

    // Recursively apply addslashes() to both the keys and the values of array input.
    function daddslashes($string, $force = 1) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                unset($string[$key]);
                $string[addslashes($key)] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
        return $string;
    }


>> Prevent XSS exploits by escaping to HTML entities at user input or output!
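The points in the list above (repeated escaping, escaping for the database, escaping HTML at output) shown together, as an added example that is not part of the original article. It swaps in a technique the article does not cover, PDO prepared statements, in place of string escaping for the query; the in-memory SQLite database, the `authors` table and the sample input are assumptions made for the illustration.

```php
<?php
// Added example, not from the original article. The input is constructed.
$input = "O'Reilly <b>&</b> \"Sons\"";

// 1. Escaping the same value twice: the second pass escapes the backslashes
//    added by the first, so stray backslashes end up in the stored data.
$once  = addslashes($input);
$twice = addslashes($once);
echo "once:  ", $once, "\n";
echo "twice: ", $twice, "\n";
var_dump(stripslashes($twice) === $input); // one stripslashes() no longer restores it

// 2. Keep the raw value and bind it as a parameter instead of escaping it.
//    Assumption: the pdo_sqlite extension is available; the table is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (name TEXT)');

$stmt = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
$stmt->execute([':name' => $input]);

$stored = $db->query('SELECT name FROM authors')->fetchColumn();
var_dump($stored === $input); // the value round-trips unchanged

// 3. Escape for HTML only at the point of output. ENT_QUOTES makes
//    htmlspecialchars() convert single quotes as well as double quotes.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Storing the raw value and escaping once per output context means no layer has to guess whether the data was already escaped.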

Today, I came across a file with special characters to handle, and again noticed this issue in PHP:

* A PHP string delimited by single quotes supports two escapes: \' and \\
* A PHP string delimited by double quotes supports the following escapes:
\n Line feed (LF, ASCII character 0x0A (10))
\r Carriage return (CR, ASCII character 0x0D (13))
\t Horizontal tab (HT, ASCII character 0x09 (9))
\\ Backslash
\$ Dollar sign
\" Double quotation mark
\[0-7]{1,3} A sequence matching this regular expression is a character in octal notation
\x[0-9A-Fa-f]{1,2} A sequence matching this regular expression is a character in hexadecimal notation

A few examples:

An example of a string that contains the special character \0:

    $str = "ffff\0ffff";
    echo(strlen($str));
    echo("\n");
    // Print the ASCII code of every byte in the string.
    for ($i = 0; $i < strlen($str); $i++) echo(ord($str[$i]) . " ");
    echo("\n");

Output result:
----------------------

9
102 102 102 102 0 102 102 102 102

An example of replacing the special character:

    $str = "ffff\0ffff";
    $str = str_replace("\x0", "", $str);
    // or: $str = str_replace("\0", "", $str);
    // or: $str = str_replace(chr(0), "", $str);
    echo(strlen($str));
    echo("\n");
    for ($i = 0; $i < strlen($str); $i++) echo(ord($str[$i]) . " ");
    echo("\n");

Output result:
----------------------
8
102 102 102 102 102 102 102 102


An example of octal ASCII codes:

Note that a sequence matching the regular expression \[0-7]{1,3} represents an octal ASCII code.

    // The \8 here does not meet the requirements, so it is treated as "\\8" (ASCII 92 and 56).
    $str = "\0\01\02\3\7\10\011\08\8";
    echo(strlen($str));
    echo("\n");
    for ($i = 0; $i < strlen($str); $i++) echo(ord($str[$i]) . " ");
    echo("\n");

Output result:
----------------------
11
0 1 2 3 7 8 9 0 56 92 56

An example of hexadecimal ASCII codes:

    $str = "\x0\x1\x2\x3\x7\x8\x9\x10\x11\xff";
    echo(strlen($str));
    echo("\n");
    for ($i = 0; $i < strlen($str); $i++) echo(ord($str[$i]) . " ");
    echo("\n");
Output Result:

The above describes how to do character filtering in PHP. I hope it is helpful to readers interested in PHP tutorials.
