Is htmlspecialchars enough to filter the variables submitted by GET?
For example, to implement a user-name search function, the user name is actually passed via GET. Is it safe to use htmlspecialchars?
PHP code
htmlspecialchars(trim($_GET['username']), ENT_QUOTES);
------ Solution --------------------
addslashes() handles ('), ("), (\) and NUL.
------ Solution --------------------
In fact, what you want to prevent is SQL injection. For PHP < 5.4.0, when get_magic_quotes_gpc() is enabled, data submitted via GET/POST/cookie is automatically escaped. However, magic quotes were removed in PHP 5.4.0, and get_magic_quotes_gpc() always returns false from then on.
Therefore, the safest thing is to escape with mysql_real_escape_string() to prevent attacks on the database. It is safe to write the following code:
if (get_magic_quotes_gpc()) {
    // Magic quotes already added backslashes; strip them so the value is not escaped twice.
    $username = stripslashes($_GET['username']);
} else {
    $username = $_GET['username'];
}
// Escape for use inside a quoted MySQL string literal (requires an open mysql_* connection).
$username = mysql_real_escape_string($username);
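The pattern from the question, the escaping approach from this answer, and the fix a practitioner would use today, as an added example that is not code from the original thread. mysql_real_escape_string() belongs to the mysql extension, which PHP 7.0 removed, so the answer's code does not run on current PHP; the replacement is PDO prepared statements. The script assumes PHP 7.4+ with the pdo_sqlite extension so it runs offline against an in-memory database; the users table, its rows and all function names are constructed for this demonstration.

```php
<?php
// Added example (not code from the original thread): htmlspecialchars() is an
// HTML output-encoding function, not an SQL escape. This script contrasts the
// asker's pattern with PDO prepared statements. The table, rows and function
// names are constructed for the demonstration; it assumes PHP 7.4+ with the
// pdo_sqlite extension so it runs offline against an in-memory database.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    // Constructed sample rows; note the legitimate apostrophe in o'brien.
    $db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('o''brien')");
    return $db;
}

// 1. The asker's pattern: HTML-encode, then interpolate into a quoted literal.
//    ENT_QUOTES turns ' into &#039;, so the literal cannot be broken out of,
//    but the search silently fails for any stored name that contains a quote,
//    because the database holds the raw name, not the HTML-encoded one.
function searchByNameHtmlEncoded(PDO $db, string $input): array
{
    $username = htmlspecialchars(trim($input), ENT_QUOTES);
    return $db->query("SELECT username FROM users WHERE username = '$username'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// 2. The same "sanitizer" in an unquoted (numeric) context does nothing:
//    an input such as "1 OR 1=1" contains none of < > & " ' and passes
//    through unchanged, so the WHERE clause matches every row.
function lookupByIdHtmlEncoded(PDO $db, string $input): array
{
    $id = htmlspecialchars(trim($input), ENT_QUOTES);
    return $db->query("SELECT username FROM users WHERE id = $id")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Backslash escaping (addslashes / mysql_real_escape_string) is MySQL
//    syntax. SQLite does not treat \ as an escape inside a string literal,
//    so 'o\'brien' is a syntax error here: escaping rules belong to the
//    driver and the server's charset, not to hand-written caller code.
function searchByNameAddslashes(PDO $db, string $input): array
{
    $username = addslashes(trim($input));
    return $db->query("SELECT username FROM users WHERE username = '$username'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// 4. Prepared statements: the value never becomes part of the SQL text, so
//    no escaping is needed and quotes in the data are just data.
function searchByName(PDO $db, string $input): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :u');
    $stmt->execute([':u' => trim($input)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function lookupById(PDO $db, string $input): array
{
    // Validate the type first; FILTER_VALIDATE_INT rejects "1 OR 1=1" outright.
    $id = filter_var(trim($input), FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// htmlspecialchars() belongs at the point where a value is written into HTML,
// to stop XSS; applying it on the way into the database solves neither problem.
function renderResults(array $usernames): string
{
    $items = array_map(
        fn(string $u): string => '<li>' . htmlspecialchars($u, ENT_QUOTES, 'UTF-8') . '</li>',
        $usernames
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

$db = makeDb();
echo "HTML-encoded name search for o'brien: [", implode(', ', searchByNameHtmlEncoded($db, "o'brien")), "]\n";
echo "HTML-encoded id lookup for '1 OR 1=1':  [", implode(', ', lookupByIdHtmlEncoded($db, '1 OR 1=1')), "]\n";
try {
    searchByNameAddslashes($db, "o'brien");
} catch (PDOException $e) {
    echo "addslashes() against SQLite: ", $e->getMessage(), "\n";
}
echo "Prepared name search for o'brien:     [", implode(', ', searchByName($db, "o'brien")), "]\n";
echo "Prepared id lookup for '1 OR 1=1':      [", implode(', ', lookupById($db, '1 OR 1=1')), "]\n";
echo "Prepared id lookup for '3':             [", implode(', ', lookupById($db, '3')), "]\n";
echo renderResults(searchByName($db, "o'brien")), "\n";
```

Run with `php example.php`. The first two calls show the two failure modes of the question's approach (corrupted data in a quoted context, no protection at all in an unquoted one); the third shows that backslash escaping is engine-specific; the prepared-statement versions handle both inputs, and HTML encoding is applied only in renderResults(), at output time.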