PHP string escaping function summary. Sometimes, for the sake of security, the strings a user enters have to be escaped, and the rules for this are easy to get wrong or to misunderstand ~~~
The PHP configuration options and functions related to string escaping are:
1. magic_quotes_runtime
2. magic_quotes_gpc
3. addslashes() and stripslashes()
4. mysql_escape_string()
5. addcslashes() and stripcslashes()
6. htmlentities() and html_entity_decode()
7. htmlspecialchars() and htmlspecialchars_decode()
When magic_quotes_runtime is enabled, most PHP functions automatically prefix a backslash to the special characters in data introduced from outside (including data read from a database or a file).
set_magic_quotes_runtime() and get_magic_quotes_runtime() set and detect its status.
Note: these two functions are deprecated as of PHP 5.3.0 and have since been removed; in other words, this option is disabled on PHP 5.3.0 and later.
magic_quotes_gpc determines whether certain characters in data sent via GPC (GET, POST, COOKIE) are escaped automatically.
get_magic_quotes_gpc() checks its setting.
If the setting is not enabled, addslashes() can be used to add the escaping to the string yourself.
addslashes() adds a backslash before each of the predefined characters.
The predefined characters are the single quote ('), the double quote ("), the backslash (\) and NUL (the NULL byte).
The above is the explanation given by W3SCHOOL.COM.CN.
Note that the result also depends on magic_quotes_sybase: when magic_quotes_sybase = on, a single quote (') is escaped by doubling it (''); when magic_quotes_sybase = off, it is escaped as (\').
stripslashes() is the inverse of addslashes(): it removes the escaping backslashes again.
mysql_escape_string() escapes the special characters in a string that is to be used in an SQL statement.
The special characters here are \x00, \n, \r, \, ', " and \x1a.
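The point of the paragraph above, keeping the special characters in a string from being read as SQL syntax, as an added example that is not from the original article. It uses PDO with the pdo_sqlite extension and an in-memory database constructed here, so it runs without a MySQL server. Bound parameters make an escaping function unnecessary, and PDO::quote() is the driver-aware equivalent of one when a literal really has to be built. The names openDemoDb(), countByNameConcat() and countByNameBound(), the table and the sample rows are all constructed for this illustration.

```php
<?php
// Added example, not from the original article: the same special characters that
// mysql_escape_string() targets, handled through PDO. Requires the pdo_sqlite
// extension; the in-memory database and the sample rows are constructed here.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $pdo;
}

// Fragile pattern: the value is pasted into the statement text. A single quote in
// the input becomes SQL syntax, so the statement no longer means what was written.
function countByNameConcat(PDO $pdo, string $name): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Robust pattern: the value travels as a bound parameter, so quotes, backslashes
// and NUL bytes stay data. No escaping function is involved at all.
function countByNameBound(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn();
}

$pdo   = openDemoDb();
$input = "o'brien";   // constructed input containing one of the special characters

// Store it with a bound parameter as well, so the lookups below have a row to find
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute([$input]);

try {
    echo "concatenation found " . countByNameConcat($pdo, $input) . " row(s)\n";
} catch (PDOException $e) {
    echo "concatenation broke the statement: " . $e->getMessage() . "\n";
}

echo "bound parameter found " . countByNameBound($pdo, $input) . " row(s)\n";

// If a string literal really has to be built, quote() applies the escaping rules of
// the connected driver (SQLite doubles the quote, the MySQL driver would backslash it)
echo "driver-quoted literal: " . $pdo->quote($input) . "\n";
```

Run it with `php demo.php`: the concatenated statement fails with a syntax error because the quote in the input terminated the literal early, while the bound version finds the stored row.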
addcslashes() escapes characters in a string with backslashes, C-style. This function is rarely used, but note that if you choose to escape the characters 0, a, b, f, n, r, t and v, they are converted to \0, \a, \b, \f, \n, \r, \t and \v. In PHP only \0 (NUL), \r (carriage return), \n (line feed) and \t (tab) are predefined escape sequences, whereas in C every one of the sequences above is, so the output may not mean what you intended once it is read back by code in such a language. Likewise, stripcslashes() removes the C-style escaping.
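The addslashes()/stripslashes() round trip described above and the addcslashes() pitfall from the last note, as an added example that is not from the original article. check() and the sample strings are constructed here.

```php
<?php
// Added example, not from the original article: addslashes()/stripslashes() and
// addcslashes()/stripcslashes() on constructed input, including the pitfall the
// addcslashes() note describes. check() is a helper constructed for this demo.
declare(strict_types=1);

function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: expected [$want], got [$got]");
    }
    echo str_pad($label, 22) . $got . "\n";
}

// Constructed input holding all four characters addslashes() targets: ' " \ and NUL
$raw = "O'Reilly said \"hi\" \\ " . "\0" . "end";

// addslashes() prefixes each of them; the NUL byte becomes the two characters \0
$escaped = addslashes($raw);
check('addslashes', $escaped, "O\\'Reilly said \\\"hi\\\" \\\\ \\0end");
check('round trip', stripslashes($escaped), $raw);

// Escaping twice is the classic magic_quotes bug: the backslashes double up again,
// and the stored value no longer matches what the user typed
check('escaped once', addslashes("it's"), "it\\'s");
check('escaped twice', addslashes(addslashes("it's")), "it\\\\\\'s");

// addcslashes() escapes exactly the characters you list; ".." expresses a range
check('addcslashes range', addcslashes('foo[bar]', 'A..Z'), 'foo[bar]');
check('addcslashes upper', addcslashes('Foo[Bar]', 'A..Z'), '\Foo[\Bar]');
check('stripcslashes', stripcslashes('\Foo[\Bar]'), 'Foo[Bar]');

// The pitfall: listing n turns every letter n into \n, which stripcslashes() (and
// C or PHP source code) reads back as a line feed, not as the letter
$pitfall = addcslashes('banana', 'n');
check('pitfall escaped', $pitfall, 'ba\na\na');
check('pitfall decoded', bin2hex(stripcslashes($pitfall)), bin2hex("ba\na\na"));
```

The last two checks are the note's warning in action: the escaped form looks harmless, but any consumer that honours C escape sequences turns the letters back into control characters.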
htmlentities() converts characters to HTML entities. (What is an HTML entity? Google it yourself ~~)
For details of the parameters see the manual. Its inverse, html_entity_decode(), converts HTML entities back to characters.
The htmlspecialchars() function converts a few predefined characters into HTML entities.
The predefined characters are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039; (only when the ENT_QUOTES flag is passed)
< (less than) becomes &lt;
> (greater than) becomes &gt;
For details of the parameters see the manual. Its inverse, htmlspecialchars_decode(), converts these predefined HTML entities back into characters.
Some experiences of my own:
> Single quotes in input may cause database security problems.
> Escaping with mysql_escape_string() is not recommended; escape the data at the point where user input is received instead.
> Because set_magic_quotes_runtime() is deprecated in PHP 5.3.0 and later, it is recommended to disable the option explicitly on earlier versions:
The code is as follows:
if (version_compare(PHP_VERSION, '5.3.0', '<')) {
    set_magic_quotes_runtime(0);   // turn off automatic escaping of data read from files and databases
}
> magic_quotes_gpc cannot be set from a function, so it is recommended to enable it on the server; when writing a program you should still check it, to avoid the security problems that follow when GPC escaping is not enabled.
When using addslashes() to escape GPC data, note that when the user submits an array, both the keys and the values must be escaped:
The code is as follows:
if (!get_magic_quotes_gpc()) {
    $_GET    = daddslashes($_GET);
    $_POST   = daddslashes($_POST);
    $_COOKIE = daddslashes($_COOKIE);
    $_FILES  = daddslashes($_FILES);
}

// Recursively applies addslashes() to every key and every value of $string,
// descending into nested arrays. $force is accepted for compatibility with
// callers; this version always escapes.
function daddslashes($string, $force = 1) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            // foreach iterates over a copy of the array, so re-keying inside the loop is safe
            unset($string[$key]);
            $string[addslashes($key)] = daddslashes($val, $force);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}
> Escape HTML entities in user input or output to prevent XSS vulnerabilities!
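One way to act on the last point and on the htmlspecialchars() section above, as an added example that is not from the original article. escapeHtml() and check() are helper names constructed here, and so is the sample input. It also shows two details the entity list does not: the single quote is only converted when ENT_QUOTES is passed (ENT_COMPAT was the default before PHP 8.1), and escaping text that already contains entities double-encodes the ampersand unless the double_encode parameter is set to false.

```php
<?php
// Added example, not from the original article: an HTML escaping helper built on
// htmlspecialchars(), plus the entity round trip with html_entity_decode().
// escapeHtml(), check() and the sample input are constructed for this demo.
declare(strict_types=1);

function escapeHtml(string $s): string
{
    // ENT_QUOTES also converts the single quote, ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of returning an empty string
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: expected [$want], got [$got]");
    }
    echo str_pad($label, 22) . $got . "\n";
}

// Constructed sample containing all five predefined characters
$userInput = "<script>alert('x')</script> & \"O'Reilly\"";

check('escaped', escapeHtml($userInput),
      "&lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt; &amp; &quot;O&#039;Reilly&quot;");

// With ENT_COMPAT (the default before PHP 8.1) the single quote survives, so the
// result is not safe inside a single-quoted attribute value
check('ENT_COMPAT', htmlspecialchars("it's", ENT_COMPAT), "it's");
check('ENT_QUOTES', escapeHtml("it's"), 'it&#039;s');

// Escaping already-escaped text double-encodes the ampersand; double_encode=false
// leaves existing valid entities untouched
check('double encoded', escapeHtml('&amp;'), '&amp;amp;');
check('double_encode=false', htmlspecialchars('&amp;', ENT_QUOTES, 'UTF-8', false), '&amp;');

// htmlentities() converts every character that has a named entity, not just five
check('htmlentities', htmlentities('café', ENT_QUOTES, 'UTF-8'), 'caf&eacute;');

// The decode functions are the inverses, so an escaped value round-trips exactly
check('round trip', html_entity_decode(escapeHtml($userInput), ENT_QUOTES, 'UTF-8'), $userInput);

// An invalid byte is replaced rather than making the whole output empty
check('invalid utf-8', escapeHtml("a\xFFb"), "a\xEF\xBF\xBDb");
```

Escape at output time, in the helper, rather than storing escaped text: the round-trip check shows the stored original can always be reproduced, while escaping on the way in leads straight to the double-encoding case.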
Today I ran into a special-character handling problem, and noticed the following points about PHP again:
* A PHP string delimited by single quotes supports only two escape sequences: \' and \\
* A PHP string delimited by double quotes supports the following escape sequences:
\n line feed (LF, ASCII 0x0A (10))
\r carriage return (CR, ASCII 0x0D (13))
\t horizontal tab (HT, ASCII 0x09 (9))
\\ backslash
\$ dollar sign
\" double quote
\[0-7]{1,3} a sequence matching this regular expression is one character given in octal
\x[0-9A-Fa-f]{1,2} a sequence matching this regular expression is one character given in hexadecimal
For example:
A string containing a special character:
$str = "ffff\0ffff";
echo strlen($str);
echo "\n";
for ($i = 0; $i < strlen($str); $i++) echo ord($str[$i]) . " ";
echo "\n";
Output:
----------------------
9
102 102 102 102 0 102 102 102 102
Removing the special character:
$str = "ffff\0ffff";
$str = str_replace("\x0", "", $str);
// or $str = str_replace("\0", "", $str);
// or $str = str_replace(chr(0), "", $str);
echo strlen($str);
echo "\n";
for ($i = 0; $i < strlen($str); $i++) echo ord($str[$i]) . " ";
echo "\n";
Output:
----------------------
8
102 102 102 102 102 102 102 102
Octal ASCII code example:
// Note: a sequence matching the regular expression \[0-7]{1,3} is one octal ASCII code.
$str = "\0\01\02\3\7\10\011\08\8"; // in "\08" only the 0 is octal and the 8 is literal; "\8" is not an escape at all, so it stays as the two characters \ and 8 (ASCII 92 and 56)
echo strlen($str);
echo "\n";
for ($i = 0; $i < strlen($str); $i++) echo ord($str[$i]) . " ";
echo "\n";
Output:
----------------------
11
0 1 2 3 7 8 9 0 56 92 56
Hexadecimal ASCII code example:
$str = "\x0\x1\x2\x3\x7\x8\x9\x10\x11\xff";
echo strlen($str);
echo "\n";
for ($i = 0; $i < strlen($str); $i++) echo ord($str[$i]) . " ";
echo "\n";
Output:
----------------------
10
0 1 2 3 7 8 9 16 17 255
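The single-quoted rules from the list above, which the examples do not exercise, checked side by side with the double-quoted ones, as an added example that is not from the original article. bytes() and check() are helpers constructed here; bytes() prints the values the same way the loops above do. It also covers the digit limits of the octal and hex escapes and the effect of \$ on variable interpolation.

```php
<?php
// Added example, not from the original article: the single-quoted vs double-quoted
// escape rules, checked byte by byte. bytes() and check() are helpers constructed
// for this demo.
declare(strict_types=1);

// Byte values of $s as a space-separated list, like the loops in the article
function bytes(string $s): string
{
    return implode(' ', array_map('ord', str_split($s)));
}

function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: expected [$want], got [$got]");
    }
    echo str_pad($label, 30) . $got . "\n";
}

// Single quotes: only \' and \\ are escapes; everything else is literal text
check("single: \\n stays two bytes",    bytes('\n'),   '92 110');
check("single: \\' is one quote",       bytes('\''),   '39');
check("single: \\\\ is one backslash",  bytes('\\'),   '92');
check("single: \\x41 stays literal",    bytes('\x41'), '92 120 52 49');

// Double quotes: the full escape table applies
check('double: \n is LF',               bytes("\n"),   '10');
check('double: \x41 is A',              bytes("\x41"), '65');
check('double: \101 is A (octal)',      bytes("\101"), '65');
check('double: \$ keeps the $',         bytes("\$"),   '36');
check('double: unknown \q is kept',     bytes("\q"),   '92 113');

// Octal takes at most three digits and hex at most two; the rest is literal text
check('octal: \1011 is A then 1',       bytes("\1011"), '65 49');
check('hex: \x411 is A then 1',         bytes("\x411"), '65 49');

// "$" starts variable interpolation only inside double quotes, and \$ blocks it
$name = 'bob';
check('single: no interpolation',       '$name',   '$name');
check('double: interpolation',          "$name",   'bob');
check('double: \$ blocks interpolation', "\$name", '$name');
```

The "unknown escape" and digit-limit checks are the same behaviour the octal example above relies on with "\08" and "\8": an escape that does not match the table is kept as its literal characters, and extra digits after a complete escape are ordinary text.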