PHP character escape function summary (escape string in php) _ PHP Tutorial-php Tutorial

Source: Internet
Author: User
PHP character escape function summary (the escape string in php ). The article contains incorrect or ambiguous words. please point out ~~~ Configurations and functions related to PHP string escaping are as follows: 1. magic_quotes_runtime2.magic_quotes_gpc contains incorrect or ambiguous content ~~~

Configurations and functions related to PHP string escaping are as follows:
1. magic_quotes_runtime
2. magic_quotes_gpc
3. addslashes () and stripslashes ()
4. mysql_escape_string ()
5. addcslashes () and stripcslashes ()
6. htmlentities () and html_entity_decode ()
7. htmlspecialchars () and htmlspecialchars_decode ()

When magic_quotes_runtime is enabled, most php functions automatically add a backslash to overflow characters (including database or file) data introduced from the outside.
You can use set_magic_quotes_runtime () and get_magic_quotes_runtime ()‍Sets and detects its status.
Note: PHP5.3.0 and later versions have removed these two functions. that is to say, this option is disabled in PHP5.3.0 or later versions.

Magic_quotes_gpc determines whether to automatically escape certain characters in data sent by GPC (GET, POST, COOKIE,
You can use get_magic_quotes_gpc () to check its settings.
If this setting is not enabled, you can use the addslashes () function to add it to the string for escape.

Addslashes ()‍Add a backslash before the specified predefined character.
Predefined characters include single quotation marks ('), double quotation marks ("), backslash (\), and NUL (NULL ).
The above is the explanation given by W3SCHOOL. COM. CN.
Because when magic_quotes_sybase = on, it converts single quotes (') to double quotes ("). when magic_quotes_sybase = off, it converts single quotes (') (\')
Functions of stripslashes () function and addslashes ()‍On the contrary, the function is to remove the escape effect.

Use mysql_escape_string () to escape special characters in strings used in SQL statements.‍
Special items here include (\ x00), (\ n), (\ r), (\), ('), ("), (\ x1a)

Addcslashes ()‍In the C-language style, characters in character strings are escaped using backslash. This function is rarely used. However, note that when you select 0, a, B, f, n, when r, t, and v are escaped, they are converted to \ 0, \ a, \ B, \ f, \ n, \ r, \ t, and \ v. In PHP, only \ 0 (NULL), \ r (carriage return), \ n (linefeed), and \ t (TAB) are predefined escape sequences, in C, all the converted characters above are predefined escape sequences. Similarly, the function of stripcslashes () is to remove escape characters.

Htmlentities () converts characters to HTML entities. (What is an HTML object? GOOGLE by yourself ~~)
For specific parameters, see the reverse function html_entity_decode ()-‍Converts an HTML object to a character.

The htmlspecialchars () function converts some predefined characters into HTML objects.
The predefined characters are:
& (And number) become &
"(Double quotation marks)"
'(Single quotes)'
<(Less than) becomes <
> (Greater than) become>
‍For detailed parameters, see here. its inverse function is htmlspecialchars_decode () to convert some predefined HTML entities into characters.

Some of your own experiences:
> Multiple single quotes may cause database security problems.
> We do not recommend that you use mysql_escape_string for escape. we recommend that you use the escape function when obtaining user input.
> Because set_magic_quotes_runtime ()‍PHP5.3.0 and later versions have been deprecated. Therefore, we recommend that you disable the configuration for previous versions:

The code is as follows:


If (phpversion () <'5. 3.0 '){
Set_magic_quotes_runtime (0 );
}


‍> The magic_quotes_gpc cannot be defined through functions. Therefore, we recommend that you enable it on the server. when writing a program, you should check it to avoid security problems caused by not enabling GPC.
When using addslashes to escape GPC, you should note that when the user submits array data, filter the key value and value

The code is as follows:


If (! Get_magic_quotes_gpc ()){
$ _ GET = daddslashes ($ _ GET );
$ _ POST = daddslashes ($ _ POST );
$ _ COOKIE = daddslashes ($ _ COOKIE );
$ _ FILES = daddslashes ($ _ FILES );
}
Function daddslashes ($ string, $ force = 1 ){
If (is_array ($ string )){
Foreach ($ string as $ key => $ val ){
Unset ($ string [$ key]);
$ String [addslashes ($ key)] = daddslashes ($ val, $ force );
}
} Else {
$ String = addslashes ($ string );
}
Return $ string;
}


‍> Escape HTML entities in user input or output to prevent XSS vulnerability!

Today, I encountered a special character processing problem. I noticed this problem again in php:

* A php string with single quotes as the separator. two escape characters \ 'and \ are supported \\
* A php string with double quotation marks as the delimiter. the following escape characters are supported:
\ N line feed (LF or ASCII character 0x0A (10 ))
\ R press enter (CR or ASCII character 0x0D (13 ))
\ T horizontal tab (HT or ASCII character 0x09 (9 ))
\ Backslash
\ $ Dollar Sign
\ "Double quotation marks
\ [0-7] {} the regular expression sequence matches a character represented by the octal symbol
\ X [0-9A-Fa-f] {} this regular expression matches a sequence of characters represented by a Hexadecimal Symbol

For example:

An example with special characters \ 0:

$ Str = "ffff \ 0 ffff ";
Echo (strlen ($ str ));
Echo ("\ n ");
For ($ I = 0; $ I Echo ("\ n ");

Output result:
----------------------

9
102 102 102 102 0 102 102 102

Example of replacing special characters

$ Str = "ffff \ 0 ffff ";
$ Str = str_replace ("\ x0", "", $ str );
// Or use $ str = str_replace ("\ 0", "", $ str );
// Or use $ str = str_replace (chr (0), "", $ str );
Echo (strlen ($ str ));
Echo ("\ n ");
For ($ I = 0; $ I Echo ("\ n ");
Output result:
----------------------
8
102 102 102 102 102 102 102


Octal ascii code example:

// Note that the string that matches the regular \ [0-7] {} represents an octal ascii code.
$ Str = "\ 0 \ 01 \ 02 \ 3 \ 7 \ 10 \ 011 \ 08 \ 8"; // The \ 8 here does not meet the requirements, corrected to "\ 8" (ascii: 92 and 56)
Echo (strlen ($ str ));
Echo ("\ n ");
For ($ I = 0; $ I Echo ("\ n ");
Output result:
----------------------
11
0 1 2 3 7 8 9 0 56 92 56

Hexadecimal ascii code example:

$ Str = "\ x0 \ x1 \ x2 \ x3 \ x7 \ x8 \ x9 \ x10 \ x11 \ xff ";
Echo (strlen ($ str ));
Echo ("\ n ");
For ($ I = 0; $ I Echo ("\ n ");
Output result:
----------------------
10
0 1 2 3 7 8 9 16 17 255

Bytes ~~~ Configurations and functions related to PHP string escaping are as follows: 1. magic_quotes_runtime 2. magic_quotes_gpc...

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.