In the Web development process, we often have to get data from users from all over the world. However, we "can never trust the data entered by those users." Therefore, in a variety of web development languages, will provide a guarantee of user input data security functions. In PHP, there are some very useful and handy functions that can help you prevent problems like SQL injection attacks, XSS attacks, and so on.
1. Mysql_real_escape_string ()
This function has been a great help in preventing SQL injection attacks in PHP, and it adds "backslash" to special characters, like single quotes and double quotes, to ensure that the user's input is safe before using it to query. But you should be aware that you are using this function in connection with the database.
But now mysql_real_escape_string () This function is basically not used, all new application development should use a library such as PDO to operate the database, that is to say, we can use ready-made statements to prevent SQL injection attacks.
2. Addslashes ()
This function is similar to the mysql_real_escape_string () above, and is also a backslash for special characters, but be careful not to use this function when the value of MAGIC_QUOTES_GPC in the settings file php.ini is "on". MAGIC_QUOTES_GPC = ON, the Addslashes () is automatically run on all get, POST, and COOKIE data. Do not use Addslashes () on strings that have been escaped by MAGIC_QUOTES_GPC, because this can result in a double escape. You can check the value of this variable by using the GET_MAGIC_QUOTES_GPC () function in PHP.
3. Htmlentities ()
This function is useful for filtering user input data, which converts characters to HTML entities. For example, when a user enters the character "<", the function is converted to an HTML entity "<" (Viewing the source code will see "<"), thus preventing XSS and SQL injection attacks, and the unrecognized character set will be ignored and replaced by iso-8859-1
4. Htmlspecialchars ()
This function is similar to the above, some of the characters in HTML have a special meaning, if you want to embody this meaning, you will be converted to HTML entities, this function will return the converted string.
5. Strip_tags ()
This function can remove all the Html,javascript and PHP tags in the string, and of course you can omit to filter some specific tags by setting the function's second argument.
6. Intval ()
Intval actually does not belong to the filtered function, its role is to convert the variable to an integer type. This is useful when we need to get an integer parameter, and you can use this function to make your PHP code more secure, especially if you are parsing an integer data such as ID, age.
PHP on the form to submit special characters of the processing method to do a summary, mainly related to Htmlspecialchars/addslashes/stripslashes/strip_tags/mysql_real_escape_ Several functions, such as String, are used jointly to communicate with others.
One or several PHP functions related to special character processing
The name of the function |
Interpretation |
Introduced |
Htmlspecialchars |
Converts to HTML format with, single double quotes, greater than and less than |
& Turn & "Turn" ' Turn ' < Turn < > Turn > |
Htmlentities () |
All characters are converted to HTML format |
In addition to the above Htmlspecialchars characters, also include double-byte characters to display the encoding and so on. |
|
|
|
Addslashes |
Single double quotes, backslash and null plus backslash escape |
The changed characters include single quotation marks ('), double quotes ("), backslash backslash (\), and null character nulls. |
Stripslashes |
Remove backslash characters |
Remove the backslash character from the string. If you have two consecutive backslashes, remove one and leave one. If there is only one backslash, remove it directly. |
|
|
|
Quotemeta |
Add Reference symbol |
Contains the string. \\ + * ? [ ^ ] ($) Precede the character with the backslash "\" symbol. |
NL2BR () |
Convert newline characters to
|
|
Strip_tags |
Remove HTML and PHP tags |
Remove any HTML tags and PHP tags from the string, including marking the contents between the blocking. Note If there are errors in the string HTML and PHP tags, an error is returned. |
Mysql_real_escape_string |
Escape a special character in a SQL string |
The escape \x00 \ r \ n space \ ' "\X1A is effective for multibyte character processing. Mysql_real_escape_string will judge the character set, and mysql_escape_string is not to be considered. |
These are PHP built-in string filter functions, very simple and practical, I hope that the small partners can use them well.