Common PHP character-escaping functions

Source: Internet
Author: User
This article introduces the character-escaping and security functions commonly used in PHP, and shows how they are used to filter the most common attacks, such as SQL injection and cross-site scripting (XSS).

Contents of this section: usage of the PHP escape-character functions.

1. addslashes()
addslashes() escapes the characters that have special meaning inside a SQL string literal: the single quote ('), the double quote ("), the backslash (\) and NUL, four characters in all. It is intended for the case where the DBMS has no escape function of its own; when the DBMS does provide one, that function should be used instead, for example MySQL's mysql_real_escape_string(). Note that on PHP 5.3 and earlier the magic_quotes_gpc setting was often enabled, in which case PHP had already applied addslashes() to $_GET, $_POST and $_COOKIE, so calling addslashes() again on those variables double-escaped the data. magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so on a current PHP version this is no longer a concern. stripslashes() is the inverse of addslashes().

2. htmlspecialchars()
htmlspecialchars() converts the few characters that have special meaning in HTML into HTML entities (form: &xxxx;). Five characters are affected:

  &  (ampersand)       ->  &amp;
  "  (double quote)    ->  &quot;   (unless ENT_NOQUOTES is set)
  '  (single quote)    ->  &#039;   (only when ENT_QUOTES is set; since PHP 8.1 the default flags include ENT_QUOTES)
  <  (less-than sign)  ->  &lt;
  >  (greater-than sign) ->  &gt;

htmlspecialchars() can be used to escape $_GET, $_POST and $_COOKIE data before it is written into a page, and so prevents XSS in HTML text and in quoted attribute values; it does not make data safe inside a JavaScript block, a URL or an unquoted attribute, which need their own escaping. Note that htmlspecialchars() escapes only the HTML characters considered to have security implications; to escape every character that has an HTML entity, use htmlentities(). htmlspecialchars_decode() is the decoding function for htmlspecialchars().

3. htmlentities()
htmlentities() converts every character in the string that has an HTML entity equivalent into that entity. html_entity_decode() is the decoding function for htmlentities().
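The following is an added example, not code from the original article, showing sections 2 and 3 in use: the same untrusted value escaped for a text node and for an attribute, the effect of the ENT_QUOTES flag, the difference between htmlspecialchars() and htmlentities(), and the round trip through the two decode functions. The payload strings are constructed test input; the helper name e() is an assumption of this example.

```php
<?php
// Added example (not from the original article): escaping untrusted input for
// HTML text and attribute contexts with htmlspecialchars()/htmlentities().
// The payload strings below are constructed test data.
declare(strict_types=1);

// Escape for an HTML text node or a quoted attribute value.
// ENT_QUOTES also escapes the single quote (before PHP 8.1 the default flags
// were ENT_COMPAT, which leaves ' alone); ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string for the whole value.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$payload = "<script>alert('x')</script>\" onmouseover=\"alert(1)";

// 1. Text node: the tag characters become entities and render as text.
echo "<p>" . e($payload) . "</p>\n";
// <p>&lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt;&quot; onmouseover=&quot;alert(1)</p>

// 2. Double-quoted attribute: the embedded quote cannot close the attribute.
echo '<input value="' . e($payload) . '">' . "\n";

// 3. Without ENT_QUOTES a single-quoted attribute is still breakable.
$single = "' onfocus='alert(1)";
echo "<input value='" . htmlspecialchars($single, ENT_COMPAT) . "'>\n"; // still injectable
echo "<input value='" . e($single) . "'>\n";                            // safe

// 4. htmlentities() converts every character that has a named entity, not
//    only the five with security meaning.
$text = "café © <b>";
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "\n"; // café © &lt;b&gt;
echo htmlentities($text, ENT_QUOTES, 'UTF-8') . "\n";     // caf&eacute; &copy; &lt;b&gt;

// 5. Round trip with the matching decode functions.
assert(htmlspecialchars_decode(e($payload), ENT_QUOTES) === $payload);
assert(html_entity_decode(htmlentities($text, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8') === $text);

// These functions do not make data safe inside a <script> block, a URL
// (use rawurlencode() there) or an unquoted attribute: escape per context.
```

Passing the flags and the charset explicitly, as e() does, makes the behaviour the same on every PHP version instead of depending on the 8.1 change to the defaults.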

4. mysql_real_escape_string()
mysql_real_escape_string() calls the MySQL client library function of the same name, which prepends a backslash (\) to NUL (\x00), \n, \r, \, ', " and \x1a, so that the value cannot break out of a SQL string literal and cause SQL injection. Because it goes through the client library it escapes according to the connection's character set, which addslashes() cannot do; that is why it is preferred over addslashes() for MySQL. (The mysql extension was removed in PHP 7.0; its replacement is mysqli_real_escape_string(), and prepared statements avoid the need to escape at all.) Note that you do not call stripslashes() on data read back from the database: the backslashes exist only in the SQL text, the SQL parser removes them when the statement is executed, and the value stored in the database is the original data without any backslash in front of it.
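The following is an added example, not code from the original article, covering sections 1 and 4 together: the same lookup query built without escaping, with addslashes(), with the connection-aware mysqli equivalent of mysql_real_escape_string(), and as a prepared statement. The attacker string is constructed; the two functions that take a mysqli connection are not called here because they need a live server, and the table and column names are assumptions of this example.

```php
<?php
// Added example (not from the original article): one lookup built four ways.
// The injection string is constructed test input; the users table and the
// mysqli connection passed to the two functions are placeholders.
declare(strict_types=1);

$name = "admin' OR '1'='1";   // constructed injection attempt

// 1. Unescaped: the quote terminates the literal and the OR is parsed as SQL.
$sqlBad = "SELECT id FROM users WHERE name = '$name'";
// SELECT id FROM users WHERE name = 'admin' OR '1'='1'

// 2. addslashes(): escapes ' " \ and NUL, so the literal stays closed.
//    It knows nothing about the connection character set, which is why the
//    manual prefers the DBMS-specific function when one exists.
$sqlSlashes = "SELECT id FROM users WHERE name = '" . addslashes($name) . "'";
// SELECT id FROM users WHERE name = 'admin\' OR \'1\'=\'1'

// 3. mysqli_real_escape_string(): the PHP 7+ replacement for
//    mysql_real_escape_string(). It also escapes \n \r and \x1a and honours
//    the connection charset, so it needs an open connection.
function lookup_escaped(mysqli $db, string $name): string
{
    return "SELECT id FROM users WHERE name = '" . $db->real_escape_string($name) . "'";
}

// 4. Prepared statement: the value never becomes part of the SQL text, so
//    nothing has to be escaped and the charset question disappears.
function lookup_prepared(mysqli $db, string $name): ?int
{
    $stmt = $db->prepare("SELECT id FROM users WHERE name = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

// The stored value is the original text: the backslashes exist only in the
// SQL literal and are consumed by the parser, so calling stripslashes() on
// rows read back from the database would corrupt legitimate backslashes.
echo $sqlBad, "\n", $sqlSlashes, "\n";
assert(addslashes($name) === "admin\\' OR \\'1\\'=\\'1");
assert(stripslashes(addslashes($name)) === $name);
```

Of the four, only the prepared statement keeps the data and the code apart structurally; the escaping variants are correct only as long as the value really lands inside a quoted string literal, so an integer column compared as WHERE id = $id would still be injectable with any of them.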

5. strip_tags()
strip_tags() removes NUL bytes, HTML tags and PHP tags from a string.

6. Conclusion
PHP's built-in escape and filter functions do not by themselves eliminate XSS, in particular when some HTML must be allowed through; for that case a dedicated filter such as HTML Purifier is recommended.
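The following is an added example, not code from the original article, illustrating section 5 and the conclusion: what strip_tags() removes, why allowing even one tag re-opens XSS (the PHP manual documents that attributes on allowed tags are left untouched), and the two alternatives the article points to. The input strings are constructed; the HTML Purifier call assumes that library is installed and autoloadable, since it is not part of PHP.

```php
<?php
// Added example (not from the original article): what strip_tags() removes
// and why it is not an XSS filter once any tag is allowed. The input strings
// are constructed; the HTML Purifier call assumes the library is installed
// and autoloadable (it is not part of PHP).
declare(strict_types=1);

// NUL bytes, HTML tags and PHP tags are stripped; the text between tags stays,
// so the script body survives as harmless text.
$raw = "Hello\0<b>bold</b><?php echo 1; ?><script>alert(1)</script>";
assert(strip_tags($raw) === 'Helloboldalert(1)');

// Allowing a tag keeps that tag with all of its attributes, event handlers
// included, so the result is still an XSS vector.
$allowed = strip_tags('<b onmouseover="alert(1)">x</b><img src=x onerror=alert(1)>', '<b>');
assert($allowed === '<b onmouseover="alert(1)">x</b>');

// If no markup is needed, do not strip: escape the whole value for the
// output context instead, which is what htmlspecialchars() is for.
$safeText = htmlspecialchars($allowed, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo $safeText, "\n";
// &lt;b onmouseover=&quot;alert(1)&quot;&gt;x&lt;/b&gt;

// If some markup must be allowed, use a whitelist-based HTML filter such as
// HTML Purifier; its default configuration keeps <b> and drops the handler.
if (class_exists('HTMLPurifier')) {
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    $safeHtml = $purifier->purify($allowed);
    echo $safeHtml, "\n";   // <b>x</b>
}
```

The two assertions are the whole point: strip_tags() with no allowed tags is a blunt text extractor, and strip_tags() with allowed tags is not a sanitizer at all.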

PHP escaping in detail

The magic-quotes mechanism: when magic_quotes_gpc or magic_quotes_runtime is set to On, PHP automatically adds a backslash in front of single quotes ('), double quotes ("), backslashes (\) and NUL in the data covered by that setting, so that the data can be placed in a SQL statement without breaking it. The two settings differ in scope and in when they act:

magic_quotes_gpc
  Scope: data received from the web client (GET, POST and cookies).
  Time: at the start of the request, before the script runs.

magic_quotes_runtime
  Scope: data the script reads while it is running, for example from a file, from exec() or from a SQL query result.
  Time: each time the script reads such data.

So magic_quotes_gpc affects the values obtained through $_GET, $_POST and $_COOKIE, while magic_quotes_runtime affects data read from files or returned by database queries. The related functions are:

  set_magic_quotes_runtime(): sets magic_quotes_runtime; 0 = off, 1 = on. The default is off. The current value can also be seen in the output of phpinfo().
  get_magic_quotes_gpc(): returns the magic_quotes_gpc value; 0 = off, 1 = on.
  get_magic_quotes_runtime(): returns the magic_quotes_runtime value; 0 = off, 1 = on.

Note that there is no set_magic_quotes_gpc(): magic_quotes_gpc cannot be changed from within the program. Because the two settings can be on or off independently of each other, they cause confusion in programming and accidental double escaping. Either check both values at the start of the program and strip or escape accordingly, or turn both off in the configuration and leave escaping entirely to the program: call addslashes() (or the DBMS's own escape function) on the values when building the statement. With both settings off, data read back from the database is the original text and needs no stripslashes(); stripslashes() is only needed to undo backslashes that magic_quotes_runtime added to query results, or that magic_quotes_gpc added to request data that is going to be used somewhere other than inside a SQL literal. (All of this has since been removed from PHP: magic quotes in 5.4, set_magic_quotes_runtime() in 7.0, and get_magic_quotes_gpc()/get_magic_quotes_runtime() in 8.0.)
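The following is an added example, not code from the original article, of the "check at the start of the program" approach described above: the magic_quotes_gpc backslashes are removed once, recursively, so that the rest of the code can escape exactly once at the point of use. The request data at the end is constructed to look like what a magic-quoted PHP 5 would have produced; the helper names are assumptions of this example, and on PHP 5.4 and later the two guarded branches never run.

```php
<?php
// Added example (not from the original article): undo magic_quotes_gpc once at
// request start so the rest of the code escapes exactly once. The superglobal
// contents at the end are constructed; the code is a no-op on PHP 5.4+, where
// magic quotes no longer exist.
declare(strict_types=1);

// Recursively remove the backslashes magic_quotes_gpc added. Request arrays
// nest (e.g. $_POST['user']['name']), so a plain stripslashes() is not enough.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

function magic_quotes_gpc_enabled(): bool
{
    // get_magic_quotes_gpc() was deprecated in 7.4 and removed in 8.0, and
    // always returned false from 5.4 on, so guard the call.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

if (magic_quotes_gpc_enabled()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// magic_quotes_runtime re-escaped data the script read (files, exec(), query
// results). set_magic_quotes_runtime() was removed in PHP 7.0.
if (function_exists('set_magic_quotes_runtime') && get_magic_quotes_runtime()) {
    @set_magic_quotes_runtime(0);
}

// Demonstration with a constructed request body, as a magic-quoted PHP 5
// would have produced it from the form values  O'Reilly  and  a"b
$_POST = ['name' => "O\\'Reilly", 'tags' => ["a\\\"b", 'plain']];
$clean = strip_magic_quotes($_POST);
assert($clean['name'] === "O'Reilly");
assert($clean['tags'][0] === 'a"b');
assert($clean['tags'][1] === 'plain');

// Now escape once, at the point of use, and only for the SQL context.
$sql = "INSERT INTO people (name) VALUES ('" . addslashes($clean['name']) . "')";
echo $sql, "\n";   // INSERT INTO people (name) VALUES ('O\'Reilly')
```

Doing the stripping in one place at request start is what keeps the rest of the code base free of the "is this value already escaped?" question that the two settings create.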

Summary of the related PHP character-conversion functions:

  addslashes()               adds a backslash before the specified predefined characters
  stripslashes()             removes the backslashes added by addslashes()
  htmlspecialchars()         converts some predefined characters to HTML entities
  htmlspecialchars_decode()  converts some predefined HTML entities back to characters
  html_entity_decode()       converts HTML entities to characters
  htmlentities()             converts characters to HTML entities