PHP filtering and processing of special characters for form submission

Source: Internet
Author: User

| Function | Interpretation | Description |
|---|---|---|
| htmlspecialchars | Converts &, single and double quotes, and the greater-than and less-than signs into HTML format | & becomes &amp;amp;; " becomes &amp;quot;; ' becomes &amp;#039;; < becomes &amp;lt;; > becomes &amp;gt; |
| htmlentities() | Converts all characters to HTML format | In addition to the htmlspecialchars characters above, double-byte characters are displayed as encodings. |
| addslashes | Escapes single and double quotes, the backslash, and NUL by adding a backslash | The characters changed are the single quotation mark ('), the double quotation mark ("), the backslash (\), and the null character NUL. |
| stripslashes | Removes backslash characters | Removes the backslash characters from the string. Two consecutive backslashes are reduced to one; a single backslash is removed. |
| quotemeta | Adds quoting symbols | Precedes each of the characters . \ + * ? [ ^ ] ( $ ) in the string with a backslash "\". |
| nl2br() | Turns newline characters into <br> | |
| strip_tags | Removes HTML and PHP tags | Removes any HTML and PHP tags from the string, including the content between the tags. Note that if there is an error in the string's HTML and PHP tags, an error will also be returned. |
| mysql_real_escape_string | Escapes special characters in SQL strings | Escapes \x00, \n, \r, space, \, ', " and \x1a, which is useful for multibyte character processing. mysql_real_escape_string takes the character set into account; mysql_escape_string does not. |

Reposted from http://blog.csdn.net/jianglei421/article/details/5460810

In general, I use this:

KindEditor editor:
Data from POST goes through addslashes and can then be stored in the database; after retrieval it can be echoed directly.

Normal text:
1. htmlspecialchars, then addslashes, then store in the database; after retrieval it can be echoed directly.
2. addslashes, then store in the database; apply htmlspecialchars on output after retrieval.


Description:
addslashes is only there so that the original characters get into the database correctly.
htmlspecialchars converts the HTML tags.
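
As an added example (not part of the original post), here is flow 2 above end to end: the text is stored with its original characters and htmlspecialchars is applied only on output. It assumes PHP 7+ with the PDO SQLite driver and uses a bound parameter in place of addslashes; the table and function names are hypothetical.

```php
<?php
// Added example, not code from the original post. Table and function names
// are hypothetical; in-memory SQLite stands in for the real database.

// Store the original characters. The bound parameter is a substitution for
// addslashes(): the value never becomes part of the SQL text.
function save_comment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Convert HTML special characters only when the value is written into a page.
function render_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = (string) $stmt->fetchColumn();
    // ENT_QUOTES also converts the single quote; nl2br keeps the line breaks.
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input: both quote types, a backslash, a tag, a newline.
$input = "O'Reilly said \"C:\\temp\" <b>works</b>\nsecond line";

// For comparison: the escaped form addslashes() would place in a SQL string.
echo 'addslashes: ', addslashes($input), PHP_EOL;

$id = save_comment($db, $input);

// What the database holds is the original text, unchanged.
$stored = $db->query('SELECT body FROM comments WHERE id = ' . $id)->fetchColumn();
echo 'stored unchanged: ', var_export($stored === $input, true), PHP_EOL;

// What goes to the browser is the HTML-encoded form.
echo 'output: ', render_comment($db, $id), PHP_EOL;
```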

Extra:

The role of the magic_quotes_gpc option in PHP is to process data that comes from the user, namely POST, GET, and cookie data, by adding the escape character "\" so that the data does not cause the program, and database statements in particular, to hit fatal errors through pollution by special characters.

With magic_quotes_gpc=on, characters in the input data such as single quotation marks ('), double quotation marks ("), backslashes (\), and NUL (the NULL character) are all prefixed with a backslash. These escapes are necessary, and if the option is off we must call the addslashes function ourselves to escape the string.

Precisely because of the contradiction that this option must be on yet is left to the user to configure, PHP6 removed it, and all code has to run as under magic_quotes_gpc=off. In such an environment, if user data is not escaped, the result is not just a program error; it can equally expose the database to injection attacks. So from now on, do not rely on this setting being on; otherwise, the day your server is updated to PHP6, your program will stop working properly.



When magic_quotes_gpc=on, the function get_magic_quotes_gpc() returns 1.

When magic_quotes_gpc=off, the function get_magic_quotes_gpc() returns 0.
