The day before yesterday, Tianyuan made a batch modification to the content of his blog posts. Because of a bug in the source program, many backslashes in paths and code were removed. The problem was only discovered yesterday, when bankw3000 left a message; some corrections have been made, but some paths still have problems. If you find a path on this blog that has lost its backslash (\), please leave a message and Tianyuan will fix it again. In this article Tianyuan summarizes how PHP handles special characters in form submissions, mainly the combined use of htmlspecialchars, addslashes, stripslashes, strip_tags, mysql_real_escape_string and related functions.
I. Several PHP functions related to special-character processing
| Function name | Meaning | Introduction |
| --- | --- | --- |
| htmlspecialchars | Converts the ampersand, single and double quotation marks, and the greater-than and less-than signs to HTML entities | & becomes &amp; " becomes &quot; ' becomes &#039; < becomes &lt; > becomes &gt; |
| htmlentities() | Converts all applicable characters to HTML entities | In addition to the characters covered by htmlspecialchars, two-byte characters are also output as entity codes. |
| addslashes | Escapes single quotation marks, double quotation marks, backslashes and NUL with a backslash | The affected characters are the single quotation mark ('), double quotation mark ("), backslash (\) and NUL. |
| stripslashes | Removes backslashes | Removes backslashes from the string. Two consecutive backslashes are reduced to one; a single backslash is removed outright. |
| quotemeta | Adds a quoting backslash | Prefixes the characters . \ + * ? [ ^ ] $ ( ) in the string with a backslash (\). |
| nl2br() | Converts line breaks | Inserts an HTML line break (<br />) before each newline in the string. |
| strip_tags | Removes HTML and PHP tags | Removes all HTML and PHP tags from the string, including the content enclosed by the tag markers. Note: if the HTML or PHP tags in the string are malformed, an error results. |
| mysql_real_escape_string | Escapes special characters in a SQL string | Escapes \x00, \n, \r, \, ', " and \x1a, and is effective for multi-byte characters. mysql_real_escape_string takes the connection's character set into account; mysql_escape_string does not. |
For other string-processing functions, see: regular-expression string replacement in PHP and a comparison of the split functions.
The following is a summary of special-character processing for common forms.
Test string (the HTML, script and PHP tags are part of the string; the blank lines stand for the consecutive line breaks it also contains):
```php
$dbstr = 'd:\test
<a href="http://www.metsky.com">http://www.metsky.com</a>, Tianyuan blog
\'!=\'1\' OR \'1\'

<script>alert("Fail");</script>


<?php echo "php output"; ?>';
```
Test code:
```php
header("Content-Type: text/html; charset=UTF-8");
echo "------------------------------------------------------<br />\r\n";
echo $dbstr . "<br />\r\n------------------------------------------------------<br />\r\n";
$str = fnAddSlashes($_POST['DD']); // fnAddSlashes is defined in section II.1 below
echo $str . "<br />\r\n------------------------------------------------------<br />\r\n";

// Of several consecutive whitespace characters, keep only the last one. The replacement
// must be an empty string: "\1" in a double-quoted PHP string is the control byte chr(1).
$str = preg_replace('/\s(?=\s)/', '', $str);
$str = str_replace("\r", "<br />", $str);
$str = str_replace("\n", "<br />", $str);
$str = preg_replace('/((<br \/>)+)/i', '<br />', $str); // of several consecutive <br /> tags, keep only one

$str = stripslashes($str);
echo strip_tags($str) . "<br />\r\n------------------------------------------------------<br />\r\n";
echo htmlspecialchars($str) . "<br />\r\n------------------------------------------------------<br />\r\n";
echo htmlentities($str) . "<br />\r\n------------------------------------------------------<br />\r\n";
// mysql_escape_string ignores the connection character set and was removed in PHP 7; see section II.3
echo mysql_escape_string($str) . "<br />\r\n------------------------------------------------------<br />\r\n";
```
The string contains: a backslash path, single and double quotation marks, HTML tags, links, unclosed HTML tags, a database syntax-error tolerance test, a JavaScript execution check, a PHP execution check, and multiple consecutive carriage returns, line feeds and spaces. Some of these categories overlap; the same applies below.
The output of the raw string is as follows (the JS script is executed):
II. Data processing for form submission
1. Force-add a backslash
Because some hosts enable magic quotes (get_magic_quotes_gpc) by default while others disable them, it is best for the program itself to add the backslashes so that the data can be handled uniformly. The characters involved are single quotation marks, double quotation marks and backslashes.
```php
function fnAddSlashes($data)
{
    // Magic quotes only escape POST/GET/cookie data; if they are off, escape here instead.
    // (get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0.)
    if (!get_magic_quotes_gpc())
        return is_array($data) ? array_map('addslashes', $data) : addslashes($data);
    else
        return $data;
}
```
The result of using the fnAddSlashes($data) function is as follows (the JavaScript is no longer executed, but the HTML, JS and PHP tags still need to be handled):
The result after stripslashes, line-break replacement and space replacement is as follows:
2. Special-character processing
The following are several common string-processing methods, which can be chosen according to the actual situation. Because the data in the submitted form has already been escaped once, if you need to replace or filter content, consider the effect of addslashes on the characters involved: when replacing or searching for them, remember to add a backslash. Replacement of other characters is not affected, for example the replacement of \r and \n.
A. Retain only one of several consecutive spaces
```php
// Of several consecutive whitespace characters, keep only the last one; the replacement is an
// empty string ("\1" in double quotes would insert the control byte chr(1), not a back-reference).
$data = preg_replace('/\s(?=\s)/', '', $data);
```
B. Replace line breaks
```php
$data = str_replace("\r", "<br />", $data);
$data = str_replace("\n", "<br />", $data);
// <br> is the default in HTML and is not closed; XHTML uses the closed form <br />.
// <br /> is recommended; for more on the differences see
// http://stackoverflow.com/questions/1946426/html-5-is-it-br-br-or-br
```
C. Retain only one of several consecutive <br /> tags
```php
$data = preg_replace('/((<br \/>)+)/i', '<br />', $data); // of several consecutive <br /> tags, keep only one
```
D. Filter all HTML tags
This method filters out all potentially dangerous tags, including HTML, links, unclosed HTML tags, JS and PHP.
Use the strip_tags($data) function.
After this function is used, all HTML tags (including links), PHP tags and JS code are filtered. For links, the original link text is retained and only the tag and its href are removed; PHP and JS tags are removed as a whole, including their content, for example:
E. Do not filter tags, just convert them to HTML entities
This method treats all of the originally submitted content as plain text.
Using the htmlspecialchars($data) function, all submitted data is displayed as plain text after the function is executed, for example:
Execution result using the htmlentities function (Chinese characters are displayed as garbled text):
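The steps A to E above combined into one function, as an added example that is not code from the original post: the order matters, because htmlspecialchars() must run before the <br /> tags are inserted, otherwise those tags are entity-encoded along with the user's own tags. The function name renderSubmittedText and the sample input are assumptions made for this example.

```php
<?php
// Added example, not from the original post: steps A to E in one function,
// ordered so that they do not undo each other.

// $raw is the value as PHP received it; $slashesAdded says whether magic
// quotes or fnAddSlashes() above already put backslashes into it.
function renderSubmittedText(string $raw, bool $slashesAdded): string
{
    // Undo the input escaping only if it was really applied, so a genuine
    // backslash such as the one in d:\test is not lost.
    $str = $slashesAdded ? stripslashes($raw) : $raw;

    // E: show everything as text. ENT_QUOTES also converts single quotes,
    // ENT_SUBSTITUTE (PHP 5.4+) replaces invalid UTF-8 instead of returning
    // an empty string, and the charset matches the Content-Type header sent.
    $str = htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // A: keep only one of several consecutive spaces or tabs. Newlines are
    // excluded here because the next step handles them. The replacement is
    // an empty string; "\1" in a double-quoted PHP string would be chr(1).
    $str = preg_replace('/[ \t](?=[ \t])/', '', $str);

    // B: turn every kind of line ending into <br /> ("\r\n" first, so that
    // it yields one tag rather than two).
    $str = str_replace(["\r\n", "\r", "\n"], '<br />', $str);

    // C: collapse runs of <br /> into a single tag.
    $str = preg_replace('#(<br />)+#i', '<br />', $str);

    return $str;
}

// Constructed input modelled on the test string above, as addslashes() would
// deliver it when magic quotes are on.
$posted = addslashes("d:\\test\r\n<a href=\"http://www.metsky.com\">Tianyuan blog</a>\r\n\r\n"
    . "'1' OR '1'    <script>alert(\"Fail\");</script>");
echo renderSubmittedText($posted, true), "\n";
```

The path keeps its backslash, the link and script appear as literal text, and the three line endings become a single <br />.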
3. Write data to the database
Because data from trusted users can be written to the database directly after addslashes($data), but addslashes cannot intercept a single quote submitted as the byte sequence 0xbf27, it is best to use mysql_real_escape_string or mysql_escape_string for escaping. However, the backslashes must be removed before escaping (assuming addslashes is applied by default).
```php
function fnEscapeStr($data)
{
    if (get_magic_quotes_gpc())
    {
        $data = stripslashes($data); // undo the escaping that magic quotes already applied
    }
    // mysql_escape_string ignores the connection character set; mysql_real_escape_string($data, $link)
    // takes it into account (both were removed in PHP 7).
    $data = "'" . mysql_escape_string($data) . "'";
    return $data;
}

$data = fnEscapeStr($data);
```
After execution, for example:
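A byte-level look at the 0xbf27 case mentioned above, as an added example that is not code from the original post: it shows why addslashes() cannot stand in for a charset-aware escape such as mysql_real_escape_string() (or mysqli_real_escape_string() after mysqli_set_charset()). The function quoteLeftUnescaped is an assumption of this example; mb_str_split() requires PHP 7.4 or later.

```php
<?php
// Added example, not from the original post: checks whether the escaping
// produced by addslashes() still holds once the bytes are read under a
// given character set.

// Splits $escaped into characters the way a database reading it under
// $charset would, and returns true if a single quote remains that is not
// preceded by a backslash character, i.e. the escaping did not hold.
function quoteLeftUnescaped(string $escaped, string $charset): bool
{
    $chars = mb_str_split($escaped, 1, $charset);
    foreach ($chars as $i => $c) {
        if ($c === "'" && ($i === 0 || $chars[$i - 1] !== '\\')) {
            return true;
        }
    }
    return false;
}

// Constructed input: the byte 0xBF followed by a single quote.
$input   = "\xbf'";
$escaped = addslashes($input);   // addslashes() inserts 0x5C before the quote
echo bin2hex($escaped), "\n";

// Under a single-byte charset the inserted backslash is a character of its
// own, so the quote stays escaped.
var_dump(quoteLeftUnescaped($escaped, 'ISO-8859-1'));

// Under GBK the bytes 0xBF 0x5C are read as one two-byte character: the
// backslash is swallowed and the quote is a bare string delimiter again.
// A charset-aware escape knows that 0xBF starts a two-byte sequence; with a
// UTF-8 connection (mysqli_set_charset($link, 'utf8mb4')) the problem does
// not arise, and prepared statements avoid string escaping altogether.
var_dump(quoteLeftUnescaped($escaped, 'GBK'));
```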
4. Instant display after submission
1. If addslashes was used above, the backslashes must be removed before the data is displayed.
Use the stripslashes($data) function.
Note that this function is only intended for data processed by addslashes($data); use it with caution, otherwise backslashes in the content (for example in folder paths and drive paths) may be lost. The error on Tianyuan's blog a few days ago was caused by exactly this: the function was used when reading from the database (the code is old code, and I forgot to modify it), and when the data was written back to the database the backslashes in many paths were lost; otherwise this article would not exist.
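A simulation of the mistake described above, as an added example that is not code from the original post: stripslashes() is the inverse of the escaping applied on input, and applied a second time, to data read back from the database, it also removes the genuine backslashes in paths. The function names and the sample path are assumptions of this example.

```php
<?php
// Added example, not from the original post: why stripslashes() belongs on
// the input side only, never on a value read back from the database.

// Correct display of a value read from the database: no stripslashes().
function displayFromDb(string $row): string
{
    return htmlspecialchars($row, ENT_QUOTES, 'UTF-8');
}

// The bug: stripslashes() applied to the stored value as well.
function displayFromDbBuggy(string $row): string
{
    return htmlspecialchars(stripslashes($row), ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a Windows path typed into the form.
$submitted = 'd:\test\blog';

// Input side: magic quotes / fnAddSlashes() double every backslash so the
// value can be placed inside a quoted SQL literal.
$escaped = addslashes($submitted);

// The SQL parser consumes the escape characters on INSERT, so the database
// stores the original text; stripslashes() models that step here.
$stored = stripslashes($escaped);

echo displayFromDb($stored), "\n";       // the path is shown intact
echo displayFromDbBuggy($stored), "\n";  // every backslash has disappeared
```

Guard the call instead of applying it everywhere: strip only the value that came from the request, and only when magic quotes or fnAddSlashes() actually added the backslashes.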
2. When the htmlspecialchars($data) function is used, all submitted data is displayed as text after the function is executed. Unless links are allowed and given special handling, htmlspecialchars output can be used as a rule, especially for unclosed HTML tags: if no tag conversion or filtering is used, the output may break the page layout.
Htmlentities is not recommended. On the one hand it makes the output source code much harder to read; in addition, the htmlentities function causes double-byte characters such as Chinese to be displayed as a string of garbled characters, while other characters are displayed normally.
The second output method, direct output as-is, can be used where needed if it is confirmed that the content contains no illegal tags or potential execution risk.