- $html = Array ();
- $html [' username '] = htmlentities ($clean [' username '], ent_quotes, ' utf-8 ');
- echo "
Welcome back, {$html [' username ']}. ";
- ?>
Copy CodeTip the Htmlspecialchars () function is basically the same as the htmlentities () function, whose parameter definitions are identical, except that the escape of htmlentities () is more thorough. by $html[' username ' to output the username to the client, you can ensure that the special characters are not interpreted by the browser incorrectly. If the username contains only letters and numbers, it is not necessary to actually escape, but this embodies the principle of deep defense. Escaping any output is a very good habit and it can dramatically improve the security of your software. Another common output target is the database. If possible, the data in the SQL statement needs to be escaped using PHP built-in functions. For MySQL database users, the best escape function is mysql_real_escape_string (). Addslashes () is the last option if you are using a database that does not have PHP built-in escape functions available. For example, the correct escape technique for MySQL database:
- $mysql = Array ();
- $mysql [' username '] = mysql_real_escape_string ($clean [' username ']);
- $sql = "SELECT *
- From profile
- where username = ' {$mysql [' username ']} ';
- $result = mysql_query ($sql);
- ?>
Copy CodePHP Filter Parameters Special characters anti-injection PHP filter illegal and special string method PHP instance: Special Character Handler example replace PHP code with special characters in super long text |