PHP String Escape Related Functions Summary (escaping strings in PHP) _php tips

Source: Internet
Author: User
Tags: ord, strlen
If the article contains mistakes or unclear wording, please point them out ~ ~ ~

The configuration options and functions related to PHP string escaping are as follows:
1. magic_quotes_runtime
2. magic_quotes_gpc
3. addslashes() and stripslashes()
4. mysql_escape_string()
5. addcslashes() and stripcslashes()
6. htmlentities() and html_entity_decode()
7. htmlspecialchars() and htmlspecialchars_decode()

When magic_quotes_runtime is on, most PHP functions automatically add backslashes to characters that need escaping in data coming from external sources (including databases or files).
You can use set_magic_quotes_runtime() and get_magic_quotes_runtime() to set and check its status.
Note: both functions are deprecated as of PHP 5.3.0, and the option is reportedly turned off by default in PHP 5.3.0 and later.

The magic_quotes_gpc setting automatically escapes certain characters in data from GPC (GET, POST, COOKIE).
You can use get_magic_quotes_gpc() to check its setting.
If this setting is not turned on, you can use the addslashes() function to escape the string yourself.

addslashes() adds a backslash before the specified predefined characters.
The predefined characters are the single quote ('), the double quote ("), the backslash (\) and NUL (the NULL byte).
The above is the explanation from w3school.com.cn; my feeling is that it is not very accurate,
because when magic_quotes_sybase=on it converts a single quote (') into two single quotes (''), and when magic_quotes_sybase=off it converts a single quote (') into (\').
The stripslashes() function does the opposite of addslashes(): it removes the escaping.

mysql_escape_string() escapes the special characters in a string that is to be used in an SQL statement.
The special characters are \x00, \n, \r, \, ', " and \x1a.

addcslashes() escapes characters in a string with backslashes in the C-language style. Few people use this function, but note that when you choose to escape the characters 0, a, b, f, n, r, t and v, they are converted to \0, \a, \b, \f, \n, \r, \t and \v. In PHP only \0 (NULL), \r (carriage return), \n (newline) and \t (tab) are predefined escape sequences, whereas in C all of the converted sequences above are predefined. Likewise, the stripcslashes() function removes that escaping.

htmlentities() converts characters to HTML entities. (What is an HTML entity? Google it yourself ~ ~)
For the specific parameters see the PHP manual; its inverse function html_entity_decode() converts HTML entities back to characters.

The htmlspecialchars() function converts a few predefined characters to HTML entities.
These predefined characters are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039; (only when the ENT_QUOTES flag is passed)
< (less than) becomes &lt;
> (greater than) becomes &gt;
For the detailed parameters see the PHP manual; the inverse function htmlspecialchars_decode() converts these predefined HTML entities back to characters.
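An added example (not the article's own code) showing which flags make htmlspecialchars() cover all five characters in the table above; $input is a constructed sample standing in for a user-supplied value, and h() is a hypothetical helper:

```php
<?php
// Added example, not code from the article.
// Constructed sample standing in for a user-supplied value.
$input = "Tom & Jerry's <b>\"show\"</b>";

// ENT_COMPAT (the default before PHP 8.1) escapes &, ", < and > but
// leaves the single quote alone, so it can still end a single-quoted attribute.
$compat = htmlspecialchars($input, ENT_COMPAT, 'UTF-8');
// Tom &amp; Jerry's &lt;b&gt;&quot;show&quot;&lt;/b&gt;

// ENT_QUOTES also turns ' into &#039;, matching the full table above.
$quotes = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
// Tom &amp; Jerry&#039;s &lt;b&gt;&quot;show&quot;&lt;/b&gt;

// Hypothetical helper for every value echoed into HTML: explicit flags and
// charset so the result does not depend on the PHP version's defaults.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Both attribute quoting styles are now safe.
echo "<a title='" . h($input) . "'>link</a>\n";
echo "<a title=\"" . h($input) . "\">link</a>\n";

// htmlspecialchars_decode() with the same flags is the exact inverse.
var_dump(htmlspecialchars_decode($quotes, ENT_QUOTES) === $input); // bool(true)
```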

A little of my own experience:
>> escaping single quotes more than once may cause database security problems
>> it is not recommended to use mysql_escape_string for escaping; it is recommended to escape at the moment user input is obtained
>> since set_magic_quotes_runtime() is deprecated in PHP 5.3.0 and later, for earlier versions it is recommended to turn it off uniformly in the startup code:

The code is as follows:

if (phpversion() < '5.3.0') {
    set_magic_quotes_runtime(0);
}

>> magic_quotes_gpc cannot be set from a function, so it is recommended to configure it uniformly on the server; the program should still check it, to avoid security problems caused by magic_quotes_gpc not being on
When GPC data is escaped via addslashes, note that both keys and values must be filtered when the user submits array data

The code is as follows:

$_GET = daddslashes($_GET);
$_POST = daddslashes($_POST);
$_COOKIE = daddslashes($_COOKIE);
$_FILES = daddslashes($_FILES);

// Recursively addslashes() an array (keys and values) or a scalar.
// $force is kept for compatibility with callers but is not used here.
function daddslashes($string, $force = 1) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            unset($string[$key]);
            $string[addslashes($key)] = daddslashes($val, $force);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}

>> escape HTML entities on user input or on output to prevent XSS vulnerabilities!
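An added example (not the article's or Discuz's code) for the two points above about double escaping and checking magic_quotes_gpc: it escapes GPC arrays (keys and values) exactly once. It assumes PHP 5.x where get_magic_quotes_gpc() exists; on later PHP the function is absent and is treated as "off". The function names and $sample input are constructed here.

```php
<?php
// Added example, not code from the article.

// True if PHP already added backslashes to GPC data (PHP 5.x); on PHP 8
// the function no longer exists, which we treat as "off".
function gpc_already_escaped()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Recursively addslashes() an array, escaping keys as well as values,
// because a user can submit a key containing a quote just as easily.
function escape_gpc($value)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $key => $val) {
            $out[addslashes($key)] = escape_gpc($val);
        }
        return $out;
    }
    return addslashes($value);
}

// Escape exactly once: skip if magic_quotes_gpc has already done it.
// Escaping twice turns O'Reilly into O\\\'Reilly and corrupts stored data.
function normalize_gpc($value)
{
    return gpc_already_escaped() ? $value : escape_gpc($value);
}

// Constructed sample standing in for $_POST.
$sample = array("name" => "O'Reilly", "tags" => array("a\"b" => "c\\d"));
var_dump(normalize_gpc($sample));

// The double-escape problem the article warns about:
$once  = addslashes("O'Reilly");   // O\'Reilly
$twice = addslashes($once);        // O\\\'Reilly  (what a second pass produces)
var_dump($once, $twice);
// Note: addslashes() is charset-unaware; for SQL prefer prepared statements
// or mysqli_real_escape_string(), which the article's own advice leans toward.
```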

Today I came across a file that handles special characters, and noticed this PHP issue again:

* A PHP string with single-quote delimiters supports two escapes: \' and \\
* A PHP string with double-quote delimiters supports the following escapes:
\n linefeed (LF or ASCII character 0x0A (10))
\r carriage return (CR or ASCII character 0x0D (13))
\t horizontal tab (HT or ASCII character 0x09 (9))
\\ backslash
\$ dollar sign
\" double quote
\[0-7]{1,3} this regular-expression sequence matches a character given in octal notation
\x[0-9A-Fa-f]{1,2} this regular-expression sequence matches a character given in hexadecimal notation

Give a few examples:

An example of a string that contains a special character:

$str = "FFFF\0FFFF";
echo(strlen($str));
echo("\n");
// $str[$i] instead of $str{$i}: the curly-brace offset syntax was removed in PHP 8
for ($i = 0; $i < strlen($str); $i++) echo("\t" . ord($str[$i]));
echo("\n");

Output results:

9
102 102 102 102 0 102 102 102 102

Example of replacing the special character:

$str = "FFFF\0FFFF";
$str = str_replace("\x0", "", $str);
// or: $str = str_replace("\0", "", $str);
// or: $str = str_replace(chr(0), "", $str);
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo("\t" . ord($str[$i]));
echo("\n");

Output results:

8
102 102 102 102 102 102 102 102

Octal ASCII code example:

Note that a sequence matching the regular expression \[0-7]{1,3} represents an octal ASCII code.

// The \8 here does not match the pattern, so it is kept as a literal backslash
// followed by 8 (ASCII 92 and 56), the same as writing "\\8".
$str = "\0\01\02\3\7\10\011\08\8";
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo("\t" . ord($str[$i]));
echo("\n");

Output results:

11
0 1 2 3 7 8 9 0 56 92 56

Hexadecimal ASCII code example:

$str = "\x0\x1\x2\x3\x7\x8\x9\x10\x11\xff";
echo(strlen($str));
echo("\n");
for ($i = 0; $i < strlen($str); $i++) echo("\t" . ord($str[$i]));
echo("\n");

Output results:

10
0 1 2 3 7 8 9 16 17 255
