Questions about the escape of submitted content

Source: Internet
Author: User
For more information about the submitted content escaping, please refer to the following link: Generally, when writing a PHP program, do you need to execute escaping before the textarea data is submitted to the database? because if there is php code in the content submitted by textarea will execute the PHP code in it. if you want to escape, what function is generally used? ------ solution ------------------ the external POST data will only be processed as a string, it is not executed as code. Question about escaping the submitted content entered by the user
When I write a PHP program
Whether to perform escape processing before the textarea data is submitted to the database
Because if php code is included in the content submitted by textarea, PHP code in the content may be executed.
What functions are generally used to escape them?

------ Solution --------------------
External POST data is processed only as strings and not as code. Filtering user input is a good habit. it can prevent SQL injection. both functions can be used in this respect.
Compared with addslashes, htmlspecialchars can also help you prevent XSS attacks. Therefore, the former is recommended.
------ Solution --------------------

Execute PHP code? Nonsense.

Enter the database addslashes.

------ Solution --------------------
The core of anti-SQL injection is to escape single and double quotation marks
Htmlspecialchars will escape it as an HTML object
Addslashes will add the escape character \ before the quotation marks, so Mysql will regard this as a normal quotation mark, rather than the string boundary mark.
------ Solution --------------------
The htmlspecialchars () function converts some predefined characters into HTML objects.
The predefined characters are:
& (And number) become &
"(Double quotation marks)"
'(Single quotes)'
<(Less than) becomes <
> (Greater than) become>

The addslashes () function adds a backslash before the specified predefined character.
The predefined characters are:
Single quotes (')
Double quotation marks (")
Backslash (\)

After comparing them, you will know what you should choose. textarea should also consider it...


Ask someone in the group today to say this.
Htmlspecialchars is only used to process some characters in HTML. if you use addslashes or mysql_escape_string to escape the characters, no problem will occur.

A little dizzy --

------ Solution --------------------
Htmlspecialchars converts the ampersand, single double quotation marks, greater than or less than signs into HTML format
& Convert &
> Convert to>

Htmlentities () all characters are converted to HTML format. in addition to the above htmlspecialchars characters, the two-byte characters are also displayed as encoding characters.

Addslashes single double quotation marks, backslash and NULL plus backslash escape
The modified characters include single quotation marks ('), double quotation marks ("), backslash (\), and NULL.

Stripslashes removes the backslash character from the string. If there are two backslash lines in a row, remove one and leave one. If there is only one backslash, remove it directly.

Quotemeta adds a reference symbol to include. \ + *? [^] ($) And other characters are preceded by the backslash "\" symbol.
Nl2br () converts a line break

Strip_tags remove HTML and PHP tags remove any HTML and PHP tags in the string, including the contents between Mark blocking. Note: if the HTML and PHP tags of the string are incorrect, an error is returned.

Special character escape \ x00 \ n \ r space \ '"\ x1a in mysql_real_escape_string escape SQL string, which is very effective for processing multi-byte characters. Mysql_real_escape_string determines the character set, and mysql_escape_string does not need to be considered.

------ Solution --------------------
Whether it is input or program-generated data, you may need to escape the special character "'" in the data warehouse.
The reason is simple:
Php transmits a string to the database. the database parses the string to complete the corresponding operation.
The database and the user have a convention: the character type value is enclosed in single quotes.
So when single quotes appear in the data, the database cannot accurately know whether the single quotes are single quotes or the string end mark.
So there is an escape.

As to whether other processing is required for warehouse receiving, the benevolent sees the wise.
I don't think it is necessary. the database is just a warehouse. what should be put in and retrieved?
To maximize data integrity, make necessary processing when getting and using data.

Of course, you must filter and process the incoming data. but when you want to check the original data that day, it is absolutely impossible.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.