Related functions for PHP string escaping

A summary of the PHP functions related to string escaping: for security reasons we sometimes need to escape strings supplied by the user.

If anything in this article is wrong or unclear, please point it out ~~~

The configuration settings and functions related to PHP string escaping are:
1. magic_quotes_runtime
2. magic_quotes_gpc
3. addslashes() and stripslashes()
4. mysql_escape_string()
5. addcslashes() and stripcslashes()
6. htmlentities() and html_entity_decode()
7. htmlspecialchars() and htmlspecialchars_decode()

When magic_quotes_runtime is on, most PHP functions that return data from an external source (including databases and files) automatically add backslashes to the special characters in that data.
You can use set_magic_quotes_runtime() and get_magic_quotes_runtime() to set and check its status.
Note: both functions are deprecated as of PHP 5.3.0, and the setting is reportedly always off in PHP 5.3.0 and later.

magic_quotes_gpc sets whether certain characters in data arriving via GPC (GET, POST, COOKIE) are escaped automatically;
you can use get_magic_quotes_gpc() to check its setting.
If this setting is not turned on, you can use the addslashes() function to escape the string yourself.

addslashes() adds a backslash before each of a fixed set of predefined characters.
The predefined characters are the single quote ('), the double quote ("), the backslash (\) and NUL (the NULL byte).
That is the explanation given by W3SCHOOL.COM.CN; my impression is that it is not entirely accurate,
because with magic_quotes_sybase=on it converts a single quote (') to a double quote ("), and only with magic_quotes_sybase=off is the single quote (') converted to (\').
stripslashes() does the opposite of addslashes(): it removes the escaping.

mysql_escape_string() escapes the special characters in a string that is to be used in an SQL statement.
The special characters are \x00, \n, \r, \, ', " and \x1a.

addcslashes() escapes characters in a string with backslashes in C style. Few people use it, but note that when you choose to escape the characters 0, a, b, f, n, r, t and v, they are converted to \0, \a, \b, \f, \n, \r, \t and \v. In PHP only \0 (NUL), \r (carriage return), \n (newline) and \t (tab) are predefined escape sequences, whereas in C every one of the converted characters above is a predefined escape sequence. stripcslashes() removes this escaping.

htmlentities() converts characters to HTML entities. (What is an HTML entity? Google it yourself ~~)
For the specific parameters see here; its inverse function html_entity_decode() converts HTML entities back to characters.

The htmlspecialchars() function converts some predefined characters to HTML entities.
These predefined characters are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039; (only when the ENT_QUOTES flag is passed)
< (less than) becomes &lt;
> (greater than) becomes &gt;
For detailed parameters see here; its inverse function htmlspecialchars_decode() converts these predefined HTML entities back to characters.
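The flag dependence matters in practice, because only ENT_QUOTES covers a value placed inside a single-quoted attribute. The following is an added example (not code from the original article); the attr() helper is hypothetical.

```php
<?php
// Added example (not from the original article): which of the five predefined
// characters htmlspecialchars() converts depends on its flags. Before PHP 8.1
// the default is ENT_COMPAT, which leaves the single quote alone, so a value
// placed in a single-quoted attribute is only safe with ENT_QUOTES. Flags are
// passed explicitly here so the result is the same on every PHP version.

$value = "Tom & \"Jerry\" <b>'s</b>";   // constructed sample user input

// ENT_COMPAT: & " < > are converted, the single quote is kept as-is.
$compat = htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
// ENT_QUOTES: the single quote becomes &#039; as well.
$quotes = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');

echo $compat, "\n";   // Tom &amp; &quot;Jerry&quot; &lt;b&gt;'s&lt;/b&gt;
echo $quotes, "\n";   // Tom &amp; &quot;Jerry&quot; &lt;b&gt;&#039;s&lt;/b&gt;

// Hypothetical helper for attribute context: escape both quote styles, name the
// charset explicitly and substitute invalid UTF-8 instead of returning "".
function attr($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "<input value='" . attr($value) . "'>\n";

// The decode function must be given the same quote flag to round-trip.
var_dump(htmlspecialchars_decode($quotes, ENT_QUOTES) === $value);   // bool(true)
```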

A little of my own experience:
>> Escaping a single quote more than once (double escaping) can cause database security problems.
>> I don't recommend escaping with mysql_escape_string(); escape at the point where the user input is received instead.
>> Since set_magic_quotes_runtime() is deprecated in PHP 5.3.0 and later, for earlier versions I suggest turning it off in one place in the configuration:
The code is as follows:

// Only versions before 5.3.0 still honour magic_quotes_runtime; turn it off there.
// version_compare() is used instead of a plain string comparison of version numbers.
if (version_compare(phpversion(), '5.3.0', '<')) {
    set_magic_quotes_runtime(0);
}

>> magic_quotes_gpc cannot be set from a function, so I recommend enabling it uniformly on the server and checking it in the program, to avoid the security problems caused by GPC escaping not being on.
When escaping GPC data with addslashes(), note that when the user submits array data both the keys and the values need to be filtered.

The code is as follows:

// Escape GET/POST/COOKIE/FILES ourselves when magic_quotes_gpc has not already done so.
if (!get_magic_quotes_gpc()) {
    $_GET    = daddslashes($_GET);
    $_POST   = daddslashes($_POST);
    $_COOKIE = daddslashes($_COOKIE);
    $_FILES  = daddslashes($_FILES);
}

// Recursively addslashes() a value; for arrays both the keys and the values are escaped.
function daddslashes($string, $force = 1)
{
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            unset($string[$key]);
            $string[addslashes($key)] = daddslashes($val, $force);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}
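The first two points above in code, as an added example that is not from the original article: applying addslashes() to a value that magic_quotes_gpc has already escaped corrupts it, and stripslashes() only undoes one level. The escape_once() helper is hypothetical.

```php
<?php
// Added example (not from the original article): why escaping the same value
// twice ("double escaping") corrupts data, and a helper that only adds slashes
// when the runtime has not already done so.

// Escape a GPC value exactly once: skip when magic_quotes_gpc already did it.
// get_magic_quotes_gpc() was removed in PHP 8, so guard with function_exists().
function escape_once($value)
{
    $already = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $already ? $value : addslashes($value);
}

$input = "O'Reilly";            // constructed sample user input

$once  = addslashes($input);    // O\'Reilly   -> what the database should receive
$twice = addslashes($once);     // O\\\'Reilly -> the database stores O\'Reilly literally

echo "once : $once\n";
echo "twice: $twice\n";

// stripslashes() removes exactly one level, so a doubly escaped value stays wrong.
echo "stripslashes(twice): " . stripslashes($twice) . "\n";   // O\'Reilly, not O'Reilly

// Escape at the point where the input is received, and only once.
echo "escape_once: " . escape_once($input) . "\n";
```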

>> Prevent XSS by escaping HTML entities when user input is received or when it is output!

Today I came across a file with special characters to handle, and was reminded of this issue in PHP:

* A PHP string with single-quote delimiters supports only two escapes: \' and \\
* A PHP string with double-quote delimiters supports the following escapes:
\n  line feed (LF, ASCII 0x0A (10))
\r  carriage return (CR, ASCII 0x0D (13))
\t  horizontal tab (HT, ASCII 0x09 (9))
\\  backslash
\$  dollar sign
\"  double quote
\[0-7]{1,3}  this regular expression sequence matches a character given in octal notation
\x[0-9A-Fa-f]{1,2}  this regular expression sequence matches a character given in hexadecimal notation

A few examples:

A string containing the NUL (\0) special character:

$str = "FFFF\0FFFF";
echo strlen($str);               // \0 is a single byte, so the length is 9
echo "\n";
for ($i = 0; $i < strlen($str); $i++) {
    echo "\t" . ord($str[$i]);   // print the value of each byte
}
echo "\n";

Output Result:
----------------------

9
102 102 102 102 0 102 102 102 102

Examples of replacing the special character:

$str = "FFFF\0FFFF";
$str = str_replace("\x0", "", $str);     // remove the NUL byte, written as a hex escape
// or: $str = str_replace("\0", "", $str);     written as an octal escape
// or: $str = str_replace(chr(0), "", $str);   produced with chr()
echo strlen($str);
echo "\n";
for ($i = 0; $i < strlen($str); $i++) {
    echo "\t" . ord($str[$i]);
}
echo "\n";

Output Result:

----------------------
8
102 102 102 102 102 102 102 102

An example with octal ASCII codes:

Note that a sequence matching the regular expression \[0-7]{1,3} is an octal ASCII code.

// \08 is \0 followed by a literal 8; \8 does not match the pattern, so it is kept
// as a backslash and an 8 (ASCII 92 and 56).
$str = "\0\01\02\3\7\10\011\08\8";
echo strlen($str);
echo "\n";
for ($i = 0; $i < strlen($str); $i++) {
    echo "\t" . ord($str[$i]);
}
echo "\n";

Output Result:
----------------------
11
0 1 2 3 7 8 9 0 56 92 56

An example with hexadecimal ASCII codes:

$str = "\x0\x1\x2\x3\x7\x8\x9\x10\x11\xff";   // one or two hex digits per escape
echo strlen($str);
echo "\n";
for ($i = 0; $i < strlen($str); $i++) {
    echo "\t" . ord($str[$i]);
}
echo "\n";

Output Result:
----------------------
10
0 1 2 3 7 8 9 16 17 255
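The examples above all use double-quoted strings. Pulling their byte-dump loop into a helper and feeding it the same literal in both delimiter styles shows the difference described in the two bullet points (added example, not from the original article; byte_values() and dump() are hypothetical helpers).

```php
<?php
// Added example (not from the original article): factor the byte-dump loop used
// above into a helper, then compare how single- and double-quoted literals
// interpret the same escape sequences.

// Return the byte values of $s as an array (the loop used in the examples above).
function byte_values($s)
{
    $out = array();
    for ($i = 0; $i < strlen($s); $i++) {
        $out[] = ord($s[$i]);   // $s[$i], not $s{$i}: the brace form is gone in PHP 8
    }
    return $out;
}

// Print a label, the byte length and the byte values of $s.
function dump($label, $s)
{
    echo $label, ': length ', strlen($s), ' -> ', implode(' ', byte_values($s)), "\n";
}

// The same characters typed inside both delimiters.
dump('single-quoted', '\n\'\\');   // length 4 -> 92 110 39 92: \n stays literal, \' and \\ collapse
dump('double-quoted', "\n\'\\");   // length 4 -> 10 92 39 92: \n is LF, \' is NOT an escape here

// Octal and hex escapes are two spellings of the same byte.
dump('octal/hex', "\101\x41\x0A");  // length 3 -> 65 65 10

// An escape PHP does not recognise keeps its backslash.
dump('unknown', "\q");              // length 2 -> 92 113
```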
