Security Functions in PHP

1. addslashes

Addslashes returns a string that is preceded by a backslash in order for the database query statement to be preceded by some characters. These characters are single quotes ('), double quotation marks ("), backslashes (\), and NUL (the NULL character). An example of using addslashes () is when you want to enter data into the database. For example, the name O ' Reilly is inserted into the database, which needs to be escaped. It is strongly recommended to use the escaped function specified by the DBMS (for example, MySQL is mysqli_real_escape_string () and PostgreSQL is pg_escape_string ()), but if you are using a DBMS that does not have an escape function and uses the \ to escape special characters, you can use this function. Just to get the data inserted into the database, the extra \ is not inserted. When PHP instruction Magic_quotes_sybase is set to ON, it means that the insert ' will be used ' to escape. PHP 5.4 before PHP magic_quotes_gpc default is on, in fact, all get, POST and COOKIE data are used by Addslashes (). Do not use Addslashes () for strings that have been MAGIC_QUOTES_GPC escaped, because this results in double-layer escaping. You can use the function GET_MAGIC_QUOTES_GPC () to detect this situation. The unescape function of stripslashes as Addslashes

 2. HtmlspecialcharsHtmlspecialchars escapes several special characters in HTML into the HTML Entity format:&xxxx;) Form, including (&), ('), ("), (<),(>) of five characters. & (and) =&amp;"(double quotes) = =&quot;(when Ent_noquotes is not set) ' (single quote) = & #039; (when Ent_quotes set)<(less than sign) => &lt;> (greater than sign) + =&gt;Htmlspecialchars can be used to filter get,post, $COOKIE data, and prevent XSS. Note that the Htmlspecialchars function simply escapes HTML characters that are considered to have security implications,
Use Htmlentities if you want to escape all characters that can be escaped in HTML. The decode function of Htmlspecialchars_decode as Htmlspecialchars

3. HtmlentitiesHtmlentities escapes the contents of HTML that can be escaped to HTML Entity. Html_entity_decode is the decode function for htmlentities.

4. mysql_real_escape_stringmysql_real_escape_string will call the MySQL library function mysql_real_escape_string, to (\x00), (\ n), ( \ r), (\), ('), (\x1a) escaped,
The preceding backslash () is added to prevent SQL injection. Note that you do not need to call stripslashes to unescape when reading database data, because these backslashes are added when the database executes SQL.
The backslash is removed when the data is written to the database, so the content that is written to the database is the original data and is not preceded by a backslash but is now deprecated with mysql_real_escape_string (). All new applications should perform database operations using a library of functions like PDO

5. Strip_tags

Security Functions in PHP