Security Functions in PHP


Security is an important aspect of programming, and every language provides functions or modules that help keep a program secure. Modern web applications take input from users all over the world, and the rule is that you can never trust data entered by those users. Web development languages therefore provide functions that make user input safe to handle. This article looks at some of the useful security functions in PHP.

PHP ships with a number of functions that make it convenient to protect a site against attacks such as SQL injection and XSS (cross-site scripting). Below are the functions commonly used to keep a project secure. This is not a complete list; it is the set of functions I have found useful in my own projects.

1. addslashes

addslashes returns the input string with a backslash placed before each character that needs quoting inside a database query string: the single quote ('), the double quote ("), the backslash (\) and the NUL byte.

A typical use of addslashes() is preparing data for insertion into a database. A name such as O'Reilly contains a quote and must be escaped before it can appear inside a quoted SQL literal. It is strongly recommended to use the escaping function of the DBMS you are talking to (mysqli_real_escape_string() for MySQL, pg_escape_string() for PostgreSQL), and better still a prepared statement with bound parameters. Only if the DBMS provides no escaping function of its own and uses \ to escape special characters should you fall back to addslashes(). The backslashes are consumed by the SQL parser; what lands in the database is the original value without them. When the PHP directive magic_quotes_sybase is On, a single quote is escaped as '' (doubled) instead of \'.

Before PHP 5.4, magic_quotes_gpc was On by default, which meant that all GET, POST and COOKIE data had already been passed through addslashes(). Do not call addslashes() again on data that magic_quotes_gpc has escaped, because that double-escapes it; use get_magic_quotes_gpc() to detect the situation. The directive was removed in PHP 5.4, after which the function always returns false, and the function itself was removed in PHP 8.0.

stripslashes() is the inverse of addslashes().

    <?php
    $str = "Is your name O'Reilly?";
    // Output: Is your name O\'Reilly?
    echo addslashes($str);
    ?>
2. htmlspecialchars

htmlspecialchars converts the characters that have special meaning in HTML into HTML entities (of the form &xxxx;). It handles five characters: &, ", ', < and >.

    & (ampersand)     => &amp;
    " (double quote)  => &quot;   (unless ENT_NOQUOTES is set)
    ' (single quote)  => &#039;   (only when ENT_QUOTES is set)
    < (less than)     => &lt;
    > (greater than)  => &gt;

htmlspecialchars can be used to encode $_GET, $_POST and $_COOKIE data before it is echoed into a page, which prevents XSS in HTML body and attribute contexts. Pass ENT_QUOTES and always put attribute values in quotes; without ENT_QUOTES a single quote passes through unchanged. It is not sufficient on its own for data placed inside JavaScript, CSS or URLs. Note that htmlspecialchars only converts the characters that are significant in HTML; to convert every character that has an HTML entity, use htmlentities.

htmlspecialchars_decode is the decoding counterpart of htmlspecialchars.

HTML Entity comparison table: http://www.w3school.com.cn/html/html_entities.asp

As of PHP 5.4 the default character set of these functions changed from ISO-8859-1 to UTF-8. If the input is not valid UTF-8 (for example a Latin-1 string containing a byte such as 0xE9), htmlspecialchars and htmlentities return an empty string, which silently blanks the output:

    <?php
    echo htmlspecialchars($string);
    echo htmlentities($string);
    ?>

You can fix it by declaring the real encoding of the input:

    <?php
    echo htmlspecialchars($string, ENT_COMPAT, 'ISO-8859-1', true);
    echo htmlentities($string, ENT_COMPAT, 'ISO-8859-1', true);
    ?>

The cleaner fix is to convert the input to UTF-8 once at the application boundary (mb_convert_encoding), or to pass ENT_SUBSTITUTE so that invalid sequences are replaced with U+FFFD instead of emptying the whole result.
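The following script is an added example and is not code from the original article. It shows what htmlspecialchars does and does not protect against (the ENT_COMPAT versus ENT_QUOTES difference in a single-quoted attribute) and reproduces the empty-string failure on invalid UTF-8 together with three ways to handle it. The input strings are constructed for the demonstration; the last variant assumes the mbstring extension is loaded.

```php
<?php
// Added example, not from the original article: htmlspecialchars in HTML body
// and attribute contexts, plus the PHP 5.4+ encoding failure mode.
declare(strict_types=1);

// Constructed XSS probe that uses every character htmlspecialchars knows about.
$payload = "<script>alert('xss')</script> & \"double\" 'single'";

// HTML body context: the tag delimiters become entities, so the browser
// renders the payload as text instead of executing it.
echo htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// Attribute context: with ENT_COMPAT the single quote is left untouched, so a
// single-quoted attribute can be broken out of; ENT_QUOTES closes that gap.
$attr = "x' onmouseover='alert(1)";
echo "<input value='", htmlspecialchars($attr, ENT_COMPAT, 'UTF-8'), "'>\n";  // still injectable
echo "<input value='", htmlspecialchars($attr, ENT_QUOTES, 'UTF-8'), "'>\n";  // quote is encoded

// Encoding failure mode: 0xE9 is 'é' in ISO-8859-1 but is not valid UTF-8.
// Since PHP 5.4 the default charset is UTF-8, and without ENT_SUBSTITUTE or
// ENT_IGNORE the whole result becomes an empty string.
$latin1 = "caf\xE9 <b>";
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'));

// Three ways to handle it:
// 1. declare the encoding the input really has
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'ISO-8859-1'));
// 2. keep UTF-8 but replace invalid sequences with U+FFFD instead of failing
var_dump(htmlspecialchars($latin1, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
// 3. normalise the input to UTF-8 once at the boundary (requires mbstring)
$utf8 = mb_convert_encoding($latin1, 'UTF-8', 'ISO-8859-1');
var_dump(htmlspecialchars($utf8, ENT_QUOTES, 'UTF-8'));
```

Run it with the PHP CLI and compare the two <input> lines: the ENT_COMPAT version still contains the raw ' that terminates the attribute. Flags are passed explicitly throughout because the default flag set changed in PHP 8.1 (ENT_QUOTES | ENT_SUBSTITUTE became the default), and relying on the default hides which behaviour you are getting.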
3. htmlentities

htmlentities converts every character in the input that has a named HTML entity into that entity. html_entity_decode is its decoding counterpart.

4. mysql_real_escape_string

mysql_real_escape_string() calls the MySQL client library function of the same name, which prefixes the characters \x00, \n, \r, \, ', " and \x1a with a backslash so that a value can be placed inside a quoted SQL literal without breaking out of it, which is what prevents SQL injection. Note that you do not need to call stripslashes() on data read back from the database: the backslashes are consumed by the SQL parser when the statement is executed, so the value stored in the database is the original data without them.

However, mysql_real_escape_string() and the whole mysql_* extension were deprecated in PHP 5.5 and removed in PHP 7.0. New applications should use PDO or mysqli with prepared statements, which send parameters separately from the SQL text so that no escaping is needed at all.
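The script below is an added example, not code from the original article, and serves both the addslashes section above and this one: it runs the classic string-concatenation query and a PDO prepared statement side by side against an in-memory SQLite database, so it needs no MySQL server (it assumes the pdo_sqlite extension is loaded, which is the default in most PHP builds). The table rows and the injection payload are constructed for the demonstration.

```php
<?php
// Added example, not from the original article: string concatenation versus a
// PDO prepared statement, exercised with a legitimate apostrophe and with an
// injection payload. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
// Constructed data; the SQL-standard way to write a quote in a literal is to double it.
$db->exec("INSERT INTO users (name, is_admin) VALUES ('O''Reilly', 0), ('admin', 1)");

// Vulnerable: the user-controlled value is spliced into the SQL text.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT name, is_admin FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter and is never parsed as SQL.
function findByNamePrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, is_admin FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign = "O'Reilly";
$attack = "x' OR '1'='1";   // constructed injection payload

// Legitimate name containing an apostrophe: concatenation produces a syntax
// error (the quote ends the literal early), the prepared statement finds the row.
try {
    findByNameConcat($db, $benign);
} catch (PDOException $e) {
    echo "concat failed on a legitimate name: ", $e->getMessage(), "\n";
}
print_r(findByNamePrepared($db, $benign));

// Injection payload: concatenation turns the WHERE clause into
// name = 'x' OR '1'='1' and returns every row including the admin;
// the prepared statement matches nothing, since no user has that literal name.
print_r(findByNameConcat($db, $attack));
print_r(findByNamePrepared($db, $attack));

// If a piece of legacy code cannot be converted to bound parameters, PDO::quote()
// applies the driver's own escaping (the PDO counterpart of
// mysqli_real_escape_string); it is still a second choice after prepare().
$quoted = $db->quote($benign);
print_r($db->query("SELECT name FROM users WHERE name = $quoted")->fetchAll(PDO::FETCH_ASSOC));
```

The point to take from the output is that the prepared statement gets both cases right without any escaping logic in application code, while the concatenated query fails on honest input and succeeds on hostile input. The same prepare()/execute() pattern applies unchanged to a MySQL DSN.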

5. strip_tags

strip_tags removes NUL bytes and HTML and PHP tags from a string (a <script> element loses its tags and its body is left behind as plain text). The second parameter names tags that should be kept.

    <?php
    $text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
    echo strip_tags($text);
    echo "\n";

    // Allow <p> and <a>
    echo strip_tags($text, '<p><a>');
    ?>

Output:

    Test paragraph. Other text
    <p>Test paragraph.</p> <a href="#fragment">Other text</a>
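Keeping a tag keeps all of its attributes, which is the limitation practitioners run into with strip_tags. The script below is an added example, not code from the original article: it shows an allow-listed <a> surviving with a javascript: URL and an event handler intact, and then rebuilds the link from validated parts instead. The input HTML is constructed for the demonstration and the safeLink helper is mine, not a PHP built-in.

```php
<?php
// Added example, not from the original article: strip_tags() removes tags, not
// attributes, so an allow-list of tags is not an XSS defence on its own.
declare(strict_types=1);

// Constructed input: the <a> the article allows, carrying a javascript: URL
// and an inline event handler, plus an <img> with an onerror handler.
$html = '<p>hello</p><a href="javascript:alert(1)" onclick="alert(2)">click</a><img src=x onerror=alert(3)>';

// Everything stripped: safe, but all markup is gone.
echo strip_tags($html), "\n";

// Allow <a>: the tag survives together with both malicious attributes.
echo strip_tags($html, '<a>'), "\n";

// Since PHP 7.4 the allow-list may also be an array of tag names.
echo strip_tags($html, ['p', 'a']), "\n";

// Hypothetical helper: build a link from validated parts rather than letting
// user-supplied attributes through. Only http(s) and scheme-less (relative or
// fragment) targets are accepted; javascript:, data: and friends become '#'.
function safeLink(string $href, string $text): string
{
    $scheme = parse_url($href, PHP_URL_SCHEME);       // null when no scheme, false when unparsable
    $allowed = $scheme === null
        || in_array(strtolower((string) $scheme), ['http', 'https'], true);
    if (!$allowed) {
        $href = '#';
    }
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

echo safeLink('javascript:alert(1)', 'click'), "\n";
echo safeLink('#fragment', 'Other text'), "\n";
echo safeLink('https://example.com/?a=1&b=2', 'Example <b>'), "\n";
```

For anything richer than a single link, a real HTML sanitizer with an attribute and URL-scheme policy (HTML Purifier, as the conclusion of this article recommends) is the right tool; strip_tags is fine for turning HTML into plain text, not for producing safe HTML.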
6. safe_mode

safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; enabling it in php.ini now generates a fatal E_CORE_ERROR at startup. It was an attempt to solve shared-hosting isolation at the PHP level and was never a reliable security boundary.

Instead, you can forbid specific dangerous functions with the disable_functions directive in php.ini.
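The fragment below is an added example of the php.ini directives this article touches on, not configuration from the original article. The function list is an assumption about a typical web application and must be adjusted to what your code actually calls.

```ini
; Added example, not from the original article.
; safe_mode must not appear at all: since PHP 5.4 it is an unknown directive and
; enabling it is a fatal E_CORE_ERROR. Use disable_functions instead.

; Weak: nothing disabled, so a code-execution bug can reach the shell directly.
; disable_functions =

; Hardened (assumed list; drop anything your application legitimately needs):
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

; Both of the following default to Off and were removed in PHP 5.4.
; On legacy 5.3 installs set them explicitly so no code can rely on them.
register_globals = Off
magic_quotes_gpc = Off
```

After changing php.ini, confirm the running value with php -i | grep disable_functions (or phpinfo() from a throwaway script), since the CLI and the web SAPI often read different ini files.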

7. magic_quotes_gpc

This directive was On by default before PHP 5.4. It automatically escaped single quotes, double quotes, backslashes and NUL bytes in GPC (GET/POST/COOKIE) values with a backslash. It was removed in PHP 5.4, where get_magic_quotes_gpc() always returns false.

Code that had to run under either setting checked the state first, called stripslashes() when magic quotes were On, and only then escaped the value with mysql_real_escape_string(). Today the value should instead be bound as a prepared-statement parameter, which needs no escaping at all.

8. register_globals

Description: register_globals has defaulted to Off since PHP 4.2.0 (and was removed in PHP 5.4), but if a programmer turns it back on it leads to variable-overwrite issues, which are especially dangerous in combination with file inclusion vulnerabilities: a request parameter can silently replace a variable that is later passed to include.

The same class of bug appears without register_globals when code calls extract() on user-supplied arrays, as in the variable-rewrite issue found earlier in the Sablog source.
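The script below is an added example, not code from the original article or from Sablog: it reproduces the overwrite with extract() on request data and shows the allow-list fix. $_GET is populated by hand so the script runs from the CLI; the request values and the variable names are constructed for the demonstration.

```php
<?php
// Added example, not from the original article: the variable overwrite that
// register_globals allowed, reproduced with extract() on request data.
declare(strict_types=1);

// Constructed request: the attacker adds parameters the code never expected.
$_GET = ['page' => 'home', 'is_admin' => '1', 'template' => '../../etc/passwd'];

function renderVulnerable(array $request): string
{
    $is_admin = false;            // intended default
    $template = 'default.php';    // intended include path
    extract($request);            // every request key becomes a local variable,
                                  // clobbering both "safe" defaults above
    $role = $is_admin ? 'admin panel' : 'public page';
    // A real application would `include $template;` here, which is how a plain
    // variable overwrite turns into a file inclusion bug. We only print it.
    return "$role, template={$template}";
}

function renderFixed(array $request): string
{
    $is_admin = false;
    $template = 'default.php';
    // Read only the keys this function needs and validate their values.
    // Authorization state and file paths never come from the request.
    $allowedPages = ['home', 'about'];
    $page = $request['page'] ?? 'home';
    if (!is_string($page) || !in_array($page, $allowedPages, true)) {
        $page = 'home';
    }
    $role = $is_admin ? 'admin panel' : 'public page';
    return "$role, template={$template}, page={$page}";
}

echo renderVulnerable($_GET), "\n";
echo renderFixed($_GET), "\n";
```

extract($request, EXTR_SKIP) would refuse to overwrite variables that already exist, and EXTR_PREFIX_ALL keeps request data under its own prefix, but both still import arbitrary names into the local scope; reading the keys you need explicitly, as renderFixed does, is the version that stays correct when someone later adds a variable to the function.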

9. session_register

session_register() has been removed (together with session_unregister() and session_is_registered()); it was used to register session variables for session-based authentication.

Store session variables in the $_SESSION array instead.

10. Conclusion

The security functions that ship with PHP do not fully prevent XSS. For rich HTML input, a dedicated sanitizer such as HTML Purifier is recommended.

Encode for the output context: use htmlspecialchars when writing into HTML, json_encode when writing data into JavaScript, and validate a JavaScript function name supplied by the client (JSONP callbacks) against a strict regular expression. Input filtering should be used to enforce business constraints, not relied on to stop XSS, which has to be handled at the point of output.
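The script below is an added example, not code from the original article, of the per-context rule stated above: htmlspecialchars for an HTML context, json_encode with the JSON_HEX_* flags for a JavaScript context, and a regular-expression allow-list for a JSONP callback name. The payload and the callback names are constructed for the demonstration, and the jsonpCallback helper is mine, not a PHP built-in.

```php
<?php
// Added example, not from the original article: output encoding chosen by
// context, and validation (not escaping) for a JSONP callback name.
declare(strict_types=1);

// Constructed payload: closes a script element and opens a new one.
$untrusted = '</script><script>alert(1)</script>';

// HTML context: entity-encode.
echo '<div>', htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8'), "</div>\n";

// JavaScript context: json_encode yields a valid JS string literal, and the
// JSON_HEX_* flags turn < > & ' " into \uXXXX escapes so that the text
// "</script>" can never reach the HTML parser inside a <script> block.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
echo '<script>var data = ', json_encode($untrusted, $flags), ";</script>\n";

// JSONP callback: the parameter *is* JavaScript code, so it cannot be escaped;
// it must be validated against a strict identifier pattern (dotted names
// such as app.onLoad are allowed, anything else is rejected).
function jsonpCallback(string $name): ?string
{
    $ident = '[A-Za-z_$][A-Za-z0-9_$]{0,63}';
    return preg_match("/^{$ident}(\\.{$ident})*$/", $name) === 1 ? $name : null;
}

foreach (['handleData', 'app.onLoad', 'alert(1);//', '<script>', ''] as $cb) {
    echo str_pad(var_export($cb, true), 16), ' => ',
         jsonpCallback($cb) === null ? 'rejected' : 'accepted', "\n";
}

// A complete JSONP response built from the validated name. On the CLI $_GET
// is empty, so the default callback is used and header() is skipped.
$callback = jsonpCallback((string) ($_GET['callback'] ?? 'handleData')) ?? 'handleData';
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/javascript; charset=utf-8');
}
echo $callback, '(', json_encode(['ok' => true, 'msg' => $untrusted], $flags), ");\n";
```

Two details matter in practice: the JSON_HEX_TAG flag is what protects the inline-script case, because without it json_encode leaves < and > as-is and the browser's HTML parser sees the closing tag before the JavaScript parser ever runs; and the callback is validated rather than escaped because no escaping function can make arbitrary text a safe JavaScript identifier.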

Reference:

Http://www.pixelstech.net/article/1300722997-Useful-functions-to-provide-secure-PHP-application
