Some basic security handling techniques in PHP

Source: Internet
Author: User

PHP provides built-in functions for escaping data bound for the most common output destinations, including the client, databases, and URLs.
If you write your own escaping routine, it has to be exhaustive: you need a reliable and complete list of the characters that are special to the external system, and of how each of them is represented, so that the data is preserved rather than interpreted.
The most common output destination is the client, and the best way to escape data for it is to call htmlentities() before the data is emitted. Like the other string functions, it takes a string, processes it, and returns the result. The best way to use htmlentities() is to pass its two optional parameters: how to escape quotes (the second argument) and the character set (the third argument). The quote-handling argument should be ENT_QUOTES, which escapes both single and double quotes and is the most thorough option; the character set must match the one used by the page.
To tell whether a piece of data has been escaped, I recommend adopting a naming convention. For data escaped for output to the client I use an array named $html, initialized to an empty array, which holds only data that has been both filtered and escaped.

<?php
$html = array();
// $clean['username'] has already passed input filtering; escape it for HTML output.
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');
echo "<p>Welcome back, {$html['username']}.</p>";
?>

Small Tips
The htmlspecialchars() function is essentially the same as htmlentities() and takes exactly the same parameters; the difference is that htmlentities() escapes more thoroughly (every character that has a named HTML entity, not only the HTML-special ones). By sending $html['username'] to the client, you ensure that special characters cannot be misinterpreted by the browser. If the username contains only letters and digits, escaping is not strictly necessary, but doing it anyway embodies the principle of defense in depth. Escaping all output is a very good habit, and it can dramatically improve the security of your software.
Another common output destination is the database. Whenever possible, escape the data used in SQL statements with the PHP function built for your database. For MySQL users, the best escape function is mysql_real_escape_string(). If you are using a database for which PHP provides no built-in escape function, addslashes() is the last resort.
The following example illustrates the correct escaping technique for a MySQL database:

<?php
// Note: the mysql_* functions belong to the legacy ext/mysql extension,
// which was deprecated in PHP 5.5 and removed in PHP 7.
$mysql = array();
$mysql['username'] = mysql_real_escape_string($clean['username']);
$sql = "SELECT *
        FROM   profile
        WHERE  username = '{$mysql['username']}'";
$result = mysql_query($sql);
?>
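The following script is an added example, not code from the original article. It applies the article's $clean / $html naming convention to one constructed username containing a single quote and HTML tags, shows why ENT_QUOTES and an explicit charset matter for the client output target, and handles the database output target with a PDO prepared statement (the current replacement for the removed mysql_real_escape_string(); an in-memory SQLite database stands in for MySQL so the script runs offline).

```php
<?php
// Added example (not from the original article): the $clean / $html convention
// applied to a constructed username, for both output targets the article covers.
declare(strict_types=1);

// Constructed input, assumed to have already passed input filtering.
$clean = ['username' => "o'brien <b>é</b>"];

// --- Output target: the client ---------------------------------------------
$html = [];
// Weak setting: ENT_COMPAT escapes double quotes only, so the single quote
// survives and can terminate a single-quoted attribute such as value='...'.
$html['weak'] = htmlentities($clean['username'], ENT_COMPAT, 'UTF-8');
// Recommended setting: ENT_QUOTES escapes both quote styles; the charset must
// match the one the page is served with.
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');

echo "weak:    <input value='{$html['weak']}'>\n";
echo "escaped: <input value='{$html['username']}'>\n";

// --- Output target: the database -------------------------------------------
// SQLite in memory stands in for MySQL; the table and row are constructed data.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE profile (username TEXT, email TEXT)');
$db->exec("INSERT INTO profile VALUES ('o''brien <b>é</b>', 'ob@example.invalid')");

// With a prepared statement there is no escaped $mysql copy to maintain: the
// value is sent as a bound parameter and never becomes part of the SQL text,
// so the embedded quote cannot change the statement's meaning.
$stmt = $db->prepare('SELECT email FROM profile WHERE username = :username');
$stmt->execute([':username' => $clean['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo 'email: ', $row['email'] ?? '(no match)', "\n";
```

Run it with the CLI (`php example.php`); the first output line shows the unescaped single quote closing the attribute early, the second shows it rendered as an entity, and the query still finds the row despite the quote in the username.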
