Some functions that are helpful for PHP security

Source: Internet
Author: User

Security has always been an interesting aspect of programming languages. Every mature language offers appropriate ways to keep a program secure, and in modern web development we constantly deal with user input, which is where the problems begin. There is a programming maxim: never trust user input. So here are some of the most common ways to add security to your PHP code.

PHP has many handy functions that help you avoid attacks such as SQL injection and XSS. Let's look at the functions that add security to your project. Note that this is only a list of commonly used functions and is not comprehensive, but they should be very helpful in your project.

mysql_real_escape_string(string $unescaped_string [, resource $link_identifier]):

Escapes the special characters in a string that is going to be used in an SQL statement, taking the current character set of the connection into account. A very useful function that can effectively prevent SQL injection, provided every value interpolated into the query is escaped (and quoted) this way.

The following characters are converted:

\x00, \n, \r, \, ', ", \x1a

Running every value through this function before it is placed in an SQL query neutralizes a whole class of dangers before the statement is ever executed.

In more mature projects, however, it is generally preferable to use a database abstraction layer such as PDO for all database operations. It offers more advanced techniques, in particular prepared statements with bound parameters, which are far stronger than the old mysql_* API in both security and read/write performance. (The mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0, so new code has no choice in the matter.)
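The following is an added example, not code from the original article: the same lookup written three ways, with the value spliced into the SQL text, with escaping via PDO::quote() (the role mysql_real_escape_string() played for the old API), and with a prepared statement. It uses an in-memory SQLite database so it runs offline; the table, rows and the sample input containing a single quote are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): an unsafe query, an
// escaped query and a prepared statement side by side. The users table,
// its rows and the input string are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien')");

// Unsafe: the value becomes part of the SQL text. A name containing a
// quote changes the structure of the statement (here it simply fails).
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escaped: PDO::quote() escapes and quotes the value for the current
// driver, like mysql_real_escape_string() did for mysql_*. Correct only
// if every single interpolated value is treated this way.
function findUserQuoted(PDO $pdo, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Preferred: the statement is parsed first and the value is bound
// afterwards, so the value can never be interpreted as SQL.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "O'Brien"; // constructed user input containing a single quote

try {
    print_r(findUserUnsafe($pdo, $input));
} catch (PDOException $e) {
    echo 'unsafe query failed: ', $e->getMessage(), PHP_EOL;
}
print_r(findUserQuoted($pdo, $input));
print_r(findUserPrepared($pdo, $input));
```

The unsafe variant breaks on a perfectly legitimate name; an input crafted to keep the statement syntactically valid would instead change what the query does, which is the injection the article warns about. The prepared statement needs no escaping logic at all, which is why it is the form to reach for.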

addslashes():

This function is useful when inserting data into a database: it prefixes single quotes (as well as double quotes, backslashes and NUL bytes) with a backslash so that the data can be inserted without errors. How it should be used depends on the php.ini setting magic_quotes_gpc (deprecated in PHP 5.3 and removed in PHP 5.4).

1. With magic_quotes_gpc=on, PHP has already escaped every GET, POST and COOKIE value, so we need not call addslashes() on input or stripslashes() on output; the data is stored and displayed correctly as is.

If you do run addslashes() over the input in this state, it is escaped twice, and you must call stripslashes() to remove the extra backslash when you output it.

2. With magic_quotes_gpc=off:

The input data must be processed with addslashes(), but the output does not need stripslashes(), because the backslash added by addslashes() is not written to the database; it only helps MySQL parse the SQL statement correctly.

stripslashes(): removes the backslashes added by addslashes().
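As an added example (not from the original article), the two cases above worked through in code. The php.ini state is simulated with a constructed boolean rather than read from the live configuration, because magic_quotes_gpc no longer exists on a modern interpreter; the SQL parser consuming one layer of backslashes is likewise simulated with stripslashes(), and the input string is constructed.

```php
<?php
// Added example (not from the original article): addslashes() and
// stripslashes() under the two magic_quotes_gpc settings. The php.ini
// state is a constructed flag; the database's removal of one escaping
// layer is simulated with stripslashes().
declare(strict_types=1);

$rawInput = "O'Reilly said \"hi\""; // constructed user input

// Reproduce what magic_quotes_gpc=on did to every GET/POST/COOKIE value.
function simulateGpc(string $raw, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? addslashes($raw) : $raw;
}

// Case 1 (magic_quotes_gpc=on): the request value already carries
// backslashes. Calling addslashes() again escapes it a second time; the
// SQL parser consumes one layer, the row keeps the other, and the
// stored value needs stripslashes() before it is shown.
function case1(string $raw): array
{
    $fromRequest  = simulateGpc($raw, true);
    $escapedAgain = addslashes($fromRequest);     // the mistake
    $storedInDb   = stripslashes($escapedAgain);  // one layer consumed by SQL
    return [
        'from_request'  => $fromRequest,
        'escaped_again' => $escapedAgain,
        'stored_in_db'  => $storedInDb,
        'shown_to_user' => stripslashes($storedInDb),
    ];
}

// Case 2 (magic_quotes_gpc=off): the application escapes exactly once.
// The backslash only protects the quote inside the SQL text; the row
// stores the original value, so the output needs no stripslashes().
function case2(string $raw): array
{
    $fromRequest = simulateGpc($raw, false);
    $escapedOnce = addslashes($fromRequest);
    $sql         = "INSERT INTO notes (body) VALUES ('" . $escapedOnce . "')";
    return [
        'from_request'  => $fromRequest,
        'escaped_once'  => $escapedOnce,
        'sql_fragment'  => $sql,
        'stored_in_db'  => stripslashes($escapedOnce),
    ];
}

print_r(case1($rawInput));
print_r(case2($rawInput));
```

The point to take from case 1 is that escaping is not idempotent: each layer of addslashes() must be matched by exactly one consumer (the SQL parser or stripslashes()), which is the bookkeeping that prepared statements remove entirely.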

htmlentities():

A very useful function for handling output. It converts characters that could enable an XSS attack into HTML entities, which the browser displays normally, but in the page source the special characters themselves never appear. For example:

Output:

John & 'Adams'

Source:

John &amp; &#039;Adams&#039;

Output:

<>

Source:

&lt;&gt;

Encoding these symbols effectively prevents XSS. (The single quote is only converted when the ENT_QUOTES flag is passed; that is the default from PHP 8.1 onwards.)

htmlspecialchars():

It works like the function above but is more commonly used, because htmlentities() converts every character that has an entity defined in the HTML standard into its corresponding entity, which can make your output unreadable (see the HTML entity list at http://www.w3school.com.cn/tags/html_ref_entities.html). htmlspecialchars() only translates the handful of predefined characters that actually cause problems into HTML entities. For example:

& (ampersand) becomes &amp;

" (double quote) becomes &quot;

' (single quote) becomes &#039; (only when ENT_QUOTES is set)

< (less than) becomes &lt;

> (greater than) becomes &gt;

So in some projects I often use htmlspecialchars() to handle HTML output; it is the more targeted choice where security is concerned.

strip_tags(): typically used on output; removes HTML, XML and PHP tags from a string.

Function prototype: strip_tags(string $str [, mixed $allowable_tags])

$str is the input string and $allowable_tags lists the tags that should not be removed, which lets you control which tags are filtered out.
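The following added example (not from the original article) puts the three output functions just discussed, htmlentities(), htmlspecialchars() and strip_tags(), side by side on constructed strings. The helper names e() and plainTextPreview() are mine, not PHP built-ins.

```php
<?php
// Added example (not from the original article): output encoding with
// htmlspecialchars(), the broader conversion done by htmlentities(), and
// tag removal with strip_tags(). e() and plainTextPreview() are helper
// names chosen here; the sample strings are constructed.
declare(strict_types=1);

// Escape a value for HTML element content or a quoted attribute.
// ENT_QUOTES also converts single quotes (PHP < 8.1 leaves them alone by
// default), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, and the charset must match the one the page is served in.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reduce user-supplied HTML to text, keeping a small allow-list of tags.
// strip_tags() keeps the attributes of allowed tags, so on its own it is
// not an XSS filter; use it for plain-text contexts (previews, titles).
function plainTextPreview(string $html): string
{
    return strip_tags($html, '<b><i>');
}

$name     = "John & 'Adams' <b>\"quoted\"</b>";      // constructed
$accented = 'café naïve ©';                           // constructed
$comment  = '<p>Hello <b class="x">world</b>!</p><script>/* removed */</script>'; // constructed

// htmlspecialchars(): only & " ' < > are touched, accents stay readable.
echo e($name), PHP_EOL;
echo e($accented), PHP_EOL;

// htmlentities(): every character with a named entity is converted,
// including the accented letters and the copyright sign.
echo htmlentities($accented, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;

// strip_tags(): the <p> and <script> tags go, <b> and its class attribute
// stay, and the text between all of them is preserved.
echo plainTextPreview($comment), PHP_EOL;

// Escaping happens at the output sink, e.g. inside an attribute value.
echo '<input type="text" name="name" value="' . e($name) . '">', PHP_EOL;

// A stripped preview still goes through e() when rendered as text.
echo '<span class="preview">' . e(plainTextPreview($comment)) . '</span>', PHP_EOL;
```

The rule these helpers encode is to escape at the moment of output for the context the value lands in, and to treat strip_tags() as a formatting tool rather than a security boundary.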

md5():

Converts a string into a 32-character hexadecimal hash (a one-way digest that cannot be reversed); any input yields a fixed 32-character string. Be aware, however, that some databases record huge numbers of precomputed MD5 values and recover passwords by simple lookup or brute-force enumeration, so you get better results by adding a layer (a salt) to the original string before applying md5(). For storing passwords, the dedicated password_hash() API available since PHP 5.5 is the better choice.

sha1():

A function similar to md5(), but it uses a different algorithm and produces a 40-character string. You can consider using it in your project.
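As an added example (not from the original article), the digests the two sections above describe, the salted construction the md5() section recommends, and the password_hash()/password_verify() API that should replace both for stored passwords. The password and salt are constructed; saltedSha1(), verifySaltedSha1(), storePassword() and checkPassword() are helper names chosen here (PHP 7.1 or later).

```php
<?php
// Added example (not from the original article): md5()/sha1() digests,
// a salted digest, and password_hash()/password_verify(). The sample
// password is constructed; helper names are chosen for this demo.
declare(strict_types=1);

$password = 'correct horse battery staple'; // constructed sample

// Plain digests: fixed-length hex, 32 characters for md5, 40 for sha1.
// Identical inputs always give identical digests, which is exactly what
// precomputed lookup tables rely on.
function digests(string $input): array
{
    return ['md5' => md5($input), 'sha1' => sha1($input)];
}

// Salted digest, the "extra layer" the text suggests: a random per-user
// salt is prepended so that a shared lookup table is useless. Both the
// salt and the digest must be stored.
function saltedSha1(string $input, ?string $salt = null): array
{
    $salt = $salt ?? bin2hex(random_bytes(16));
    return ['salt' => $salt, 'digest' => sha1($salt . $input)];
}

// hash_equals() compares in constant time, so the comparison itself does
// not leak how many leading characters matched.
function verifySaltedSha1(string $input, string $salt, string $digest): bool
{
    return hash_equals($digest, sha1($salt . $input));
}

// Modern approach: a deliberately slow, salted algorithm chosen by PHP;
// the salt and parameters are embedded in the returned string.
function storePassword(string $input): string
{
    return password_hash($input, PASSWORD_DEFAULT);
}

function checkPassword(string $input, string $stored): bool
{
    return password_verify($input, $stored);
}

print_r(digests($password));

$record = saltedSha1($password);
print_r($record);
var_dump(verifySaltedSha1($password, $record['salt'], $record['digest']));
var_dump(verifySaltedSha1('wrong password', $record['salt'], $record['digest']));

$stored = storePassword($password);
echo $stored, PHP_EOL;
var_dump(checkPassword($password, $stored));
var_dump(checkPassword('wrong password', $stored));
```

A salt defeats shared lookup tables but does nothing about the speed of md5() and sha1(), which is why password_hash() exists: it is slow by design and handles the salt for you.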

intval():

Perhaps you do not think of this as a security function, but in some cases it protects your code well. Running user-supplied data such as id, password or username fields through it where an integer is expected can eliminate a number of security risks; after all, user input is where attacks hit hardest.
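As an added example (not from the original article), intval() coercion of an untrusted id compared with validation through filter_var(), which rejects anything that is not a whole decimal integer instead of quietly turning it into one. coerceId() and parseId() are helper names chosen here and the inputs are constructed to cover the edge cases.

```php
<?php
// Added example (not from the original article): coercing an id with
// intval() versus validating it with filter_var(). Helper names are
// chosen for this demo; the sample inputs are constructed.
declare(strict_types=1);

// Coercing: non-numeric text becomes 0, trailing garbage is dropped and
// out-of-range values do not raise an error. The result is always safe
// to place in an SQL statement, but bad input turns into a plausible id.
function coerceId(string $raw): int
{
    return intval($raw);
}

// Validating: returns the integer only if the whole (trimmed) string is a
// decimal integer within range, otherwise null so the caller can reject
// the request instead of guessing.
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

$samples = ['42', ' 42 ', '42abc', 'abc', '', '-7', '0', '012',
            '99999999999999999999'];

foreach ($samples as $raw) {
    printf(
        "%-26s intval=%-20d parseId=%s\n",
        var_export($raw, true),
        coerceId($raw),
        var_export(parseId($raw), true)
    );
}

// Typical use at a request boundary: reject rather than coerce.
$id = parseId($_GET['id'] ?? '');
if ($id === null) {
    echo 'would respond 400 Bad Request', PHP_EOL;
} else {
    echo 'would look up id ', $id, PHP_EOL;
}
```

Both functions keep SQL safe for a numeric column; the difference is that parseId() also keeps the application honest about what the user actually sent, so a typo or a probe is refused rather than silently mapped onto record 0 or record 42.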
