
Analysis of 8 little-known security functions in PHP, php little-known functions_PHP tutorial

WBOY (original)
2016-07-13 10:12:08


This article walks through 8 little-known security functions in PHP with examples, for your reference. The analysis is as follows:

Security is a very important aspect of programming. Every programming language provides functions or modules for keeping a program safe. Modern web applications must accept input from users around the world, and we all know that "user-supplied data can never be trusted". Web development languages therefore provide functions for handling user input safely. Here we look at the useful security functions in the well-known open source language PHP.

PHP ships with a number of built-in functions that make it convenient to protect your website against attacks such as SQL injection and XSS (cross-site scripting). Let's look at the commonly used functions in PHP that help keep a project secure. Note that this is not a complete list, just some functions that I think will be useful for your project.

1. mysql_real_escape_string()

This function is useful for preventing SQL injection in PHP. It prefixes a backslash to special characters such as single quotes, double quotes and backslashes, so that user-supplied input can be placed inside a quoted SQL string literal without breaking out of it. Note that it only works while a connection to the database is open, because it escapes according to the connection's character set; and outside a quoted string literal (an unquoted numeric value, a column name, a LIMIT clause) it offers no protection at all.
mysql_real_escape_string() is no longer recommended: the whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7. All new applications should use a library such as PDO (or mysqli) and perform database operations with prepared statements, which send the query text and the parameter values to the server separately, so that injected input can never be interpreted as SQL.
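The difference between splicing an escaped value into the SQL text and binding it as a parameter, as an added example that is not part of the original article. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table, its rows and the function names are constructed for the example.

```php
<?php
// Added example (not from the original article): the injectable string-concatenation
// pattern beside its prepared-statement replacement. PDO with SQLite in memory stands
// in for a MySQL connection; the same PDO calls work unchanged against MySQL.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 'secret1'), ('bob', 'secret2')");

// Constructed attacker-controlled value, as it might arrive in $_POST['name'].
$name = "' OR '1'='1";

// Vulnerable: the value is spliced into the SQL text, so the quote closes the string
// literal and the remainder becomes part of the WHERE clause, matching every row.
function findUserVulnerable(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the query text is fixed at prepare time; the value is bound as a parameter and
// can only ever be compared against the name column, never parsed as SQL.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("concatenated query returned %d row(s)\n", count(findUserVulnerable($db, $name)));
printf("prepared statement returned %d row(s)\n", count(findUserSafe($db, $name)));
```

With a MySQL DSN, also set PDO::ATTR_EMULATE_PREPARES to false so that the MySQL driver uses real server-side prepared statements rather than client-side escaping.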

2. addslashes()

This function works on a similar principle to mysql_real_escape_string(), but it knows nothing about the database connection's character set, so it should not be relied on to prevent SQL injection. When "magic_quotes_gpc" is "on" in php.ini, do not call this function on request data: magic_quotes_gpc (enabled by default in older PHP versions) automatically runs addslashes() on all GET, POST and COOKIE data, and calling addslashes() again on such strings results in double escaping. You can use get_magic_quotes_gpc() to check whether it is enabled. Note that magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, and get_magic_quotes_gpc() itself was removed in PHP 8.0; on current PHP versions the setting no longer exists and request data always arrives unescaped.

3. htmlentities()

This function is useful for escaping user-entered data before it is placed in an HTML page. It converts every character that has a named HTML entity into that entity. For example, when a user enters <, the function converts it into the entity &lt;, and when the user enters >, it is converted into &gt;. Like htmlspecialchars(), it takes a flags argument and a character set; always pass the page's character set (normally UTF-8) so that multibyte input is handled correctly.

4. htmlspecialchars()

In HTML, certain characters have special meanings. If you want them to be displayed literally rather than interpreted as markup, they must be converted into HTML entities. This function returns the converted string; for example, '&' (ampersand) is converted to '&amp;'. Unlike htmlentities(), it converts only the few characters that are significant to the HTML parser, which is all that output escaping requires.

ps: There was an error in the original text here. Many thanks to Jin Yu for pointing it out. It has been corrected, and the common conversions performed by this function are attached below:

The translations performed are:
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
"'" (single quote) becomes '&#039;' (or '&apos;' with ENT_XML1, ENT_XHTML or ENT_HTML5) only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
Before PHP 8.1 the default flags were ENT_COMPAT | ENT_HTML401, which leaves single quotes unescaped; since PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Pass ENT_QUOTES explicitly whenever the output can land inside a single-quoted attribute.
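An output-escaping helper built on htmlspecialchars(), shown against constructed attacker input in both HTML text and an attribute value, as an added example that is not part of the original article. The helper name e() and the sample inputs are this example's own choices; the htmlentities() call at the end covers section 3 as well.

```php
<?php
// Added example (not from the original article): escaping untrusted values for HTML
// text and attribute positions with htmlspecialchars(). Inputs are constructed.

// ENT_QUOTES escapes both " and ', so the same helper is safe inside single- and
// double-quoted attributes. ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of
// making htmlspecialchars() return an empty string, which would silently blank the output.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed values a user might submit through a form.
$comment = '<script>alert(document.cookie)</script> Tom & Jerry';
$title   = "' onmouseover='alert(1)";

// Without escaping, the browser executes the script and the single quote terminates
// the alt attribute so the injected event handler becomes part of the <img> tag.
$unsafe = "<p>{$comment}</p>\n<img alt='{$title}' src='a.png'>\n";

// Escaped: the tags are displayed as text, and the quote cannot close the attribute.
$safe = '<p>' . e($comment) . "</p>\n<img alt='" . e($title) . "' src='a.png'>\n";

// The pre-8.1 default flags (ENT_COMPAT) leave the single quote alone, so a single-quoted
// attribute is still injectable even though htmlspecialchars() was called.
$stillBroken = "<img alt='" . htmlspecialchars($title, ENT_COMPAT, 'UTF-8') . "' src='a.png'>\n";

// htmlentities() additionally converts every character that has a named entity; that is
// unnecessary for security once the page declares UTF-8, but it is harmless.
$entities = htmlentities('café & crème <b>', ENT_QUOTES, 'UTF-8');

echo "--- unescaped ---\n", $unsafe;
echo "--- htmlspecialchars with ENT_QUOTES ---\n", $safe;
echo "--- htmlspecialchars with ENT_COMPAT (single quote untouched) ---\n", $stillBroken;
echo "--- htmlentities ---\n", $entities, "\n";
```

Escaping is context-specific: this helper is correct for HTML text and quoted attribute values, but values placed inside a <script> block, a URL, or a CSS property need escaping rules of their own.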

5. strip_tags()

This function removes HTML and PHP tags from a string (a <script> tag is just another HTML tag to it). You can also allow specific tags to remain by passing them in the second parameter. Two caveats: the text between removed tags is kept, so <script>alert(1)</script> becomes alert(1), and allowed tags keep all of their attributes, including event handlers such as onmouseover and javascript: URLs in href. strip_tags() is therefore a display-cleanup tool, not an XSS defense; escape the output with htmlspecialchars(), or use a proper HTML sanitizer when some markup must be allowed.
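What strip_tags() does and does not remove, run over constructed inputs, as an added example that is not part of the original article. The inputs and variable names are this example's own.

```php
<?php
// Added example (not from the original article): strip_tags() with and without an
// allowed-tags list, on constructed inputs chosen to show its limits.

$inputs = [
    // The <script> tags are removed, but the script body survives as plain text.
    '<script>alert(1)</script>hello',
    // PHP tags are stripped as well.
    'price <?php echo 1; ?> ok',
    // With <a> allowed, the dangerous attributes on it are passed through untouched.
    '<a href="javascript:alert(1)" onmouseover="alert(2)">click</a>',
    // An incomplete tag is treated as the start of a tag and removed to the end.
    'broken <b tag',
];

foreach ($inputs as $in) {
    $stripped = strip_tags($in);
    $allowA   = strip_tags($in, '<a>');
    printf("input:      %s\nstripped:   %s\nallow <a>:  %s\n\n", $in, $stripped, $allowA);
}
```

A whitelist of tags is not a whitelist of attributes, which is why the third input stays dangerous after stripping. Where user-supplied markup must be rendered, run it through a real HTML sanitizer that filters attributes and URL schemes; where it need not be rendered, escape the whole string for display instead of stripping.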

6. md5()

Storing passwords in plaintext in the database is a bad practice that security-conscious developers avoid. The md5() function produces a 32-character hexadecimal MD5 hash of a given string, and the process is one-way: you cannot compute the original string from its md5() output.
Nevertheless, md5() is no longer considered secure for passwords. MD5 is fast and md5() applies no salt, so anyone who obtains a leaked hash can look it up in public databases of precomputed hashes or brute-force common passwords at billions of guesses per second. Since PHP 5.5, password_hash() and password_verify() (bcrypt with a random per-password salt and a configurable cost) are the recommended way to store passwords.

7. sha1()

This function is similar to md5() but uses a different algorithm, producing a 40-character hexadecimal SHA-1 hash (md5() produces 32 characters). As a password hash it shares MD5's weaknesses (fast, unsalted), and practical SHA-1 collisions have since been demonstrated, so do not rely on it for security-critical purposes. For password storage use password_hash(); for general-purpose hashing use hash('sha256', ...) or stronger.
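Why a bare md5() or sha1() of a password is weak, beside the password_hash()/password_verify() API that replaces it, as an added example covering sections 6 and 7 that is not part of the original article. The password, the candidate list and the function name are constructed for the example; it needs PHP 7 or later.

```php
<?php
// Added example (not from the original article): unsalted fast hashes versus
// password_hash(). The password and the guess list are constructed.

$password = 'letmein';

// Unsalted fast hashes: the same password always gives the same hash, so a leaked table
// can be attacked with a precomputed lookup or a very fast dictionary run.
$md5  = md5($password);
$sha1 = sha1($password);

// A miniature dictionary attack: hash each candidate and compare. Real attackers do this
// at billions of guesses per second on GPUs; a few guesses are enough to show the idea.
function crackUnsalted(string $targetHash, array $candidates, string $algo): ?string {
    foreach ($candidates as $guess) {
        if (hash_equals($targetHash, hash($algo, $guess))) {
            return $guess;
        }
    }
    return null;
}
$candidates = ['123456', 'password', 'letmein', 'qwerty'];
printf("md5 recovered:  %s\n", crackUnsalted($md5, $candidates, 'md5') ?? '(none)');
printf("sha1 recovered: %s\n", crackUnsalted($sha1, $candidates, 'sha1') ?? '(none)');

// password_hash() (PHP >= 5.5) uses bcrypt with a random per-password salt and a tunable
// cost: the same password hashes differently every time, precomputed tables are useless,
// and each guess is deliberately slow.
$stored1 = password_hash($password, PASSWORD_DEFAULT);
$stored2 = password_hash($password, PASSWORD_DEFAULT);
printf("two hashes of the same password differ: %s\n", $stored1 !== $stored2 ? 'yes' : 'no');

// password_verify() reads the algorithm, cost and salt back out of the stored string.
printf("verify correct password: %s\n", password_verify('letmein', $stored1) ? 'ok' : 'fail');
printf("verify wrong password:   %s\n", password_verify('letmeout', $stored1) ? 'ok' : 'fail');

// On a successful login, transparently upgrade hashes whose algorithm or cost is outdated.
if (password_needs_rehash($stored1, PASSWORD_DEFAULT, ['cost' => 12])) {
    $stored1 = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}
```

hash_equals() is used for the comparison because a plain == on hashes leaks timing information and, in PHP, can also compare numeric-looking strings loosely.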

8. intval()

Don't laugh yet; I know this function is not usually thought of as a security function. intval() converts a variable to an integer. Casting untrusted input to the type you actually expect makes PHP code safer, especially when parsing values such as IDs and ages, because whatever the user sent, the result can only ever be an integer. Be aware that intval() is lenient: intval("12abc") returns 12 and intval("abc") returns 0. When malformed input should be rejected rather than silently coerced, validate with filter_var($value, FILTER_VALIDATE_INT) (optionally with min_range and max_range), and bind the result as an integer parameter in your prepared statement.
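Coercing versus validating an untrusted numeric parameter, as an added example that is not part of the original article. The request values and function names are constructed for the example.

```php
<?php
// Added example (not from the original article): intval() coercion beside strict
// validation with filter_var(). Sample request values are constructed.

// Lenient: always yields an integer, but silently accepts junk and negative values.
function idByCast(string $raw): int {
    return intval($raw);
}

// Strict: returns null unless the whole string is an integer in the allowed range.
function idByValidation(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// Each value as it might appear in $_GET['id'].
$samples = ['42', '12abc', 'abc', '-7', '0x1A', '', ' 42', '99999999999999999999'];
foreach ($samples as $raw) {
    printf("%-24s intval=%-6s filter_var=%s\n",
        var_export($raw, true),
        var_export(idByCast($raw), true),
        var_export(idByValidation($raw), true));
}
```

The validated value is the one to bind with PDO::PARAM_INT; rejecting '12abc' up front also surfaces tampering and broken clients that intval() would otherwise hide.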

Attached here is the original English address: http://www.pixelstech.net/article/1300722997-Useful-functions-to-provide-secure-PHP-application

I hope this article is helpful to everyone's PHP programming.
