Commonly used escape functions in PHP_PHP tutorial

1. addslashes

addslashes escapes special characters in SQL statements, including ('), (“), (), (NUL) four characters, This function is used when the DBMS does not have its own escape function, but if the DBMS has its own escape function, it is recommended to use the original function. For example, MySQL has the mysql_real_escape_string function to escape SQL. Note that before PHP5.3, magic_quotes_gpc was the default. When enabled, it mainly performs addslashes operations on $GET, $POST, and $COOKIE, so there is no need to repeatedly call addslashes on these variables, otherwise it will double escaping. However, magic_quotes_gpc has been abandoned in PHP5.3 and has been in use since PHP5. .4 has been removed. If you use the latest version of PHP, you don’t have to worry about this problem. stripslashes is the unescape function of addslashes.

2. htmlspecialchars

htmlspecialchars. Escape several special characters in HTML into HTML Entity (format: &xxxx;), including (&), ('), ("), (<), (>) five characters.

& (AND) => > >< (less than sign) => <
> (greater than sign) => >
htmlspecialchars can be used to filter $GET, $POST, $COOKIE data to prevent XSS. Note that the htmlspecialchars function only escapes HTML characters that are considered to have security risks. If you want to escape all characters that can be escaped in HTML, please use htmlentities. htmlspecialchars_decode is the decode function of htmlspecialchars.


3. htmlentities

htmlentities escapes the escapable content in HTML into HTML Entity. html_entity_decode is the decode function of htmlentities.

4. mysql_real_escape_string

mysql_real_escape_string will call the MySQL library function mysql_real_escape_string, for (x00), (n), (r), (), ('), (x1a) Escape, that is, add a backslash () in front to prevent SQL injection. Note that you do not need to call stripslashes to unescape when reading the database data, because these backslashes are added when the database executes SQL, and the backslashes will be removed when the data is written to the database, so The content written to the database is the original data, and there will be no backslashes in front.

5. strip_tags

strip_tags will filter out NUL, HTML and PHP tags.

6. Conclusion

PHP’s own security functions cannot completely avoid XSS. It is recommended to use HTML Purifier

http://www.bkjia.com/PHPjc/736834.html

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/736834.htmlTechArticle1. addslashes addslashes escapes special characters in SQL statements, including ('), (") , (), (NUL) four characters, this function is used when the DBMS does not have its own escape function, but...