mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement, taking into account the connection's current character set.
Note: this function does not escape % and _ (the LIKE wildcards). Also, do not run it over the entire SQL statement; escape only the string parameters that are inserted into the statement, otherwise the results will not be what you expect.
<?php
// Needs an open connection from mysql_connect(); without a link argument the
// function uses the most recently opened connection.
$item = "Zak's and Derick's Laptop";
$escaped_item = mysql_real_escape_string($item);
printf("Escaped string: %s\n", $escaped_item);
?>
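The following is an added example, not code from the original page, showing the two cautions above in working code: escape only the parameter, and handle % and _ separately when the value goes into a LIKE pattern. The old mysql extension (and mysql_real_escape_string) was removed in PHP 7.0, so the example uses mysqli_real_escape_string(), which takes the connection as its first argument. It assumes a MySQL database with a table products(name VARCHAR(255)); the table name and connection credentials are placeholders.

```php
<?php
// Added example, not from the original page. Assumes a mysqli connection to a
// database containing a table `products(name VARCHAR(255))`; the table name
// and the credentials at the bottom are placeholders.

// mysqli_real_escape_string() does NOT touch the LIKE wildcards % and _, so a
// value destined for a LIKE pattern needs them escaped first. MySQL's default
// LIKE escape character is the backslash (unless sql_mode NO_BACKSLASH_ESCAPES
// is set, in which case a different ESCAPE clause would be needed).
function escape_like_wildcards(string $value): string
{
    // Escape existing backslashes first, then the two wildcards.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// Escape-and-concatenate: only the parameter is escaped, never the whole SQL text.
function find_products_by_prefix(mysqli $link, string $prefix): array
{
    $pattern = mysqli_real_escape_string($link, escape_like_wildcards($prefix)) . '%';
    $sql = "SELECT name FROM products WHERE name LIKE '$pattern'";
    $result = mysqli_query($link, $sql);
    if ($result === false) {
        throw new RuntimeException('Query failed: ' . mysqli_error($link));
    }
    $names = [];
    while ($row = mysqli_fetch_assoc($result)) {
        $names[] = $row['name'];
    }
    return $names;
}

// The same lookup as a prepared statement: the value is sent separately from
// the SQL text, so quotes in it cannot change the statement and no string
// escaping is needed. The LIKE wildcards are still pattern syntax, though,
// so they still have to be escaped.
function find_products_by_prefix_prepared(mysqli $link, string $prefix): array
{
    $stmt = mysqli_prepare($link, 'SELECT name FROM products WHERE name LIKE ?');
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . mysqli_error($link));
    }
    $pattern = escape_like_wildcards($prefix) . '%';
    mysqli_stmt_bind_param($stmt, 's', $pattern);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $name);
    $names = [];
    while (mysqli_stmt_fetch($stmt)) {
        $names[] = $name;
    }
    mysqli_stmt_close($stmt);
    return $names;
}

$link = mysqli_connect('localhost', 'db_user', 'db_password', 'shop'); // placeholders
if ($link === false) {
    die('Connection failed: ' . mysqli_connect_error());
}
// Constructed input containing both a single quote and a LIKE wildcard.
$input = "Zak's 100%";
print_r(find_products_by_prefix($link, $input));
print_r(find_products_by_prefix_prepared($link, $input));
mysqli_close($link);
```

With the escaping in place, the "%" in the input matches a literal percent sign rather than every row; without escape_like_wildcards() the query would return all products whose name starts with "Zak's 100". Both functions return the same list for the same input, and the prepared-statement form is the one to prefer in new code.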
The addslashes() function adds a backslash before each of a fixed set of predefined characters.
These predefined characters are:
Single quote (')
Double quote (")
Backslash (\)
NUL (the NULL byte)
In old PHP versions the directive magic_quotes_gpc was on by default, which automatically ran addslashes() on all GET, POST and COOKIE data. Do not call addslashes() on strings that magic_quotes_gpc has already escaped, since that double-escapes them. To handle this situation, use get_magic_quotes_gpc() to detect whether the directive is on.
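An added example (not from the original page) of the double-escaping problem described above and of the get_magic_quotes_gpc() check that avoids it. It assumes request data arrives in $_POST; the field name is a placeholder. magic_quotes_gpc itself was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, which is why the check is guarded with function_exists().

```php
<?php
// Added example, not from the original page. Shows what addslashes() does to the
// four characters it handles, what double escaping looks like, and a wrapper
// that escapes request data exactly once regardless of magic_quotes_gpc.

// Return the raw, unescaped value of a GET/POST/COOKIE field. If this PHP build
// still has magic_quotes_gpc on, the value already carries addslashes() escaping
// and stripslashes() undoes it; on modern PHP the value is returned unchanged.
function raw_request_value(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape exactly once: normalise to the raw value first, then addslashes().
function escape_once(string $value): string
{
    return addslashes(raw_request_value($value));
}

// Constructed sample containing all four predefined characters: ' " \ and NUL.
$sample = "Zak's \"laptop\" C:\\temp" . "\0";
echo addslashes($sample), "\n";           // Zak\'s \"laptop\" C:\\temp\0

// Double escaping: the second call escapes the backslash the first one added.
echo addslashes(addslashes("Zak's")), "\n";   // Zak\\\'s

// Applied to a request field (placeholder name), escaped exactly once.
echo escape_once($_POST['item'] ?? "Zak's"), "\n";   // Zak\'s
```

Note that addslashes() knows nothing about the database connection's character set, which is exactly what the mysql_real_escape_string() description above points out; for SQL parameters the connection-aware escaping function or a prepared statement is the right tool, and addslashes() is only a general-purpose quoting helper.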
<?php
$str = "jane &amp; &#039;tarzan&#039;"; // Define an HTML string containing entities
echo html_entity_decode($str); // Output the converted content (by default the &#039; quote entities stay encoded)
echo "\n";
echo html_entity_decode($str, ENT_QUOTES); // Output with the optional flags parameter: ENT_QUOTES also decodes single quotes
For more details, please see: http://www.bKjia.c0m/phper/php-function/36439.htm