
Detailed explanation of php special character escaping

WBOY
2016-07-25 08:52:02
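    <?php
    // $clean holds input that has already been filtered
    $html = array();
    // Escape for HTML output; ENT_QUOTES covers both double and single quotes
    $html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');
    echo "<p>Welcome back, {$html['username']}.</p>";
    ?>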

Tip: The htmlspecialchars() function is essentially the same as htmlentities(). They take exactly the same parameters; the difference is that htmlentities() escapes more thoroughly.

Outputting the username to the client via $html['username'] ensures that the browser will not misinterpret any special characters in it. If the username contains only letters and numbers, escaping is not strictly necessary, but doing it anyway reflects the principle of defense in depth. Escaping all output is a very good habit and can dramatically improve the security of your software.
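The difference between the two functions, and the effect of the quote flag, shown on constructed usernames. This is an added example, not code from the original article; the helper name escape_html() and the use of ENT_SUBSTITUTE are assumptions of the example.

```php
<?php
// Added example. All sample usernames below are constructed for illustration.

/**
 * Hypothetical helper: escape a value for HTML output as the article does,
 * plus ENT_SUBSTITUTE so invalid UTF-8 becomes U+FFFD instead of the whole
 * string being returned empty.
 */
function escape_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = array(
    'markup'    => '<em>admin</em>',
    'quotes'    => 'O\'Brien "Bob"',
    'accented'  => 'Zoë & Renée',
    'bad utf-8' => "bob\xC3\x28",   // invalid multibyte sequence
);

foreach ($samples as $label => $raw) {
    $rows = array(
        // ENT_COMPAT leaves single quotes untouched
        'specialchars/ENT_COMPAT' => htmlspecialchars($raw, ENT_COMPAT, 'UTF-8'),
        // ENT_QUOTES escapes both quote characters
        'specialchars/ENT_QUOTES' => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'),
        // htmlentities() also converts characters such as the accented letters
        'entities/ENT_QUOTES'     => htmlentities($raw, ENT_QUOTES, 'UTF-8'),
        // same, but invalid byte sequences are substituted rather than dropped
        'escape_html()'           => escape_html($raw),
    );

    echo "[$label]\n";
    foreach ($rows as $how => $escaped) {
        // var_export makes an empty result visible as ''
        printf("  %-24s %s\n", $how, var_export($escaped, true));
    }
}
?>
```

Run it from the command line with `php` and compare the rows for each sample: the "bad utf-8" sample comes back as an empty string from the first three calls, which is easy to miss when the escaped value is echoed straight into a page.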

Another common output destination is the database. Where possible, escape the data placed in an SQL statement with PHP's built-in functions.

For MySQL users, the best escape function is mysql_real_escape_string(). If no built-in PHP escape function is available for the database in use, addslashes() is the last resort.

Example: the correct escaping technique for a MySQL database:

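    <?php
    // $clean holds input that has already been filtered.
    // The mysql_* extension was removed in PHP 7.0; mysqli_real_escape_string()
    // is its counterpart in the mysqli extension.
    $mysql = array();
    // Escape for the SQL context, using the open connection's character set
    $mysql['username'] = mysql_real_escape_string($clean['username']);
    $sql = "SELECT *
            FROM profile
            WHERE username = '{$mysql['username']}'";
    $result = mysql_query($sql);
    ?>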
