Commonly used PHP escape functions
This article introduces the character-escaping and security functions commonly used in PHP. Used for the right output context, these functions defeat the most common attacks of their kind, such as SQL injection and cross-site scripting (XSS); used for the wrong context (HTML escaping applied to a SQL value, or the reverse) they give no protection at all.

Contents of this section: usage of the PHP escape functions.

1. addslashes
addslashes adds a backslash in front of four characters: single quote ('), double quote ("), backslash (\) and NUL. It is meant for building quoted SQL string literals when the DBMS has no escaping function of its own. If the DBMS does provide one, use that instead: addslashes knows nothing about the connection character set, so on multibyte encodings such as GBK a crafted byte sequence can swallow the inserted backslash and leave the quote live. For example, MySQL has mysql_real_escape_string for escaping values used in SQL. Note that before PHP 5.3 magic_quotes_gpc was on by default and applied addslashes to everything in $_GET, $_POST and $_COOKIE, so calling addslashes on those variables again escaped them twice. magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so on a current PHP version this is no longer a concern. stripslashes is the inverse of addslashes.

2. htmlspecialchars
htmlspecialchars converts the five characters that have special meaning in HTML into HTML entities (format: &xxxx;): ampersand (&), single quote ('), double quote ("), less-than (<) and greater-than (>).

  & (ampersand)     => &amp;
  " (double quote)  => &quot;   (unless ENT_NOQUOTES is set)
  ' (single quote)  => &#039;   (only when ENT_QUOTES is set; ENT_QUOTES is the default from PHP 8.1)
  < (less than)     => &lt;
  > (greater than)  => &gt;

htmlspecialchars can be applied to $_GET, $_POST and $_COOKIE data before it is echoed into HTML to prevent XSS. Always pass ENT_QUOTES and the page's character set: without ENT_QUOTES a single quote survives and can terminate a single-quoted attribute, and the escaping is only valid for HTML text and attribute values, not for JavaScript strings or URLs. Note that htmlspecialchars only escapes the characters that matter to the HTML parser; to convert every character that has a named entity, use htmlentities. htmlspecialchars_decode is the decode function of htmlspecialchars.

3. htmlentities
htmlentities converts every character that has an HTML entity equivalent into that entity (for example, é becomes &eacute;). html_entity_decode is the decode function of htmlentities.

4. mysql_real_escape_string
mysql_real_escape_string calls the MySQL client library function of the same name, which prepends a backslash to \x00, \n, \r, \, ', " and \x1a, taking the connection character set into account, so that the value can be placed inside a quoted SQL literal without breaking out of it. The mysql extension was removed in PHP 7.0; its replacements are mysqli_real_escape_string and PDO::quote, and prepared statements with bound parameters avoid the need to escape at all.
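The following script is an added example for sections 2 and 3 (and for the strip_tags behaviour described in section 5); it is not code from the original article. It renders one constructed attacker string into several HTML contexts and shows which flags of htmlspecialchars make the result safe, how htmlentities differs, and why strip_tags with an allowed-tag list is not a sanitiser. The only assumptions are the constructed input and a UTF-8 page; run it with the php CLI.

```php
<?php
// Added example, not from the original article. Constructed attacker input
// rendered into HTML, attribute, URL and JavaScript contexts.
// Run with: php xss_escape.php
declare(strict_types=1);

// Constructed sample input, as it might arrive in $_GET['name'].
$input = "\" onmouseover='alert(1)' x=\"<script>alert(1)</script>&amp;é";

// Escape for HTML text and attribute values. ENT_QUOTES covers both quote
// styles, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Unescaped: the input closes the attribute and injects a handler and a script.
echo "VULNERABLE : <input value=\"{$input}\">\n";

// 2. ENT_COMPAT (the default before PHP 8.1) escapes " but not ', so the
//    payload still terminates a single-quoted attribute.
echo "ENT_COMPAT : <input value='", htmlspecialchars($input, ENT_COMPAT, 'UTF-8'), "'>\n";

// 3. ENT_QUOTES: safe inside double- or single-quoted attributes and in text nodes.
echo "ENT_QUOTES : <input value='", e($input), "'>\n";
echo "ENT_QUOTES : <p>", e($input), "</p>\n";

// 4. Other contexts need their own encoders: htmlspecialchars does nothing
//    useful inside a URL parameter or a JavaScript string literal.
echo "URL        : <a href=\"/search?q=", rawurlencode($input), "\">\n";
echo "JS         : <script>var name = ",
     json_encode($input, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT),
     ";</script>\n";

// 5. htmlentities additionally converts characters with named entities (é -> &eacute;);
//    both functions round-trip through their decode counterparts.
$ent = htmlentities($input, ENT_QUOTES, 'UTF-8');
echo "htmlentities: ", $ent, "\n";
echo "round trip  : ", var_export(html_entity_decode($ent, ENT_QUOTES, 'UTF-8') === $input, true), "\n";

// 6. strip_tags removes tags (not their text) and, as the manual warns, leaves
//    attributes on allowed tags untouched, so an allowed list is not a sanitiser.
$html = '<a href="javascript:alert(1)" onclick="alert(2)">link</a><script>alert(3)</script>';
echo "strip_tags(all)     : ", strip_tags($html), "\n";          // linkalert(3)
echo "strip_tags(allow a) : ", strip_tags($html, '<a>'), "\n";   // javascript: and onclick survive
```

The practical rule the output illustrates: pick the encoder by where the value lands (HTML body or attribute, URL, JavaScript), pass ENT_QUOTES and the charset explicitly so behaviour does not depend on the PHP version, and do not treat strip_tags as an XSS filter when any tag is allowed through.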
Note that you do not need to call stripslashes on data read back from the database. The backslashes exist only in the SQL text: the server removes them when it parses the quoted literal, so the value stored in the table is the original data with no backslashes in front.

5. strip_tags
strip_tags removes NUL bytes and HTML and PHP tags from a string (the text inside the tags is kept). It is not an XSS filter: as the PHP manual warns, attributes on tags passed in the allowed-tags list are left untouched, including event handlers and javascript: URLs.

6. Conclusion
The escaping functions built into PHP cannot by themselves eliminate XSS, in particular when some HTML markup must be allowed through. For that case a proper HTML sanitiser such as HTML Purifier is recommended.

Detailed explanation of PHP escaping: magic quotes
When magic_quotes_gpc or magic_quotes_runtime is set to on, PHP automatically adds a backslash in front of single quotes ('), double quotes (") and backslashes (\) in the affected data, so that the escaped symbols can be used in SQL literals without further processing. The difference between the two:

  magic_quotes_gpc
    Scope: data sent by the web client to the server (Get/Post/Cookie).
    When: once, as the request starts, before the script runs.
  magic_quotes_runtime
    Scope: data read from a file, returned by exec(), or obtained from a SQL query.
    When: each time the script reads such data at run time.

So the value of magic_quotes_gpc affects data obtained through Get/Post/Cookie, while the value of magic_quotes_runtime affects data read from files or obtained from database queries.

Related functions:
  set_magic_quotes_runtime(): sets the magic_quotes_runtime value; 0 = off, 1 = on. The default is off. The current value can also be seen in the output of phpinfo().
  get_magic_quotes_gpc(): returns the magic_quotes_gpc value; 0 = off, 1 = on.
  get_magic_quotes_runtime(): returns the magic_quotes_runtime value; 0 = off, 1 = on.
Note that there is no set_magic_quotes_gpc() function: magic_quotes_gpc is applied before the script starts and cannot be changed from within the program. (set_magic_quotes_runtime was deprecated in PHP 5.3 and removed in 7.0; get_magic_quotes_gpc and get_magic_quotes_runtime were deprecated in 7.4 and removed in 8.0.)
Because these two settings vary between deployments, the same value may end up escaped twice or not at all, which causes confusion during development. There are two ways to handle it: check the settings at the start of the program and normalise the input accordingly, or turn both settings off in the configuration and do all escaping in code. In the second approach addslashes (or, better, the driver's own escaping function) is applied once before the value is inserted so that it is stored correctly. The habit of calling stripslashes when reading data back is only a workaround for values that were escaped twice on the way in and stored with the extra backslashes; correctly escaped data needs no stripping on read.

Similar character-conversion functions in PHP:
  addslashes: adds a backslash before the predefined characters
  stripslashes: removes the backslashes added by addslashes()
  htmlspecialchars: converts some predefined characters into HTML entities
  htmlspecialchars_decode: converts some predefined HTML entities back into characters
  html_entity_decode(): converts HTML entities into characters
  htmlentities(): converts characters into HTML entities
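The following script is an added example for sections 1 and 4 and for the magic quotes discussion above; it is not code from the original article. It uses PDO with an in-memory SQLite database (assumed available through the bundled pdo_sqlite extension) as an offline stand-in for MySQL, with PDO::quote taking the role of mysql_real_escape_string: a driver-aware escape of a value that is then spliced into a quoted SQL literal. The attacker input, table and rows are constructed for the demonstration.

```php
<?php
// Added example, not from the original article. Vulnerable concatenation,
// driver escaping, prepared statements, the "no stripslashes on read" point,
// and the double-escaping that magic_quotes_gpc plus addslashes produced.
// Assumes pdo_sqlite. Run with: php sql_escape.php
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 's3cret-a'), ('bob', 's3cret-b')");

// Constructed attacker input, as it might arrive in $_GET['name'].
$evil = "x' OR '1'='1";

// 1. Vulnerable: the quote in $evil ends the literal and the rest becomes SQL,
//    so the WHERE clause is always true and every row comes back.
$rows = $db->query("SELECT name FROM users WHERE name = '$evil'")->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated : %d rows (%s)\n", count($rows), implode(', ', $rows));

// 2. Escaped: PDO::quote returns the value escaped and wrapped in quotes
//    (mysql_real_escape_string does the escaping only; you add the quotes).
//    The embedded quote is neutralised, so the whole input is compared as one string.
$rows = $db->query('SELECT name FROM users WHERE name = ' . $db->quote($evil))->fetchAll(PDO::FETCH_COLUMN);
printf("quoted       : %d rows\n", count($rows));

// 3. Preferred: a prepared statement. The value never touches the SQL text,
//    so there is nothing to escape and no character-set edge cases apply.
$stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute([$evil]);
printf("prepared     : %d rows\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));

// 4. Escaping lives only in the SQL text. Insert a value containing quotes and
//    a backslash through quote(), read it back: the stored value is the original,
//    so stripslashes on read would corrupt it rather than fix it.
$raw = "O'Brien \\ \"quoted\"";
$db->exec('INSERT INTO users (name, secret) VALUES (' . $db->quote($raw) . ", '')");
$back = $db->query('SELECT name FROM users WHERE id = 3')->fetchColumn();
printf("round trip   : %s\n", var_export($back === $raw, true));

// 5. Double escaping: what magic_quotes_gpc followed by an explicit addslashes
//    did. The second pass escapes the backslashes added by the first, and storing
//    that result is where the habit of stripslashes-on-read came from.
$once  = addslashes($raw);
$twice = addslashes($once);
echo "addslashes once : $once\n";
echo "addslashes twice: $twice\n";
echo "stripslashes(twice) === once: ", var_export(stripslashes($twice) === $once, true), "\n";

// 6. The start-of-script normalisation the magic quotes section describes:
//    undo magic_quotes_gpc once, recursively, so later code escapes exactly once.
//    get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists guard.
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes((string) $value);
}
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}
```

Expected behaviour: step 1 returns both rows, steps 2 and 3 return none, step 4 prints true, and step 5 shows the escaped-escape sequences that double escaping leaves behind. With MySQL the escaping in step 2 would use backslashes rather than doubled quotes, but the conclusion is the same: the database parses the escapes away, and bound parameters remove the problem entirely.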
