How to perform character filtering in php

How to filter characters in php

The configurations and functions related to PHP string escaping are as follows:
1.magic_quotes_runtime
2.magic_quotes_gpc
3.addslashes() and stripslashes()
4.mysql_escape_string()
5.addcslashes() and stripcslashes()
6.htmlentities() and html_entity_decode()
7.htmlspecialchars() and htmlspecialchars_decode()

When magic_quotes_runtime is turned on, most functions in PHP automatically add backslashes to overflow characters in data imported from outside (including databases or files).
You can use set_magic_quotes_runtime() and get_magic_quotes_runtime() to set and detect its status.
Note: These two functions have been deprecated in PHP 5.3.0 or above, which means that this option is turned off in PHP 5.3.0 or above.
?
magic_quotes_gpc sets whether to automatically escape certain characters in the data transmitted by GPC (GET, POST, COOKIE),
Its setting can be detected using get_magic_quotes_gpc().
If this setting is not turned on, you can use the addslashes() function to add to the string to escape

addslashes()? Adds a backslash before the specified predefined characters.
Predefined characters include single quote ('), double quote ("), backslash () and NUL (NULL character).
The above is the explanation given by W3SCHOOL.COM.CN. I have always felt that it is not very accurate
Because when magic_quotes_sybase=on it converts single quotes (') into double quotes (") and when magic_quotes_sybase=off it converts single quotes (') into (')
The function of the stripslashes() function is exactly the opposite of addslashes()?, its function is to remove the escaping effect.

mysql_escape_string() escapes special characters in strings used in SQL statements. ?
The special ones here include (x00), (n), (r), (), ('), ("), (x1a)

addcslashes()? uses backslashes to escape characters in a string in C language style. This function is rarely used by people, but it should be noted that when selecting characters 0, a, b, f, n, r, When t and v are escaped, they are converted to
htmlentities() Convert characters to HTML entities. (What is an HTML entity? Google it yourself~~)
See here for specific parameters. Its inverse function html_entity_decode() -? converts HTML entities into characters.

The htmlspecialchars() function converts some predefined characters into HTML entities.
These predefined characters are:
& (ampersand) becomes &
" (double quote) becomes "
' (single quote) becomes '
< (less than) becomes <
> (greater than) become >
?Please see here for detailed parameters. The inverse function is htmlspecialchars_decode() to convert some predefined HTML entities into characters.

A little bit of my own experience:
>>Multiple single quote escapes may cause database security issues
>> It is not recommended to use mysql_escape_string for escaping. It is recommended to escape when obtaining user input
>> Since set_magic_quotes_runtime()? has been abandoned in PHP5.3.0 and later versions, it is recommended to turn it off in a unified configuration for previous versions:

Copy the codeThe code is as follows:

if(phpversion() < '5.3.0') {
set_magic_quotes_runtime(0);
}

?>> Magic_quotes_gpc cannot be defined through a function, so it is recommended to enable it uniformly on the server. You should make a judgment when writing a program to avoid security issues caused by not enabling GPC
When escaping GPC through addslashes, attention should be paid to the filtering of keys and values ​​when users submit array data

Copy the codeThe code is as follows:

if(!get_magic_quotes_gpc()) {
$_GET = daddslashes($_GET);
$_POST = daddslashes($_POST);
$_COOKIE = daddslashes($_COOKIE);
$_FILES = daddslashes($_FILES);
}
function daddslashes($string, $force = 1) {
if(is_array($string)) {
foreach($string as $key => $val) {
unset($string[$key]);
$string[addslashes($key)] = daddslashes($val, $force);
}
} else {
$string = addslashes($string);
}
return $string;
}

?>> Use escaping HTML entities when user input or output to prevent XSS vulnerabilities!

Today I came across an issue dealing with special characters in files, and I noticed this problem again, in php:

* PHP string with single quotes as delimiter, supports two escapes ' and \
* PHP strings with double quotes as delimiters support the following escapes:
n Line feed (LF or ASCII character 0x0A (10))
r Carriage return (CR or ASCII character 0x0D (13))
t horizontal tab character (HT or ASCII character 0x09 (9))
\ Backslash
$ dollar sign
" "Double quotes
[0-7]{1,3} This regular expression sequence matches a character represented in octal notation
x[0-9A-Fa-f]{1,2} This regular expression sequence matches a character represented in hexadecimal notation

Here are a few examples:

one contains
$str = "ffff echo(strlen($str));
echo("n");
for($i=0;$i echo("n");

Output result:
--------------------------

9
102 102 102 102 0 102 102 102 102

Example of replacing special characters

$str = "ffff $str = str_replace("x0", "", $str);
//Or use $str = str_replace(" //Or use $str = str_replace(chr(0), "", $str);
echo(strlen($str));
echo("n");
for($i=0;$i echo("n");
Output result:
--------------------------
8
102 102 102 102 102 102 102 102


Octal ascii code example:

//Note that a string that conforms to the regular pattern [0-7]{1,3} represents an octal ASCII code.
$str = " echo(strlen($str));
echo("n");
for($i=0;$i echo("n");
Output result:
--------------------------
11
0 1 2 3 7 8 9 0 0 56 92 56

Hexadecimal ascii code example:

$str = "x0x1x2x3x7x8x9x10x11xff";
echo(strlen($str));
echo("n");
for($i=0;$i echo("n");
Output result:

The above introduces how to perform character filtering in PHP, including the content of PHP character filtering. I hope it will be helpful to friends who are interested in PHP tutorials.