For data security and to prevent injection, the string obtained by $_GET needs to be filtered. At the beginning, I wrote the filtering function myself, and then
Let’s see a filter function that comes with the PHP tutorial, so I recommend addslashes to everyone.
An example of using addslashes() is when you are entering data into a database tutorial. For example, change the name O'reilly
is inserted into the database, which requires escaping it. Most databases use as escape character: O'reilly. This
This way you can put data into the database without inserting extra . When the PHP directive magic_quotes_sybase is
When set to on, it means that ' will be escaped when inserting '.
Example:
MySQL tutorial and PHP come with many functions that can handle character problems. Here are a few that are frequently used.
ps tutorial: Since php6 does not support magic_quotes_gpc, the following things are assumed
On the condition that magic_quotes_gpc=off (I don’t know what new things will come out in php6...)
mysql_real_escape_string()
Definition: Function escapes special characters in strings used in SQL statements.
Syntax: mysql_real_escape_string(string,connection)
Description: This function escapes special characters in string and takes into account the current character set of the connection, so it can be safely used in
mysql_query().
Since the example code is too long, a function explanation link is given
This function escapes special characters in a string and takes into account the current character set of the connection, so it is safe to use with
mysql_query().
Database attacks. This example demonstrates what happens if we don’t apply the mysql_real_escape_string() function to username and password
What happens:
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);//Do not check username and password
// It can be anything entered by the user, such as:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";// Some code...
mysql_close($con);
?>Then the SQL query will look like this:SELECT * FROM users
WHERE user='john' AND password='' OR ''='' This means no user needs to enter a valid passwordLogin
addSlashes()
Definition: The addslashes() function adds a backslash before the specified predefined characters.
Syntax: addslashes(string)
Note: By default, the PHP directive magic_quotes_gpc is on for all GET, POST and COOKIE
Data automatically runs addslashes(). Do not use
on strings that have been escaped by magic_quotes_gpcaddslashes(), because this will cause double escaping. When encountering this situation, you can use the function
get_magic_quotes_gpc() for detection.
Since the example code is too long, a function explanation link is given
Related functions
$str = "Is your name O'reilly?";
// Output: Is your name O'reilly?
echo addslashes($str);
?>StripSlashes() removes backslash characters
The stripslashes() function removes backslashes added by the addslashes() function.Grammar
stripslashes(string)echo stripslashes("Who's John Adams?");
?>