There are built-in functions available in PHP for escaping some common output targets, including clients, database tutorials, and URLs.
If you're going to write your own algorithm, it's important to be foolproof. It is necessary to find a reliable and complete list of special characters in the foreign system and how they are represented so that the data is preserved rather than translated.
The most common output destination is the client, and using htmlentities() to escape the data before emitting it is the best approach. Like other string functions, its input is a string, which is processed and output. But the best way to use the htmlentities() function is to specify its two optional parameters: the way to escape quotes (the second parameter) and the character set (the third parameter). The escaping method of quotation marks should be specified as ENT_QUOTES. Its purpose is to escape single quotation marks and double quotation marks at the same time. This is the most thorough. The character set parameter must match the character set used by the page.
In order to distinguish whether the data has been escaped, I still recommend defining a naming mechanism. For the escaped data output to the client, I use the $html array for storage, which is first initialized to an empty array to save all filtered and escaped data.
$html = array( );
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');
echo "Welcome back, {$html['username']}.
";
?>
Tips
The htmlspecialchars() function is basically the same as the htmlentities() function. Their parameter definitions are exactly the same, except that the escaping of htmlentities() is more thorough. By outputting username to the client via $html['username'], you can ensure that the special characters in it will not be viewed
The instrument was misinterpreted. If the username only contains letters and numbers, escaping is actually not necessary, but this reflects the principle of defense in depth. Escaping any output is a very good habit and can dramatically improve the security of your software.
Another common output destination is a database. If possible, you need to use PHP's built-in functions to escape the data in the SQL statement. For MySQL users, the best escape function is mysqltutorial_real_escape_string(). If the database you are using does not have PHP's built-in escaping functions available, addslashes() is the last resort.
The following example illustrates correct escaping techniques for the MySQL database:
$mysql = array( );
$mysql['username'] = mysql_real_escape_string($clean['username']);
$sql = "SELECT *
FROM profile
WHERE username = '{$mysql['username']}'";
$result = mysql_query($sql);
?>