What are the commonly used escape functions in php?

Commonly used escape functions in php

1.addslashes

addslashes escapes special characters in SQL statements, including ('), ("), (), (NUL) four characters. This function is used when the DBMS does not have its own escape function, but if the DBMS If you have your own escape function, it is recommended to use the original function. For example, MySQL has the mysql_real_escape_string function to escape SQL.

Note that before PHP5.3, magic_quotes_gpc was enabled by default, mainly in $GET, Perform addslashes operations on $POST and $COOKIE, so there is no need to call addslashes repeatedly on these variables, otherwise it will double escaping.

However, magic_quotes_gpc has been abandoned in PHP5.3 and has been available since PHP5.4 It has been removed. If you use the latest version of PHP, you don’t have to worry about this problem. stripslashes is the unescape function of addslashes.

2. htmlspecialchars

htmlspecialchars Several special characters in HTML are escaped into HTML Entity (format: &xxxx;) form, including (&), ('), ("), (<), (>) five characters.

& (AND) => &
” (double quote) => " (when ENT_NOQUOTES is not set)
' (single quote) => ' ( When ENT_QUOTES is set)
< (less than sign) => <
> (greater than sign) => >

htmlspecialchars can be used to filter $GET, $ POST, $COOKIE data, prevent XSS.

Note that the htmlspecialchars function only escapes HTML characters that are considered to have security risks. If you want to escape all characters that can be escaped in HTML, please use htmlentities. htmlspecialchars_decode is the decode function of htmlspecialchars.

3. htmlentities

htmlentities escapes the escapable content in HTML into HTML Entity. html_entity_decode is the decode function of htmlentities.

4. mysql_real_escape_string

mysql_real_escape_string will call the MySQL library function mysql_real_escape_string, for (\x00), (\n), (\r), (), ('), (\x1a ) to escape, that is, add a backslash () in front to prevent SQL injection.

Note that you do not need to call stripslashes to unescape when reading the database data, because these backslashes are added when the database executes SQL, and the backslashes are used when writing the data to the database. will be removed, so the content written to the database is the original data, and there will be no backslashes in front.

5. strip_tags
strip_tags will filter out NUL, HTML and PHP tags.

6. Conclusion

PHP’s own security function cannot completely avoid XSS. It is recommended to use HTML Purifier

Recommended tutorial: "PHP Tutorial"

The above is the detailed content of What are the commonly used escape functions in php?. For more information, please follow other related articles on the PHP Chinese website!