php escape functions include: 1. addslashes() function; 2. htmlspecialchars() function; 3. htmlentities() function; 4. mysql_real_escape_string() function; 5. strip_tags() function.
The operating environment of this tutorial: windows7 system, PHP7.1 version, DELL G3 computer
1. addslashes
addslashes escapes special characters in SQL statements, including ('), (“), (), (NUL) four characters.
This function is used when the DBMS does not have its own escape function, but if the DBMS has its own escape function, it is recommended to use the original function. For example, MySQL has the mysql_real_escape_string function to escape SQL.
Note that before PHP5.3, magic_quotes_gpc was enabled by default, mainly in $GET, $POST, Perform addslashes operation on $COOKIE, so there is no need to call addslashes repeatedly on these variables, otherwise it will be double escaping.
However, magic_quotes_gpc has been abandoned in PHP5.3 and has been removed since PHP5.4. If you use the latest version of PHP, you don’t have to worry about this problem. stripslashes is the unescape function of addslashes.
2.
htmlspecialchars
htmlspecialchars escapes several special characters in HTML into HTML Entity (format: &xxxx;) form, including (&), ('), ("), (<), (>) five characters.
& (AND) => &
” (double quotes) => " (when ENT_NOQUOTES is not set)
' (single quotes)
=> ' (when ENT_QUOTES is set)
< (less than sign) => <
> (greater than sign) => >
htmlspecialchars can be used to filter $GET, $POST, $COOKIE data to prevent XSS. Note that the htmlspecialchars function only escapes HTML characters that are considered to have security risks. If you want to escape all characters that can be escaped in HTML, please use htmlentities. htmlspecialchars_decode is the decode function of htmlspecialchars.
3. htmlentities
htmlentities escapes the escapable content in HTML into HTML Entity. html_entity_decode is the decode function of htmlentities.
4. mysql_real_escape_string
mysql_real_escape_string will call the MySQL library function mysql_real_escape_string, yes (\x00), (\n), (\r), (), (‘), (\x1a) to escape, that is, add a backslash () in front to prevent SQL injection. Note that you do not need to call stripslashes to unescape when reading the database data, because these backslashes are added when the database executes SQL, and the backslashes will be removed when the data is written to the database, so The content written to the database is the original data, and there will be no backslashes in front.
5. strip_tags
strip_tags will filter out NUL, HTML and PHP tags.
Recommended learning: "PHP Video Tutorial"
The above is the detailed content of What are the php escape functions?. For more information, please follow other related articles on the PHP Chinese website!