php mysql escape functions include: 1. addslashes function; 2. htmlspecialchars function; 3. htmlentities function; 4. mysql_real_escape_string function, etc.
The operating environment of this article: Windows7 system, PHP7.1 version, Dell G3 computer
php mysql escape function What are they?
php mysql escape function
When developing the sql query gadget, I encountered the POST when submitting the sql statement to query data in the background. When the terminal receives a sql statement with < or >, a syntax error is reported.
But there is no problem if I print out the submitted statement. Think about it, it must be an encoding or escaping problem.
$sqlQuery = html_entity_decode($_POST["content"]); $sqlQuery = stripslashes($sqlQuery);[object Object]
The following mainly introduces the commonly used escape functions and security functions in PHP. Using these functions can filter most common attack methods, such as SQL injection. Friends in need can refer to it
1. addslashes addslashes escapes special characters in SQL statements, including ('), ("), (), (NUL). This function is used when the DBMS does not have its own escape function, but If the DBMS has its own escape function, it is recommended to use the original function. For example, MySQL has the mysql_real_escape_string function to escape SQL. Note that before PHP5.3, magic_quotes_gpc was enabled by default, mainly in $GET, $POST, $ The addslashes operation is performed on COOKIE, so there is no need to call addslashes repeatedly on these variables, otherwise it will double escaping. However, magic_quotes_gpc has been abandoned in PHP5.3 and has been removed since PHP5.4. If you use the latest PHP You don’t have to worry about this problem. Stripslashes is the unescape function of addslashes.
2. htmlspecialchars htmlspecialchars escapes several special characters in HTML into HTML Entity (format: &xxxx;) form, including (&), ('), ("), () five characters.
& (AND) => & ” (双引号) => " (当ENT_NOQUOTES没有设置的时候) ‘ (单引号) => ' (当ENT_QUOTES设置) < (小于号) => < > (大于号) => >
htmlspecialchars can be used to filter $GET, $POST, $COOKIE data to prevent XSS. Note that the htmlspecialchars function only escapes HTML characters that are considered to have security risks. If you want to escape all characters that can be escaped in HTML, please use htmlentities. htmlspecialchars_decode is the decode function of htmlspecialchars.
3. htmlentities
htmlentities escapes the escapable content in HTML into HTML Entities. html_entity_decode is the decode function of htmlentities.
4. mysql_real_escape_string
mysql_real_escape_string will call the MySQL library function mysql_real_escape_string, for (\x00), (\n), (\r), (), ('), (\x1a ) to escape, that is, add a backslash () in front to prevent SQL injection. Note that you do not need to call stripslashes to unescape when reading the database data, because these backslashes are added when the database executes SQL, and the backslashes will be removed when the data is written to the database, so The content written to the database is the original data, and there will be no backslashes in front.
5. strip_tagsstrip_tags will filter out NUL, HTML and PHP tags.
6.stripslashes()
The function removes the backslashes added by the addslashes() function.
7. Conclusion PHP’s built-in security function cannot completely avoid XSS. It is recommended to use HTML Purifier
Recommended learning: "PHP Video Tutorial"
The above is the detailed content of What are the php mysql escape functions?. For more information, please follow other related articles on the PHP Chinese website!