PHP string escaping related functions

Summary of functions related to PHP character escaping. Sometimes for safety reasons, we need to escape the string entered by the user.

There are incorrect or unclear things in the article. Please point it out. ~~~

The configurations and functions related to PHP string escaping are as follows:
1.magic_quotes_runtime
2.magic_quotes_gpc
3.addslashes() and stripslashes()
4.mysql_escape_string()
5.addcslashes() and stripcslashes()
6.htmlentities() and html_entity_decode()
7.htmlspecialchars() and htmlspecialchars_decode()

When magic_quotes_runtime is turned on, most functions of PHP automatically add backslashes to overflow characters in data imported from outside (including databases or files).
You can use set_magic_quotes_runtime() and get_magic_quotes_runtime()‍ to set and detect its status.
Note: These two functions have been deprecated in PHP 5.3.0 or above, which means that this option is turned off in PHP 5.3.0 or above.
‍
magic_quotes_gpc sets whether to automatically escape certain characters in the data transmitted by GPC (GET, POST, COOKIE).
You can use get_magic_quotes_gpc() to detect its setting. .
If this setting is not turned on, you can use the addslashes() function to add to the string to escape

addslashes()‍ Add a backslash before the specified predefined character.
Predefined characters include single quotation mark ('), double quotation mark ("), backslash (\) and NUL (NULL character).
The above is the explanation given by W3SCHOOL.COM.CN that I always intuitively understand Not very accurate
Because it converts single quotes (') into double quotes (") when magic_quotes_sybase=on and converts single quotes (') into (\') when magic_quotes_sybase=off
stripslashes() The function of the function is exactly the opposite of addslashes()‍. Its function is to remove the escaping effect.

mysql_escape_string() Escapes special characters in strings used in SQL statements. ‍
The special ones here include (\x00), ( \n), ( \r ), (\), ( '), ("), ( \x1a)

addcslashes()‍ The C language style uses backslash to escape characters in a string. This function is rarely used by people, but it should be noted that when choosing to convert characters 0, a, b, f, n, r, t and v When defined, they will be converted to \0, \a, \b, \f, \n, \r, \t and \v. In PHP, only \0 (NULL), \r (carriage return). , \n (newline character) and \t (tab character) are predefined escape sequences, and in C language, all the above converted characters are predefined escape sequences. The same is true for stripcslashes(). The function is to remove its escape.

htmlentities() Convert characters into HTML entities. (What are HTML entities? Google it yourself~~)
Please see here for the inverse function html_entity_decode. () -‍Convert HTML entities to characters. The

htmlspecialchars() function converts some predefined characters into HTML entities.
These predefined characters are:
& (ampersands). become &
" (double quote) become "
' (single quote) become '
6398e299e30d3c5be4a52392b299b777 (greater than) become >
‍Detailed parameters Please see here. The inverse function is htmlspecialchars_decode() to convert some predefined HTML entities into characters.

My own experience:
>>Multiple single quote escapes may cause database problems. Security issues
>> It is not recommended to use mysql_escape_string for escaping. It is recommended to escape when obtaining user input
>> Since set_magic_quotes_runtime()‍ has been abandoned in PHP5.3.0 and later versions , so it is recommended to turn off the unified configuration in previous versions:
The code is as follows:

if(phpversion() < '5.3.0') { 
set_magic_quotes_runtime(0); 
}

‍>> Magic_quotes_gpc cannot be defined through a function, so it is recommended to unify it on the server Enable, you should make a judgment when writing a program to avoid security issues caused by not opening GPC
When escaping GPC through addslashes, you should pay attention to filtering key values ​​and values ​​when the user submits array data

code show as below:

if(!get_magic_quotes_gpc()) { 
$_GET = daddslashes($_GET); 
$_POST = daddslashes($_POST); 
$_COOKIE = daddslashes($_COOKIE); 
$_FILES = daddslashes($_FILES); 
} 
function daddslashes($string, $force = 1) { 
if(is_array($string)) { 
foreach($string as $key => $val) { 
unset($string[$key]); 
$string[addslashes($key)] = daddslashes($val, $force); 
} 
} else { 
$string = addslashes($string); 
} 
return $string; 
}

‍>> 利用在用户输入或输出时候转义HTML实体以防止XSS漏洞的产生！

今天碰到一个处理文件特殊字符的事情，再次注意到这个问题，在php中：

* 以单引号为定界符的php字符串，支持两个转义\'和\\
* 以双引号为定界符的php字符串，支持下列转义：
    \n 换行（LF 或 ASCII 字符 0x0A（10）） 
    \r 回车（CR 或 ASCII 字符 0x0D（13）） 
    \t 水平制表符（HT 或 ASCII 字符 0x09（9）） 
    \\ 反斜线 
    \$ 美元符号 
    \" 双引号 
    \[0-7]{1,3}               此正则表达式序列匹配一个用八进制符号表示的字符  
    \x[0-9A-Fa-f]{1,2}  此正则表达式序列匹配一个用十六进制符号表示的字符  

举几个例子:

一个包含\0特殊字符的例子：

$str = "ffff\0ffff"; 
echo(strlen($str)); 
echo("\n"); 
for($i=0;$i
输出结果： 
---------------------- 

9 
        102     102     102     102     0       102     102     102     102 

替换特殊字符的例子 
$str = "ffff\0ffff"; 
$str = str_replace("\x0", "", $str);   
//或者用$str = str_replace("\0", "", $str);  
//或者用$str = str_replace(chr(0), "", $str);  
echo(strlen($str)); 
echo("\n"); 
for($i=0;$i
---------------------- 
8 
        102     102     102     102     102     102     102     102 

八进制ascii码例子： 
//注意，符合正则\[0-7]{1,3}的字符串，表示一个八进制的ascii码。 
$str = "\0\01\02\3\7\10\011\08\8";  //这里的\8不符合要求，被修正为"\\8" （ascii为92和56） 
echo(strlen($str)); 
echo("\n"); 
for($i=0;$i
输出结果： 
---------------------- 
11 
        0       1       2       3       7       8       9       0       56      92      56 

十六进制ascii码例子： 
$str = "\x0\x1\x2\x3\x7\x8\x9\x10\x11\xff"; 
echo(strlen($str)); 
echo("\n"); 
for($i=0;$i
输出结果： 
---------------------- 
10 
        0       1       2       3       7       8       9       16      17      255 
The above is the detailed content of PHP string escaping related functions. For more information, please follow other related articles on the PHP Chinese website!