
What are the functions related to PHP security?

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article describes the functions related to PHP security in a concise and easy to understand way. I hope you get something from the detailed introduction.

PHP has many convenient functions that help you avoid attacks such as SQL injection and XSS. Let's take a look at the functions that can add security to your project. Note that this is only a list of commonly used functions and is not comprehensive, but I believe they will be very helpful to your project.

Security has always been an area of great concern in programming languages, and every mature language offers ways to ensure the security of a program. In modern web development we constantly have to handle user input, and there is a programming motto for that: never trust user input. So today we will introduce some of the most common ways to make your PHP code more secure.

PHP has a number of useful built-in functions that make it easy to protect your website against attacks such as SQL injection and XSS (cross-site scripting). Let's take a look at the security functions commonly used in PHP (note that this is not a complete list).

Functions related to PHP security

mysql_real_escape_string(string sqlQuery):

Escapes the special characters in a string that is to be used in an SQL statement, taking the current character set of the connection into account. A very useful function that effectively avoids SQL injection.

The following characters are converted: NUL (\x00), \n, \r, \, ', " and Control-Z (\x1a).

Running the value through this function before it is placed into the SQL statement kills many of these dangers in the cradle.

In more mature projects, however, it is now generally recommended to use a database abstraction layer such as PDO for all database operations. It represents a more advanced way of working with the database and is far better than the old mysql_* API in both security and read/write speed (the mysql_* functions were removed in PHP 7.0).
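To make the difference concrete, here is an added example (not code from the article) that runs the same lookup with string concatenation and with a PDO prepared statement. It uses an in-memory SQLite database so it runs without a MySQL server; the table, rows and the `$name` input are constructed.

```php
<?php
// Added example, not code from the article: the same lookup written with string
// concatenation and with a PDO prepared statement. It uses an in-memory SQLite
// database so it runs without a MySQL server; the table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('Adams')");

$name = "O'Brien"; // constructed user input that contains a single quote

// Unsafe: the quote inside $name becomes part of the SQL text. Here it only
// breaks the statement; other input could change what the query means.
try {
    $pdo->query("SELECT id FROM users WHERE name = '$name'");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// Old mysql_* style: escape the value first (mysql_real_escape_string is gone
// since PHP 7.0, so PDO::quote() stands in for it here). It works, but every
// single value has to be remembered.
$sql = "SELECT id FROM users WHERE name = " . $pdo->quote($name);
echo "quoted query found id ", $pdo->query($sql)->fetchColumn(), "\n";

// Preferred: a prepared statement sends the value separately from the SQL
// text, so the driver never parses it as SQL and no escaping call is needed.
$stmt = $pdo->prepare("SELECT id FROM users WHERE name = :name");
$stmt->execute([':name' => $name]);
echo "prepared query found id ", $stmt->fetchColumn(), "\n";
```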

addslashes():

This function is useful when inserting data into a database: it puts a backslash before each single quote (and also before double quotes, backslashes and NUL bytes) so that the data is inserted without errors. How it should be used, however, depends on the magic_quotes_gpc setting in php.ini. (magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP versions only the =off case below applies.)

1. When PHP has magic_quotes_gpc=on, we do not need to run addslashes() on the input or stripslashes() on the output of database string data; the data is stored and displayed correctly as it is.

If you do run addslashes() on the input in this case, you must use stripslashes() when outputting to remove the extra backslashes.

2. When PHP has magic_quotes_gpc=off

You must use addslashes() on the input data, but you do not need stripslashes() to format the output, because addslashes() does not cause the backslash to be written into the database; it only helps MySQL parse the SQL statement correctly.

[stripslashes(): removes the backslashes added by addslashes().]
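The two cases above in working code, as an added example that is not from the article: it shows what addslashes() produces, why escaping data that magic_quotes_gpc already escaped doubles the backslashes, and a hypothetical `raw_input()` helper that returns the raw value under either setting. The `$raw` input is constructed.

```php
<?php
// Added example, not code from the article: what addslashes() produces, why
// applying it to data that magic_quotes_gpc already escaped doubles the
// backslashes, and a helper that returns the raw value under either setting.
// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0,
// so the helper checks that the function exists before calling it.

$raw = "O'Brien";            // constructed user input

// magic_quotes_gpc=off: the application escapes the value once before the query.
$once = addslashes($raw);    // O\'Brien   (MySQL stores O'Brien)

// magic_quotes_gpc=on: PHP has already produced O\'Brien; escaping it again
// escapes the backslash as well as the quote.
$twice = addslashes($once);  // O\\\'Brien (MySQL stores O\'Brien, which is wrong)

// Undoing it: stripslashes() removes exactly one level of escaping.
var_dump(stripslashes($once) === $raw);   // bool(true)
var_dump(stripslashes($twice) === $once); // bool(true), still one level too many

// Normalise input so the rest of the code never has to care about the setting.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);   // PHP escaped it for us; undo that
    }
    return $value;                     // already raw
}

echo addslashes(raw_input($raw)), "\n"; // O\'Brien on any PHP version
```

With PDO prepared statements none of this escaping is needed, since the value never becomes part of the SQL text.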

htmlentities():

A very useful function for processing output. It converts characters that could lead to XSS attacks into HTML entities. The browser displays them normally, but in the page source these special characters are not what they appear to be. For example (with the default flags of older PHP versions; since PHP 8.1 the single quotes are encoded too, as &#039;):

Output: John & 'Adams'

Source code: John &amp; 'Adams'

Output: <

Source code: &lt;

Output: >

Source code: &gt;

Encoding these symbols effectively avoids XSS attacks.

htmlspecialchars():

Works like the function above, but is more commonly used, because htmlentities() converts every character that has an entity in the HTML standard into its corresponding entity, which makes your output hard to read (HTML entity list: http://www.w3school.com.cn/tags/html_ref_entities.html). htmlspecialchars() converts only a few predefined characters (the ones that actually cause problems) into HTML entities:

& (ampersand) becomes &amp;

" (double quotation mark) becomes &quot;

' (single quotation mark) becomes &#039; (only when ENT_QUOTES is set)

< (less than) becomes &lt;

> (greater than) becomes &gt;

So in my projects I usually use htmlspecialchars() to handle HTML output. It is more targeted in terms of security.

strip_tags(): generally used on output; strips HTML, XML and PHP tags.

Function prototype: strip_tags(string, allow)

string is the input string and allow lists the tags that are not removed, so you can control which tags are filtered through allow.
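The three output functions above, as an added example that is not from the article: htmlentities() and htmlspecialchars() applied to the same string, a hypothetical `e()` helper for templates, and the attribute caveat from the PHP manual that makes strip_tags() unsuitable as an XSS filter. The sample strings are constructed.

```php
<?php
// Added example, not code from the article: htmlentities() and
// htmlspecialchars() applied to the same string, a small e() helper for
// templates, and the attribute caveat that makes strip_tags() unsuitable as an
// XSS filter. The helper name e() and the sample strings are constructed.

$s = "Café & <b>\"bold\"</b> Tom's";

// htmlentities() encodes every character that has a named entity, é included.
echo htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
// Caf&eacute; &amp; &lt;b&gt;&quot;bold&quot;&lt;/b&gt; Tom&#039;s

// htmlspecialchars() only touches & < > " ' so the é stays readable in the source.
echo htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
// Café &amp; &lt;b&gt;&quot;bold&quot;&lt;/b&gt; Tom&#039;s

// Without ENT_QUOTES the single quote is left alone, so a value placed inside
// a single-quoted attribute could end that attribute early. Always pass it.
echo htmlspecialchars("Tom's", ENT_COMPAT, 'UTF-8'), "\n";   // Tom's
echo htmlspecialchars("Tom's", ENT_QUOTES, 'UTF-8'), "\n";   // Tom&#039;s

// One helper, used for every untrusted value that lands in HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo "<input name='who' value='", e("Tom's"), "'>\n";

// strip_tags() removes tags but keeps every attribute on the tags you allow,
// so an allow list does not neutralise attributes (style, event handlers, href)
// on an allowed tag. Escape untrusted output with e() instead.
$html = '<p style="color:red">Hi <a href="/x" title="t">there</a></p>';
echo strip_tags($html), "\n";          // Hi there
echo strip_tags($html, '<a>'), "\n";   // Hi <a href="/x" title="t">there</a>
```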

md5():

A one-way function that turns a string into a 32-character hexadecimal hash (128 bits); any string produces a fixed-length digest that cannot be reversed. Be aware, however, that there are databases that record huge numbers of md5 values, and passwords are cracked by brute-force enumeration against them. So when you use it, first add a layer of secret (a salt) to the original string and then hash it with md5(); this gives much better results.

sha1():

Similar to md5(), but it uses a different algorithm and produces a 40-character string. You can consider using the
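The "add a secret, then hash" idea from the two sections above in working code, as an added example that is not from the article, together with the password_hash() / password_verify() API that PHP has shipped since 5.5 for password storage (the article does not mention it). The password and secret are constructed values.

```php
<?php
// Added example, not code from the article: the "add a secret, then hash" idea
// from the text, and the password_hash() / password_verify() API that PHP has
// shipped since 5.5 for password storage (the article does not mention it).
// The password and secret are constructed values.

$password = 'correct horse battery';
$secret   = 'per-site-secret-from-config';   // placeholder; keep it out of the DB

// Plain md5: every copy of the same password hashes to the same 32 hex chars,
// so a precomputed table of common passwords finds it immediately.
echo md5($password), "\n";

// With a secret mixed in, those precomputed tables no longer apply.
echo md5($password . $secret), "\n";    // 32 hex characters
echo sha1($password . $secret), "\n";   // 40 hex characters

// Preferred for passwords: a random salt per user and a deliberately slow
// algorithm (bcrypt with PASSWORD_DEFAULT), stored in one self-describing string.
$stored = password_hash($password, PASSWORD_DEFAULT);
echo $stored, "\n";                                   // $2y$10$...
var_dump(password_verify($password, $stored));        // bool(true)
var_dump(password_verify('wrong password', $stored)); // bool(false)

// If you compare hex digests yourself, use a constant-time comparison.
$expected = md5($password . $secret);
var_dump(hash_equals($expected, md5('wrong password' . $secret))); // bool(false)
```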

intval():

You may not think of this as a security function, but in some cases it protects your code well. Data collected from users, such as an ID, password or username, can be processed with it to eliminate some security risks; after all, user input is the hardest-hit area.
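As an added example (not from the article), narrowing a user-supplied id with intval() before it reaches a query, alongside the stricter check filter_var() gives when "almost a number" should be rejected rather than truncated. The inputs and the SQLite table are constructed.

```php
<?php
// Added example, not code from the article: narrowing a user-supplied id to an
// integer with intval() before it reaches a query, plus the stricter check
// filter_var() gives when "almost a number" should be rejected. Inputs are constructed.

$inputs = ['42', '42abc', 'abc', '-7', '0'];

foreach ($inputs as $in) {
    // intval() takes the leading digits and silently drops the rest:
    // '42abc' -> 42, 'abc' -> 0, '-7' -> -7
    $loose = intval($in);
    // FILTER_VALIDATE_INT returns false unless the whole string is an integer
    // inside the given range; here ids must be positive.
    $strict = filter_var($in, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    printf("%-8s intval=%-3d validate=%s\n", var_export($in, true), $loose,
           $strict === false ? 'rejected' : $strict);
}

// Whatever is accepted is then bound as an integer, never concatenated.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO items VALUES (42, 'widget')");
$stmt = $pdo->prepare("SELECT name FROM items WHERE id = :id");
$stmt->bindValue(':id', intval('42abc'), PDO::PARAM_INT);
$stmt->execute();
echo $stmt->fetchColumn(), "\n";   // widget
```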

What are the functions related to PHP security? Have you learned some new knowledge or skills? If you want to learn more or enrich your knowledge, you are welcome to follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
