addslashes() against SQL injection:
It is defined as follows:
The addslashes() function returns a string with a backslash added before each predefined character.
The predefined characters are:
- single quote (')
- double quote (")
- backslash (\)
- NUL
Tip: This function can be used to prepare a string for storage in a database and for use in a database query string.
Usage is as follows:
<?php
$str = "Who's Peter Griffin?";
echo $str . " This is not safe in a database query.<br>";
echo addslashes($str) . " This is safe in a database query.";
?>
// Output:
Who's Peter Griffin? This is not safe in a database query.
Who\'s Peter Griffin? This is safe in a database query.
htmlspecialchars() against XSS:
It is defined as follows:
The htmlspecialchars() function converts predefined characters into HTML entities.
The predefined characters are:
- & (ampersand) becomes &amp;
- " (double quote) becomes &quot; (unless ENT_NOQUOTES is set)
- ' (single quote) becomes &#039; (only when ENT_QUOTES is set)
- < (less than) becomes &lt;
- > (greater than) becomes &gt;
Tip: To convert the special HTML entities back into characters, use the htmlspecialchars_decode() function.
Usage is as follows:
<?php
$str = "Bill & 'Steve'";
echo htmlspecialchars($str, ENT_COMPAT);   // only converts double quotes
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES);   // converts both double and single quotes
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // does not convert any quotes
?>
// Output (HTML source; a browser renders each line as: Bill & 'Steve')
Bill &amp; 'Steve'
Bill &amp; &#039;Steve&#039;
Bill &amp; 'Steve'
The difference between addslashes() and htmlspecialchars():
Besides escaping different characters, the two functions are used at different points.
addslashes() escapes the single quotes, double quotes, backslashes and NUL bytes in parameters received via GET, POST and cookies before the SQL statement is executed, so that the statement cannot be altered by injection.
But once the SQL has executed successfully, the data stored in the database no longer carries the escape character \. So if a JS script was inserted into the database, it will still be executed when that data is read out and displayed.
This is why the data read back out is filtered with htmlspecialchars(), to prevent the injected script from executing.
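The two layers described above, as an added example that is not code from the original article: the comments table, the buildInsertSql() and renderComment() helpers and the sample inputs are all assumptions made for the illustration. It assumes a MySQL-style database, where backslash escapes in a quoted literal are interpreted and the stored row contains the original text.

```php
<?php
// Added example (not from the original article). It shows the two escaping layers the
// article describes: addslashes() for a value placed inside a quoted SQL literal, and
// htmlspecialchars() for the same value when it is read back and written into HTML.
// Prepared statements (PDO or mysqli) avoid this string building entirely; it is shown
// here only to match the article.

// Build the INSERT statement the way the article describes: escape ' " \ and NUL, then
// wrap the value in single quotes. MySQL interprets the backslash escapes, so the row it
// stores contains the original, unescaped text. (Table name "comments" is an assumption.)
function buildInsertSql(string $comment): string
{
    return "INSERT INTO comments (body) VALUES ('" . addslashes($comment) . "')";
}

// Render a stored comment for an HTML page. ENT_QUOTES converts both quote styles, so
// the value is safe inside quoted attributes as well as in element text.
function renderComment(string $storedBody): string
{
    return '<p>' . htmlspecialchars($storedBody, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample inputs: an apostrophe that would end the SQL literal early, and a
// script tag that addslashes() leaves intact because < and > are not among its characters.
$inputs = [
    "Who's Peter Griffin?",
    "<script>alert('xss')</script>",
];

foreach ($inputs as $input) {
    // The statement as it would be sent to the database.
    echo buildInsertSql($input), "\n";
    // What the database stores is $input itself (no backslashes), so that is what a
    // later SELECT returns and what must be escaped for HTML output.
    echo renderComment($input), "\n";
}
```

The first input shows the SQL layer (addslashes() turns the apostrophe into \') while the second shows that only the HTML layer neutralises the script tag.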
Reference article: