
PHP input filtering: an analysis of htmlentities and htmlspecialchars usage

This article describes, by example, how to filter input in PHP with htmlentities and htmlspecialchars. It is shared for reference, as follows:

Filtering input (that is, any data coming from the data sources listed) means escaping or removing unsafe characters. Input data must be filtered before it reaches the application's storage layer; this is the first line of defense. If a website's comment form accepts HTML, then by default a visitor can add a malicious <script> tag to a comment without any hindrance, as shown below:

<p>
  My test
</p>
<script>alert(123)</script>

In the above example, if the comment is not filtered, the malicious code is stored in the database and later rendered in the website's markup.

HTML

We can use the function htmlentities or htmlspecialchars to filter HTML; both convert special characters to their corresponding HTML entities.

htmlentities converts every character that has a corresponding HTML entity, such as currency symbols (euro, pound sterling), the copyright symbol and so on, whereas htmlspecialchars escapes only a handful of special characters: & " ' < >

Rather unhelpfully, by default the function does not escape single quotes:

<?php
$str = '<a href="test.html" rel="external nofollow" >\'Test Page\'</a><script>alert(213)</script>';
echo $str;                   // raw output, nothing escaped
echo "<hr/>".PHP_EOL;
echo htmlentities($str);     // & < > " are escaped, the single quotes are left as-is
echo "<hr/>".PHP_EOL;
echo htmlspecialchars($str); // same here: no escaping of single quotes

To escape them you must pass the ENT_QUOTES flag as the second parameter; for details, see the PHP manual.

// continuing the script above, $str is unchanged
echo htmlentities($str, ENT_QUOTES, 'UTF-8');     // single quotes are also escaped (as &#039;)
echo "<hr/>".PHP_EOL;
echo htmlspecialchars($str, ENT_QUOTES, 'UTF-8'); // single quotes are also escaped
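The following is an added example, not code from the original article and not part of PHP itself. It shows why the ENT_QUOTES flag matters once user-supplied text ends up inside a single-quoted HTML attribute, and what the ENT_SUBSTITUTE flag does for invalid UTF-8 input. The helper names escapeCompat and escapeQuotes, the sample name and the sample byte string are assumptions made for this example.

```php
<?php
// Added example (not from the original article, not PHP's own code): it shows
// why the ENT_QUOTES flag matters once user text is placed inside an HTML
// attribute. Flags are passed explicitly so that the behaviour does not depend
// on the PHP version (PHP 8.1 changed the default flags).

// Constructed sample input: a display name typed into a comment form.
$name = "O'Brien <script>alert(123)</script>";

// Without ENT_QUOTES: & < > and the double quote are converted to entities,
// but the single quote is passed through untouched.
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// With ENT_QUOTES: the single quote is converted as well (to &#039;), so the
// result is safe both as element text and inside a single-quoted attribute.
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
// returning an empty string, which would silently blank the whole value.
function escapeQuotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo escapeCompat($name), PHP_EOL;   // the apostrophe survives
echo escapeQuotes($name), PHP_EOL;   // the apostrophe becomes &#039;

// The same value dropped into a single-quoted attribute. Only the ENT_QUOTES
// version keeps the attribute value contained between its delimiters.
printf("<a title='%s'>profile</a>%s", escapeCompat($name), PHP_EOL);
printf("<a title='%s'>profile</a>%s", escapeQuotes($name), PHP_EOL);

// Constructed sample: the byte 0xE9 is not valid UTF-8. Without ENT_SUBSTITUTE
// htmlspecialchars returns an empty string; with it the byte becomes U+FFFD.
$broken = "caf\xE9";
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'));
var_dump(escapeQuotes($broken));
```

Passing the flags and the charset explicitly is the practical takeaway: since PHP 8.1 the default flags already include ENT_QUOTES and ENT_SUBSTITUTE, but on older versions they do not, so code that relies on the defaults behaves differently depending on where it is deployed.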

The examples so far do not show any difference between htmlentities and htmlspecialchars. Let's use a character that has a named entity, such as the euro sign: htmlentities will escape it, while htmlspecialchars will not.

<?php
echo htmlentities('€ <>"').PHP_EOL;     // € becomes &euro;, and < > " are escaped as well
echo "<hr/>".PHP_EOL;
echo htmlspecialchars('€ <>"').PHP_EOL; // € is left unchanged; only < > " are escaped

Conclusion: for an ordinary form you can simply remove HTML tags with strip_tags. If a rich-text editor is involved and HTML tags need to be retained, you can use htmlspecialchars to filter the submitted data.
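As an added example that is not part of the original article (and not PHP's own code), here is how the two cases from the conclusion apply to the comment shown at the start of the article. The helper names cleanPlain, cleanRich and renderPlain, the allowed-tag list and the class attribute in the sample comment are assumptions made for this example.

```php
<?php
// Added example (not from the original article, not PHP's own code): applying
// the two cases from the conclusion to a submitted comment. Helper names and
// the allowed-tag list are assumptions made for this example.

// Constructed sample input: the comment from the article, with an attribute
// added to show what strip_tags does and does not remove.
$comment = "<p class=\"note\">\n  My test\n</p>\n<script>alert(123)</script>";

// Case 1: ordinary form field, no HTML wanted. strip_tags removes the tags
// themselves but keeps the text between them, so "alert(123)" remains as
// plain text and is rendered as text, not executed.
function cleanPlain(string $s): string
{
    return trim(strip_tags($s));
}

// Case 2: rich-text field where <p>, <b> and <i> must survive. The <script>
// element's tags are dropped because they are not in the allowed list.
// Caveat documented in the PHP manual: strip_tags leaves the attributes of
// allowed tags untouched (class="note" stays), so an allowed-tag list alone
// does not sanitize attributes; that needs a real HTML sanitizer.
function cleanRich(string $s): string
{
    return strip_tags($s, '<p><b><i>');
}

// Rendering the plain-text variant: escape on output so any leftover
// characters such as < or & cannot be interpreted as markup.
function renderPlain(string $s): string
{
    return '<div class="comment">'
        . htmlspecialchars(cleanPlain($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

echo cleanPlain($comment), PHP_EOL;
echo cleanRich($comment), PHP_EOL;
echo renderPlain($comment), PHP_EOL;
```

The point of renderPlain is that stripping tags on the way in and escaping on the way out are complementary: strip_tags decides what markup is kept, while htmlspecialchars makes sure that whatever text remains is displayed literally.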


I hope the content of this article is helpful to everyone's PHP programming.
