
PHP string functions: secure your data in PHP

In this post we describe some important string functions in PHP. They matter for securing data in PHP: nothing should be lost from the input and nothing extra should be added to it. The functions are get_magic_quotes_gpc(), addslashes(), addcslashes(), stripslashes(), stripcslashes(), explode(), implode(), trim() and mysql_real_escape_string().


Functions are:

get_magic_quotes_gpc()
addslashes()
addcslashes()
stripslashes()
stripcslashes()
explode()
implode()
trim()
mysql_real_escape_string()


get_magic_quotes_gpc(): Gets the current configuration setting of magic_quotes_gpc. Returns 0 if magic quotes gpc is off, 1 otherwise.
addcslashes(): Adds a backslash in front of each of the characters you specify.
addslashes(): Adds a backslash in front of every single quote ('), double quote ("), backslash (\) and NUL byte it finds.
stripslashes(): Removes the backslashes added by the addslashes() function.
stripcslashes(): Removes the backslashes added by the addcslashes() function.
explode(): Breaks a string into an array.
implode(): Returns a string built from the elements of an array.
trim(): Removes whitespace and other predefined characters from both ends of a string.
htmlspecialchars(): Converts some predefined characters to HTML entities: & (ampersand) becomes &amp;, " (double quote) becomes &quot;, ' (single quote) becomes &#039; (with the ENT_QUOTES flag), < (less than) becomes &lt;, > (greater than) becomes &gt;.
htmlentities(): Converts all characters that have an HTML entity equivalent to HTML entities.
mysql_real_escape_string(): Escapes special characters in a string for use in an SQL statement.
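As an added example (not code from the original post), here is how the flags change what htmlspecialchars() escapes: the single-quote conversion listed above only happens with ENT_QUOTES, which matters when a value is written into a single-quoted HTML attribute. The encode_for_html() helper and the sample string are constructed for this illustration.

```php
<?php
// Added example: output encoding with htmlspecialchars().
// Before PHP 8.1 the default flags (ENT_COMPAT) leave the single quote
// unchanged, so a value dropped into value='...' is not fully encoded.
// ENT_QUOTES covers both quote styles on every PHP version.

function encode_for_html($value)
{
    // ENT_QUOTES: encode ' and ".  ENT_SUBSTITUTE: replace invalid UTF-8
    // instead of returning an empty string.  Always name the charset.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample containing every character the definition above lists.
$sample = "Tom & Jerry <b>\"quoted\"</b> 'single'";

echo htmlspecialchars($sample), "\n";   // default flags: ' survives on PHP < 8.1
echo encode_for_html($sample), "\n";    // ENT_QUOTES: ' is encoded as &#039;

// Encode once, at output time, exactly where the value lands in the HTML.
printf("<input name='q' value='%s'>\n", encode_for_html($sample));
?>
```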


get_magic_quotes_gpc()

If magic_quotes_gpc is turned off, incoming strings arrive as typed and you have to deal with special characters and backslashes yourself. If it is turned on, PHP automatically escapes the special characters (quotes and backslashes) in GET, POST and COOKIE data with a backslash. To see whether magic_quotes_gpc is on or off, check this code:
 <?php
  if (get_magic_quotes_gpc())
   echo "Magic quotes are enabled";
  else
   echo "Magic quotes are disabled";
 ?>
 
get_magic_quotes_gpc() returns 0 when the setting is off and 1 when it is on. This example shows the difference:
 // if get_magic_quotes_gpc() is on, the escaped string
 Sandy said, \"It\'s a beautiful day outside and I like to use \\\'s.\"
 // comes out, after stripslashes(), as
 output : Sandy said, "It's a beautiful day outside and I like to use \'s."

 // if get_magic_quotes_gpc() is off, the same string is left exactly as it is
 Sandy said, \"It\'s a beautiful day outside and I like to use \\\'s.\"
 output : Sandy said, \"It\'s a beautiful day outside and I like to use \\\'s.\"
 
The slashes can be removed manually: strip them only when magic quotes is on, and otherwise use the string as it is.
 <?php
  $str = "Sandy said, \"It\'s a beautiful day outside and I like to use \\\'s.\"";
  // Remove the slashes only if PHP added them
  if (get_magic_quotes_gpc())
   echo stripslashes($str);
  else
   echo $str;
 ?>

 output : Sandy said, "It's a beautiful day outside and I like to use \'s."
 
To change the setting, edit the magic_quotes_gpc directive in php.ini (it cannot be changed at runtime with ini_set()):
 magic_quotes_gpc = Off
 /*change it to*/
 magic_quotes_gpc = On
Note that magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP the setting is always off.
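As an added example that is not part of the original post, a helper that undoes whatever magic_quotes_gpc did to the request data, so the rest of the application always sees the raw input. It assumes PHP 5.3 or older, where the setting can still be on; on later versions the guard leaves the data untouched. The helper names and the sample array are constructed for this illustration.

```php
<?php
// Added example: normalise GET/POST/COOKIE data regardless of magic_quotes_gpc.

/**
 * Recursively remove the backslashes that magic_quotes_gpc added.
 * Handles nested input such as $_POST['address']['street'].
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Strip only when PHP actually escaped the data. Stripping unconditionally
// would corrupt legitimate backslashes that a user typed.
function magic_quotes_active()
{
    // function_exists() guards PHP 8, where get_magic_quotes_gpc() is gone.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

if (magic_quotes_active()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed sample: what the helper does to already-escaped input.
$escaped = array(
    'name'    => "O\\'Brien",                        // the literal O\'Brien
    'address' => array('street' => "1 \\\"Main\\\" St"), // the literal 1 \"Main\" St
);
print_r(undo_magic_quotes($escaped));
?>
```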
 

addcslashes()

The addcslashes() function returns a string with backslashes in front of the specified characters.
//syntax
addcslashes(string, characters)
string: Required. The string to escape. characters: Required. The characters, or range of characters, that addcslashes() should put a backslash in front of.
<?php
 $str = "Bangladesh is a wonderful country.";
 echo $str."\n";
 echo addcslashes($str,'d')."\n";
 echo addcslashes($str,'a')."\n";
?> 

//output :
//Bangladesh is a wonderful country.
//Bangla\desh is a won\derful country.
//B\angl\adesh is \a wonderful country.
Be careful using addcslashes() on 0, r, n and t. In PHP, \0, \r, \n and \t are predefined escape sequences, and stripcslashes() additionally interprets the C escapes \a, \b, \f and \v, so escaping those letters and stripping them again does not give back the original text.

addslashes()

The addslashes() function returns a string with backslashes in front of predefined characters.
The predefined characters are: single quote ('), double quote ("), backslash (\), NULL
 //syntax
 addslashes(string)

string is the variable to be escaped.
<?php
 $str = "Jamal's has many toys";
 echo addslashes($str);
?>

//output:
//Jamal\'s has many toys
Data coming from POST, GET and COOKIE needs its special characters escaped before it is used. Whether PHP has already escaped it can be checked with get_magic_quotes_gpc().

stripcslashes()

The stripcslashes() function removes backslashes added by the addcslashes() function and interprets C-style escape sequences such as \n and \t.
 //syntax
 stripcslashes(string)

string is the variable to be unescaped.
<?php
 // single quotes keep the \d sequences as literal backslashes;
 // \a cannot be used here because stripcslashes() turns it into the C bell character (0x07)
 $str = 'Bangla\desh is a won\derful country.';
 echo stripcslashes($str);
?>

//output:
//Bangladesh is a wonderful country.

stripslashes()

The stripslashes() function removes backslashes added by the addslashes() function.
 //syntax
 stripslashes(string)

string is the variable to be unescaped.
<?php
 $str = "Jamal\'s has many toys";
 echo stripslashes($str);
?>

//output:
//Jamal's has many toys

explode()

The explode() function breaks a string into an array.
 //syntax
 explode(separator, string, limit)

separator (required) marks where the string is split; string (required) is the string to split. limit is optional and caps the number of array elements returned; the last element then holds the rest of the string.
<?php
 $str = "Hello world. It's a beautiful day.";
 print_r(explode(" ", $str));
?>
The output is an array holding the single words:
Array
(
    [0] => Hello
    [1] => world.
    [2] => It's
    [3] => a
    [4] => beautiful
    [5] => day.
)

implode()

The implode() function returns a string from the elements of an array.
 //syntax
 implode(separator, array)

separator is optional and is placed between the joined elements. array holds the values to join.
<?php
$arr = array('Hello','World!','Beautiful','Day!');
echo implode(" ",$arr);
?> 

//Output
//Hello World! Beautiful Day! 

trim()

The trim() function removes whitespaces and other predefined characters from both sides of a string.
 //Syntax
 trim(string, charlist)

string is the string to be trimmed.
charlist is optional and lists the characters to trim. The default list is: "\0" - NULL, "\t" - tab, "\n" - new line, "\x0B" - vertical tab, "\r" - carriage return, " " - ordinary white space.

<?php
 $str = " Hello        World! ";
 echo "Without trim: " . $str;
 echo "<br>";
 echo "With trim: " . trim($str);
?>

//output:
//Without trim:  Hello        World! 
//With trim: Hello        World!
Only the leading and trailing spaces are removed; the run of spaces inside the string is left alone.

mysql_real_escape_string()

Escapes special characters in a string for use in an SQL statement.
 //syntax
 mysql_real_escape_string(string, connection)

string is the string to escape. connection is the MySQL connection to use; it is optional, and the last connection opened with mysql_connect() is used when it is omitted. mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. This function must always (with few exceptions) be used to make data safe before sending a query to MySQL. It only protects values that are placed inside quotes in the query. The mysql extension it belongs to was deprecated in PHP 5.5 and removed in PHP 7.0; newer code uses mysqli or PDO instead.
<?php
$con = mysql_connect("localhost", "username", "password");
if (!$con) {
  die('Could not connect: ' . mysql_error());
}

$user = $_POST['user'];
$pwd  = $_POST['pass'];

// escape username and password for use in SQL
$user = mysql_real_escape_string($user, $con);
$pwd  = mysql_real_escape_string($pwd, $con);

// the escaped values must sit inside quotes for the escaping to help
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'";

// more code

mysql_close($con);
?>
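As an added example that is not part of the original post, the same login lookup written with a mysqli prepared statement, the replacement for the escape-and-concatenate approach above. Placeholder binding keeps the user-supplied values out of the SQL text entirely, so no escaping step is needed. It assumes a users table with user and password columns, a database named appdb, and the hypothetical connection details shown.

```php
<?php
// Added example: the login query from above using a mysqli prepared statement.

$db = new mysqli('localhost', 'username', 'password', 'appdb');
if ($db->connect_error) {
    die('Could not connect: ' . $db->connect_error);
}
// Tell the server which charset the client sends, so quoting rules match.
$db->set_charset('utf8mb4');

$user = isset($_POST['user']) ? $_POST['user'] : '';
$pwd  = isset($_POST['pass']) ? $_POST['pass'] : '';

// '?' placeholders replace the quoted string concatenation; the values are
// sent separately from the query text and cannot change its structure.
$stmt = $db->prepare('SELECT 1 FROM users WHERE user = ? AND password = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}
$stmt->bind_param('ss', $user, $pwd);   // both values bound as strings
$stmt->execute();
$stmt->store_result();

// Mirrors the original's plaintext comparison; real applications store a
// hash with password_hash() and check it with password_verify() instead.
if ($stmt->num_rows === 1) {
    echo 'Login ok';
} else {
    echo 'Login failed';
}

$stmt->close();
$db->close();
?>
```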
All of these functions are used to secure data in PHP.
