Invalid character filtering

This article focuses on the PHP functions for filtering invalid characters. The ASP functions for filtering invalid characters are not covered, but the idea is the same.

1) Filter the characters that affect the normal operation of MySQL.
When user input that may contain single quotation marks, double quotation marks, backslashes or NUL bytes has to be placed into a MySQL statement for execution, set magic_quotes_gpc to On in the PHP configuration under Apache.
If that setting is Off, the PHP function addslashes() serves the same purpose. The two methods must not be combined, however: otherwise the escaping is applied twice and errors result.
Example:
PHP code
<?php
// Only call addslashes() when magic_quotes_gpc is off, so the input is never escaped twice
if (get_magic_quotes_gpc()) {
    $content = $_POST["content"];
} else {
    $content = addslashes($_POST["content"]);
}
?>
Of course, if magic_quotes_gpc is On under Apache but you sometimes do not want a special character escaped, you can use stripslashes() to remove the backslashes again.
2) Filter the characters that affect the normal operation of MSSQL.
When user input that may contain single quotes has to be placed into an MSSQL statement for execution, set magic_quotes_sybase to On in the PHP configuration under Apache. In this case magic_quotes_gpc has no effect.
If that setting is Off, PHP has no dedicated function for the purpose; you can only use a string replacement function instead.
Example:
PHP code
<?php
// MSSQL escapes a single quote by doubling it
$content = str_replace("'", "''", $_POST["content"]);
?>
Currently, the PHP installation on 10.218.17.53 needs to access both MySQL and MSSQL. The Apache configuration cannot accommodate both types of database at once, so it is set up for MySQL only.
2. Precautions when building SQL statements.
The following two ways of writing SQL are both common, but their security level differs. When a user submits $id = '1 and 1=2 union select ...', the first form will show data that should not be displayed, while the second form is relatively safer.
SQL code
SELECT * FROM article WHERE articleid = $id
SELECT * FROM article WHERE articleid = '$id'
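The two passages above (never escaping twice, and the unquoted versus quoted id) can be tried out without a MySQL server. The following is an added example written for this article, not code from the original page; it assumes PDO with the pdo_sqlite driver, and the tables, rows and the test input are constructed for the demonstration. It goes one step beyond the article's quoted form by binding the id with a prepared statement, which removes the need for escaping altogether.

```php
<?php
// Added example, not code from the original article. Assumes PDO with the
// pdo_sqlite driver; the tables, rows and test input below are constructed.

// Undo magic_quotes_gpc when it is on, so that escaping is never applied twice.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists check.
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// The article's first form: the id is interpolated straight into the SQL text.
function find_article_unsafe(PDO $db, $id)
{
    $sql = "SELECT articleid, title FROM article WHERE articleid = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the id is sent as a bound integer, never as SQL text.
function find_article_safe(PDO $db, $id)
{
    $stmt = $db->prepare("SELECT articleid, title FROM article WHERE articleid = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory schema standing in for the article's "article" table,
// plus a second table holding data that must never reach the page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE article (articleid INTEGER, title TEXT)");
$db->exec("CREATE TABLE member (memberid INTEGER, login TEXT)");
$db->exec("INSERT INTO article VALUES (1, 'First post'), (2, 'Second post')");
$db->exec("INSERT INTO member VALUES (7, 'admin')");

// Constructed input in the shape the article warns about: '1 and 1=2 union select ...'
$id = raw_input("1 and 1=2 union select memberid, login from member");

// In the unsafe query the union runs as SQL; in the safe query the (int) cast
// reduces the whole string to 1 and only that article can be selected.
print_r(find_article_unsafe($db, $id));
print_r(find_article_safe($db, $id));
```

Running it, the first print_r() shows the member row under the article column names, which is exactly the "data that should not be displayed"; the second shows only article 1. For a textual column the same prepared statement with PDO::PARAM_STR gives the same protection, because the bound value is never parsed as part of the statement.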
3. Prevent HTML tags or JavaScript from interfering with normal page display.
You can use htmlspecialchars() to convert the characters &, ", < and >.
PHP code
$content = htmlspecialchars($content);
4. When the content to be displayed contains line breaks, you can use nl2br() to reproduce the line breaks on the page.
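Points 3 and 4 are normally applied together, and the order matters. The following is an added example, not code from the original article; the helper names render_text() and render_text_wrong_order() and the sample input are assumptions made for this illustration.

```php
<?php
// Added example, not code from the original article. The helper names and the
// sample input are assumptions made for this illustration.

// Escape for HTML first, then convert newlines. ENT_QUOTES also escapes the
// single quote, which htmlspecialchars() leaves alone by default, so the result
// is safe inside attribute values as well; the charset must match the page's.
function render_text($content)
{
    $escaped = htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($escaped);
}

// Reversed order, shown for comparison: the <br /> tags that nl2br() inserted
// are escaped too, so they appear as literal text and the line breaks are lost.
function render_text_wrong_order($content)
{
    return htmlspecialchars(nl2br($content), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: user content carrying markup, script and a quote that
// would break out of an attribute value if it were echoed unescaped.
$sample = "Hello <b>world</b>\n<script>alert('x')</script>\nline \"three\"";

echo render_text($sample), "\n";
echo render_text_wrong_order($sample), "\n";
```

In the first output the tags and the script survive only as text (&lt;script&gt; ...), while each newline has become a real <br /> element; in the second output the escaped &lt;br /&gt; shows on the page instead of breaking the line.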
Method 1.
<?php
function chkstr($paravalue, $paratype) // filter invalid characters
{
    $inputstr = $paravalue; // unchanged when $paratype is neither 1 nor 2
    if ($paratype == 1) {
        // double single quotes (MSSQL style)
        $inputstr = str_replace("'", "''", $paravalue);
    } elseif ($paratype == 2) {
        // remove single quotes entirely
        $inputstr = str_replace("'", "", $paravalue);
    }
    return $inputstr;
}

$user1 = chkstr($_GET["user"], 1);
$user2 = chkstr($_GET["user"], 2);
// $user = $_GET["user"];
print "method 1 -----------------\n";
print "$user1\n";
print "method 2 -----------------\n";
print "$user2\n";
?>
Method 2.
<?php
// Usage: qstr($str, get_magic_quotes_gpc())
function qstr($string, $magic_quotes = false, $tag = false)
{
    $tag_str = '';
    if ($tag) $tag_str = "'"; // optionally wrap the result in single quotes
    if (!$magic_quotes) {
        if (strnatcmp(PHP_VERSION, '4.3.0') >= 0) {
            return $tag_str . mysql_real_escape_string($string) . $tag_str;
        }
        // older PHP: escape NUL, backslash and single quote by hand
        $string = str_replace("'", "\\'", str_replace('\\', '\\\\', str_replace("\0", "\\\0", $string)));
        return $tag_str . $string . $tag_str;
    }
    // magic_quotes already escaped the input; only the escaped double quotes are undone
    return $tag_str . str_replace('\\"', '"', $string) . $tag_str;
}
?>