PHP Anti-injection function code Summary

Source: Internet
Author: User

To block SQL injection, the snippet below checks every GET and POST value against a list of forbidden characters and keywords and stops the request as soon as one matches. Treat it as a historical example: a keyword blacklist rejects ordinary input that happens to contain "or" or "and" (Oregon, Sandra), misses anything that is not on the list, and never looks at cookies or headers. The reliable defense is a parameterized query; a filter like this is at most a second layer in front of it.

PHP Anti-injection function

The code is as follows:

<?php
// Illegal characters and keywords to filter
$ArrFiltrate = array("'", ";", "union", "select", "delete", "or", "and", "=");
// URL to redirect to after an error; if left empty, the browser goes back to the previous page
$StrGoUrl = "";

// Does any entry of $ArrFiltrate occur in $StrFiltrate (case-insensitively)?
// The original used eregi(), which was removed in PHP 7; the entries are literal strings,
// so a case-insensitive substring test does the same thing.
function FunStringExist($StrFiltrate, $ArrFiltrate) {
    foreach ($ArrFiltrate as $key => $value) {
        if (stripos($StrFiltrate, $value) !== false) {
            return true;
        }
    }
    return false;
}

// Merge $_POST and $_GET (the original read the long-removed $HTTP_POST_VARS / $HTTP_GET_VARS)
$ArrPostAndGet = array_merge($_POST, $_GET);

// Verification start
foreach ($ArrPostAndGet as $key => $value) {
    // Array parameters (a[]=1) would make stripos() fail; flatten them to one string first
    $value = is_array($value) ? implode(' ', $value) : (string) $value;
    if (FunStringExist($value, $ArrFiltrate)) {
        if (empty($StrGoUrl)) {
            echo "<script>history.go(-1);</script>";
        } else {
            echo "<script>window.location='" . $StrGoUrl . "';</script>";
        }
        exit;
    }
}
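The following is an added example, not code from the original page. It runs the keyword blacklist above beside a parameterized query against an in-memory SQLite database; the users table, its rows and every function name are constructed for the demonstration, and pdo_sqlite is assumed to be available. It shows both failure modes of the blacklist: a value with none of the forbidden tokens that still changes the query, and legitimate input that is rejected.

```php
<?php
// Added example (not from the original page): the keyword blacklist above beside a
// parameterised query. The users table, its rows and all function names are
// constructed for this demonstration; pdo_sqlite is assumed to be available.
declare(strict_types=1);

// The blacklist above, reduced to a predicate over one value.
function blacklist_rejects(string $value): bool
{
    foreach (["'", ";", "union", "select", "delete", "or", "and", "="] as $bad) {
        if (stripos($value, $bad) !== false) {
            return true;
        }
    }
    return false;
}

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')"); // constructed rows
    return $db;
}

// Vulnerable: the value passes the blacklist and is still pasted into the SQL text.
function find_user_filtered(PDO $db, string $id): array
{
    if (blacklist_rejects($id)) {
        return ['rejected'];
    }
    return $db->query("SELECT name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type, then bind. No user-controlled text reaches the SQL parser.
function find_user_bound(PDO $db, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return ['rejected'];
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();

// "1 IS NOT 2" contains none of the forbidden tokens, but "id = 1 IS NOT 2" parses in
// SQLite as "(id = 1) IS NOT 2", which is true for every row. On MySQL "1 || 1" does the
// same job (|| is OR unless PIPES_AS_CONCAT is set): the list knows "or", not its other spellings.
echo json_encode(find_user_filtered($db, '1 IS NOT 2')), "\n"; // every user comes back: filter bypassed
echo json_encode(find_user_bound($db, '1 IS NOT 2')), "\n";    // rejected before any SQL is built
echo json_encode(find_user_bound($db, '2')), "\n";             // exactly one user

// The other failure mode: legitimate input that happens to contain a keyword.
var_dump(blacklist_rejects('Oregon'));

// The blacklist above also only looks at $_GET and $_POST; a cookie or header value that
// ends up in a query is never checked.
```

The hardened lookup validates the type with filter_var() and then binds the value, so the query text is fixed before any request data is seen; that combination, not the keyword list, is what prevents the injection.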

Another example is similar to the one above; this is the method the Discuz (DZ) forum used. Two caveats: it relies on magic_quotes_gpc, which was removed in PHP 5.4 (get_magic_quotes_gpc() itself in PHP 8.0), and addslashes() knows nothing about the connection charset, so it is no substitute for the driver's own escaping or for bound parameters. The extract() calls also turn every cookie, POST and GET key into a PHP variable, so a request can overwrite variables the script has already set.

The code is as follows:

// get_magic_quotes_gpc() is gone in PHP 8; where it no longer exists, magic quotes are off
$magic_quotes_gpc = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if (!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}

// Recursively addslashes() a value unless magic_quotes_gpc already did it (or $force is set)
function daddslashes($string, $force = 0) {
    if (!$GLOBALS['magic_quotes_gpc'] || $force) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}
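What the extract() calls in the Discuz snippet do to script state, as an added example that is not part of the original page. The request array is constructed by hand so the script runs from the command line, and the function names are this example's own; daddslashes() is left out because escaping does not change the outcome.

```php
<?php
// Added example (not from the original page): extract() over request data overwrites
// variables the script already set. $_GET is stood in for by a constructed array so the
// script runs from the command line; function names are this example's own.
declare(strict_types=1);

function page_for(array $request): string
{
    $is_admin = false;            // decided by the application before the request is read
    extract($request);            // as in the Discuz snippet: every request key becomes a variable
    return $is_admin ? 'admin panel' : 'public page';
}

function page_for_skip(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_SKIP); // existing variables are never overwritten
    return $is_admin ? 'admin panel' : 'public page';
}

function page_for_explicit(array $request): string
{
    $is_admin = false;
    $page = $request['page'] ?? 'home'; // read the keys you expect; no extract() at all
    return $is_admin ? 'admin panel' : "public page: $page";
}

// ?is_admin=1&page=home, as PHP would place it in $_GET (constructed for this example)
$request = ['is_admin' => '1', 'page' => 'home'];

echo page_for($request), "\n";          // the request has overwritten $is_admin
echo page_for_skip($request), "\n";     // $is_admin kept its value
echo page_for_explicit($request), "\n"; // $is_admin kept its value
```

EXTR_SKIP closes the overwrite, but it still leaves the set of variable names under the client's control; reading the expected keys explicitly is the form that needs no such reasoning.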

Finally, a stronger set of filter functions. They are shown one after another; each runs on its own, and the comments mark the places where extraction had damaged the original text or where a function has a known limitation.

The code is as follows:

<?php
// In the original this is a public method called through array($this, 'add_special_char');
// it is a plain function here so the snippet runs on its own.
/**
 * Add backticks around a field name to keep the query safe
 * @param $value Array value (changed in place by array_walk)
 */
function add_special_char(&$value) {
    if ('*' == $value || false !== strpos($value, '(') || false !== strpos($value, '.') || false !== strpos($value, '`')) {
        // Do not process: the field is *, a SQL function call, a table.column reference,
        // or already contains a backtick. Such values pass through unquoted, so field
        // names must still come from an allow-list, never straight from the request.
    } else {
        $value = '`' . trim($value) . '`';
    }
    return $value;
}

// $data: a comma-separated list of field names supplied by the caller
$field = explode(',', $data);
array_walk($field, 'add_special_char');
$data = implode(',', $field);
// Encode for HTML, addslashes() unless magic quotes already did, then delete "dangerous" words.
// The word pass is not precise: it also mangles ordinary text ("Oregon" loses its "or").
function str_filter($str) {
    $str = htmlspecialchars($str);
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $str = addslashes($str);
    }
    // Filter dangerous characters and keywords (the '"' branch is moot: htmlspecialchars() has already encoded it)
    return preg_replace('/["=]|(and)|(or)|(create)|(update)|(alter)|(delete)|(insert)|(load_file)|(outfile)|(count)|(%20)|(char)/i', '', $str);
}
/*
Function name: str_check()
Function: Filter a submitted string
Parameter: $str: the string to process
Return value: the filtered string
*/
function str_check($str) {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) { // addslashes() unless magic_quotes_gpc is on
        $str = addslashes($str);
    }
    $str = str_replace('_', '\\_', $str); // escape the LIKE wildcard '_'
    $str = str_replace('%', '\\%', $str); // escape the LIKE wildcard '%'
    return $str;
}

/*
Function name: post_check()
Function: Process submitted (edited) content
Parameter: $post: the submitted content
Return value: $post: the filtered content
*/
function post_check($post) {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) { // addslashes() unless magic_quotes_gpc is on
        $post = addslashes($post);
    }
    $post = str_replace('_', '\\_', $post); // escape the LIKE wildcard '_'
    $post = str_replace('%', '\\%', $post); // escape the LIKE wildcard '%'
    // htmlspecialchars() must run before nl2br(); in the original order the <br /> tags
    // that nl2br() inserts were encoded as well and showed up as text
    $post = htmlspecialchars($post);        // encode HTML markup
    $post = nl2br($post);                   // newlines to <br />
    return $post;
}
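str_check() and post_check() escape "_" and "%" because those are LIKE wildcards, and that is one of the two things a bound parameter does not take care of; the other is an identifier such as a sort column. The following added example, not code from the page, shows both handled next to a bound query: the table, its rows and the function names are constructed for the demonstration, and pdo_sqlite is assumed to be available.

```php
<?php
// Added example (not from the original page): LIKE wildcards inside a bound value and
// a user-chosen sort column, the two things binding alone does not cover. Table, rows
// and function names are constructed for this demonstration; pdo_sqlite is assumed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'a_b')"); // constructed rows

// Escape LIKE metacharacters inside the value; the query's ESCAPE clause names the escape
// character. addcslashes() here does what str_check()'s two str_replace() calls do.
function escape_like(string $term): string
{
    return addcslashes($term, '\\%_');
}

function names_starting_with(PDO $db, string $prefix, string $sort): array
{
    // Identifiers cannot be bound: map the request value onto an allow-list instead of quoting it.
    $columns = ['id' => 'id', 'name' => 'name'];
    if (!isset($columns[$sort])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $sql = "SELECT name FROM users WHERE name LIKE :p ESCAPE '\\' ORDER BY {$columns[$sort]}";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':p', escape_like($prefix) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same query with the prefix bound but not escaped: "_" then matches any single character.
function names_starting_with_unescaped(PDO $db, string $prefix): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name LIKE :p');
    $stmt->execute([':p' => $prefix . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo json_encode(names_starting_with($db, 'a_', 'name')), "\n";     // only the name with a literal underscore
echo json_encode(names_starting_with_unescaped($db, 'a_')), "\n"; // "alice" matches as well
try {
    names_starting_with($db, 'a', 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                                  // the sort column never reaches the SQL
}
```

Escaping the wildcards and binding the value are separate steps: the bind keeps the value out of the SQL grammar, the escape keeps it out of the LIKE pattern grammar, and neither replaces the other.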
/*
Function name: inject_check()
Function: Detect whether a submitted value contains SQL-injection characters, to protect the server
Parameter: $sql_str: the submitted variable
Return value: the test result, true or false
*/
function inject_check($sql_str) {
    // eregi() was removed in PHP 7; this is the same case-insensitive alternation with preg_match().
    // "and" and "or" also match inside ordinary words (android, form), so expect false positives.
    return (bool) preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
}

/*
Function name: verify_id()
Function: Check that a submitted ID value is legitimate
Parameter: $id: the submitted ID value
Return value: the processed ID
*/
function verify_id($id = null) {
    if (!$id) { exit('No parameter submitted!'); }                          // empty check (note that "0" is rejected too)
    elseif (inject_check($id)) { exit('Submitted parameter is illegal!'); } // injection check
    elseif (!is_numeric($id)) { exit('Submitted parameter is illegal!'); }  // numeric check
    $id = intval($id); // cast to integer

    return $id;
}

// $rptype = 0  replace HTML tags only
// $rptype = 1  replace HTML tags and collapse runs of whitespace
// $rptype = 2  replace HTML tags and remove all whitespace
// $rptype = -1 replace only dangerous HTML tags
function htmlreplace($str, $rptype = 0) {
    $str = stripslashes($str);
    if ($rptype == 0) {
        $str = htmlspecialchars($str);
    } else if ($rptype == 1) {
        $str = htmlspecialchars($str);
        $str = str_replace("　", "", $str);                // full-width (ideographic) space
        $str = preg_replace("/[\r\n\t ]{1,}/", " ", $str); // ereg_replace() in the original; removed in PHP 7
    } else if ($rptype == 2) {
        $str = htmlspecialchars($str);
        $str = str_replace("　", "", $str);
        $str = preg_replace("/[\r\n\t ]/", "", $str);
    } else {
        $str = preg_replace("/[\r\n\t ]{1,}/", " ", $str);
        $str = preg_replace('/script/i', 'script', $str); // as printed, search and replacement are the same word, so this line does nothing
        // Only these four tag names are removed; <img onerror=...>, <svg onload=...> and inline
        // event handlers on any other tag survive, so this mode is not an XSS defense
        $str = preg_replace('/<\/?(link|meta|ifr|fra)[^>]*>/i', '', $str);
    }
    return addslashes($str);
}
// Recursive addslashes() (a second daddslashes(); it cannot be loaded together with the Discuz one above)
function daddslashes($string, $force = 0, $strip = false) {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc() || $force) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = daddslashes($val, $force, $strip);
            }
        } else {
            // with $strip, existing slashes are removed first so values are never escaped twice
            $string = addslashes($strip ? stripslashes($string) : $string);
        }
    }
    return $string;
}

// Recursive stripslashes()
function dstripslashes($string) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = dstripslashes($val); // the original called $this->dstripslashes() from inside a class
        }
    } else {
        $string = stripslashes($string);
    }
    return $string;
}
/**
 * Safe filter function
 * @param $string the string to filter
 * @return string the processed string
 *
 * This deletes characters rather than encoding them, so it changes data (O'Brien becomes OBrien)
 * and it is tied to no output context; it is a blunt instrument, not an escaping routine.
 */
function safe_replace($string) {
    $string = str_replace('%20', '', $string);
    $string = str_replace('%27', '', $string);
    $string = str_replace('%2527', '', $string);
    $string = str_replace('*', '', $string);
    $string = str_replace('"', '&quot;', $string);
    $string = str_replace("'", '', $string);
    $string = str_replace('"', '', $string);   // no-op here: every '"' was already turned into &quot; two lines up
    $string = str_replace(';', '', $string);
    $string = str_replace('<', '&lt;', $string);
    $string = str_replace('>', '&gt;', $string);
    $string = str_replace('{', '', $string);
    $string = str_replace('}', '', $string);
    return $string;
}

/**
 * Apply htmlspecialchars() to a string or, recursively, to every value of an array
 * @param $string a string or array to process
 * @return mixed the string or array after htmlspecialchars()
 */
function new_htmlspecialchars($string) {
    if (!is_array($string)) {
        return htmlspecialchars($string);
    }
    foreach ($string as $key => $val) {
        $string[$key] = new_htmlspecialchars($val);
    }
    return $string;
}

// Handle content in which HTML is disabled but line breaks are allowed
function trimmsg($msg) {
    $msg = trim(stripslashes($msg));
    $msg = nl2br(htmlspecialchars($msg));
    // keep runs of spaces visible; the search string was lost in extraction and two spaces is assumed here
    $msg = str_replace("  ", "&nbsp;&nbsp;", $msg);
    return addslashes($msg);
}
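The HTML side of the functions above either deletes characters (safe_replace) or calls htmlspecialchars() with its default flags (htmlreplace, trimmsg, new_htmlspecialchars). The following added example, not code from the page, shows encoding chosen by output context on constructed inputs; the function names and the inputs are this example's own.

```php
<?php
// Added example (not from the original page): output encoding chosen by context, beside
// the inputs the page's filters mishandle. Function names and inputs are constructed here.
declare(strict_types=1);

// For text between tags and inside quoted attributes. ENT_QUOTES encodes ' as well as "
// (before PHP 8.1 the default was ENT_COMPAT, which left ' alone, so a single-quoted
// attribute could be closed); ENT_SUBSTITUTE keeps invalid UTF-8 from yielding "".
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For a value embedded in a <script> block: a JSON literal with <, >, &, ' and "
// written as \uXXXX, so the string can neither close the script nor open a tag.
function esc_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

function render_profile(string $name, string $bio): string
{
    return "<p title='" . esc_html($name) . "'>" . esc_html($bio) . "</p>\n"
         . '<script>var user = ' . esc_js($name) . ';</script>';
}

// Constructed inputs: a name that tries to break out of a single-quoted attribute, and a
// bio whose tag is not one of link|meta|ifr|fra, so htmlreplace($bio, -1) would keep it.
$name = "O'Brien' onmouseover='alert(1)";
$bio  = '<img src=x onerror=alert(1)>';
echo render_profile($name, $bio), "\n";

// Encoding keeps the data intact; safe_replace() would have turned O'Brien into OBrien.
echo esc_html("O'Brien"), "\n";
```

Encoding happens once, at output, for the context the value lands in; the addslashes()/stripslashes() round trips in the functions above are a sign that escaping was being done at input time, where the context is not yet known.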
