PHP implements the function of verifying and processing form submission data (preventing SQL injection and XSS attacks, etc.)

Source: Internet
Author: User


This example describes how PHP can verify and process data submitted by forms. It is shared here for your reference. The details are as follows:

XSS attack protection code:

/**
 * Security filter function: strips or entity-encodes characters commonly used in XSS payloads.
 * @param  string $string
 * @return string
 */
function safe_replace($string) {
    $string = str_replace('%20', '', $string);
    $string = str_replace('%27', '', $string);
    $string = str_replace('%100', '', $string);
    $string = str_replace('*', '', $string);
    $string = str_replace('"', '&quot;', $string);
    $string = str_replace("'", '', $string);
    $string = str_replace('"', '', $string);
    $string = str_replace(';', '', $string);
    $string = str_replace('<', '&lt;', $string);
    $string = str_replace('>', '&gt;', $string);
    $string = str_replace("{", '', $string);
    $string = str_replace('}', '', $string);
    // A single backslash must be written as '\\' inside a single-quoted PHP string.
    $string = str_replace('\\', '', $string);
    return $string;
}

Code example:

<?php
$user_name = strim($_REQUEST['user_name']);

function strim($str) {
    // trim() removes whitespace (or other predefined characters) from both ends of a string.
    // htmlspecialchars() converts predefined characters into HTML entities (XSS defense).
    // The predefined characters are:
    //   & (ampersand)      becomes &amp;
    //   " (double quote)   becomes &quot;
    //   ' (single quote)   becomes &#039; (only with ENT_QUOTES, the default since PHP 8.1)
    //   < (less than)      becomes &lt;
    //   > (greater than)   becomes &gt;
    return quotes(htmlspecialchars(trim($str)));
}

// Anti-SQL injection
function quotes($content) {
    // if $content is an array
    if (is_array($content)) {
        foreach ($content as $key => $value) {
            // $content[$key] = mysql_real_escape_string($value);
            /* addslashes() returns a string with a backslash added before each predefined character.
               Predefined characters: single quote ('), double quote ("), backslash (\), NULL */
            $content[$key] = addslashes($value);
        }
    } else {
        // if $content is not an array
        // $content = mysql_real_escape_string($content);
        $content = addslashes($content);
    }
    return $content;
}
?>

// Filter SQL injection: reject any request key or value containing an SQL keyword followed by whitespace
function filter_injection(&$request) {
    $pattern = "/(select[\s])|(insert[\s])|(update[\s])|(delete[\s])|(from[\s])|(where[\s])/i";
    foreach ($request as $k => $v) {
        if (preg_match($pattern, $k, $match)) {
            die("SQL Injection denied!");
        }
        if (is_array($v)) {
            filter_injection($request[$k]);
        } else {
            if (preg_match($pattern, $v, $match)) {
                die("SQL Injection denied!");
            }
        }
    }
}
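The functions above rely on stripping or escaping dangerous characters. The following added example (not code from the original post) shows the same form-handling flow written the way it is usually done today: validate the input against an allow-list, encode it for HTML only at output time, and store it with a mysqli prepared statement so that no escaping of the data is needed at all. The table `users`, the column `user_name` and the connection parameters are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumes a table "users" with a column "user_name".
declare(strict_types=1);

// Validate: accept only the characters a user name should contain.
// Rejecting bad input is more robust than trying to strip dangerous characters out of it.
function validate_user_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 32) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        return null;
    }
    return $name;
}

// Encode for HTML output. ENT_QUOTES also converts the single quote, so the value is safe
// inside both double- and single-quoted attributes. Encode at output time, not before storing.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store with a prepared statement: the value travels separately from the SQL text,
// so the database never parses it as part of the statement.
function insert_user(mysqli $db, string $userName): bool
{
    $stmt = $db->prepare('INSERT INTO users (user_name) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $userName);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Form parameters may arrive as arrays (user_name[]=...), so check the type before use.
$raw = $_POST['user_name'] ?? '';
$userName = is_string($raw) ? validate_user_name($raw) : null;
if ($userName === null) {
    http_response_code(400);
    exit('Invalid user name');
}

// Connection parameters are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

if (insert_user($db, $userName)) {
    echo 'Welcome, ' . html($userName);
}
```

Note that `filter_injection()` above rejects any value containing a word such as "from" or "where" followed by whitespace, which also blocks legitimate free-text input; the allow-list in `validate_user_name()` avoids that by describing what is valid rather than guessing what is dangerous.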

Anti-SQL injection:

The mysql_real_escape_string() function escapes special characters in a string so that it can be used safely in an SQL statement.

The following characters are affected:

\x00
\n
\r
'
"
\x1a

On success, the function returns the escaped string; on failure, it returns false.

Syntax

mysql_real_escape_string(string,connection)

Parameter    Description
string       Required. The string to be escaped.
connection   Optional. The MySQL connection to use. If not specified, the most recently opened connection is used.
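The mysql_* extension that provides mysql_real_escape_string() was removed in PHP 7.0; mysqli_real_escape_string() (or the `real_escape_string()` method on a mysqli object) is the replacement with the same semantics. The following added example (not from the original post) shows the two rules that matter when using it: the connection's character set must be set first, because the escaping depends on it, and the escaped value is only safe inside a quoted SQL string literal. Numeric values are cast rather than escaped. The table and connection parameters are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a table "users" with columns "id" and "user_name".
declare(strict_types=1);

// Build a quoted SQL string literal. Escaping only protects a value that sits between quotes;
// an escaped value placed bare into the statement text is not protected.
function sql_string(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Numeric values are not protected by string escaping at all: cast them to the expected type.
function sql_int($value): int
{
    return (int) $value;
}

// Connection parameters are placeholders. set_charset() must run before any escaping so the
// escaping routine uses the same encoding the server will use to parse the statement.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

$name = $_GET['name'] ?? '';
$page = $_GET['page'] ?? 1;
if (!is_string($name)) {
    http_response_code(400);
    exit('Invalid name');
}

$sql = 'SELECT id, user_name FROM users WHERE user_name = ' . sql_string($db, $name)
     . ' LIMIT 10 OFFSET ' . (sql_int($page) * 10);

$result = $db->query($sql);
while ($result && ($row = $result->fetch_assoc())) {
    echo htmlspecialchars($row['user_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
}
```

Prepared statements remove the need for this kind of manual quoting entirely; escaping is the fallback for the cases where the SQL text must be assembled by hand.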

For validating values that must be numbers or numeric strings, you can use

is_numeric(), which checks whether the variable is a number or a numeric string.

Instance:

<?php
function get_numeric($val) {
    if (is_numeric($val)) {
        return $val + 0;
    }
    return 0;
}
?>
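is_numeric() is broader than "a string of digits": it also accepts leading whitespace, signs, decimal points and exponent notation such as 1e3, and get_numeric() returns 0 both for the input "0" and for invalid input. The following added example (not from the original post) places the post's get_numeric() beside a stricter check built on filter_var() with FILTER_VALIDATE_INT, which is the usual choice for ID-style parameters that must be whole numbers within a range. The sample inputs are constructed.

```php
<?php
// Added example, not from the original post.
declare(strict_types=1);

// The post's get_numeric(): accepts whatever is_numeric() accepts, returns 0 otherwise.
function get_numeric($val)
{
    if (is_numeric($val)) {
        return $val + 0;
    }
    return 0;
}

// Strict check for an integer parameter: decimal digits only, within [$min, $max].
// Returns null (not 0) on failure so the caller can tell "invalid" from "zero".
function get_int_id($val, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    // filter_var() returns false for arrays and for anything that is not an integer literal.
    $id = filter_var($val, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;
}

// Constructed sample inputs covering the cases where the two checks disagree.
$samples = ['42', ' 42', '1e3', '0x2A', '42abc', '-7', '0', ['42']];
foreach ($samples as $s) {
    $label = is_array($s) ? 'array' : "'" . $s . "'";
    printf("%-8s get_numeric: %-6s get_int_id: %s\n",
        $label,
        var_export(get_numeric($s), true),
        var_export(get_int_id($s), true));
}
```

Use the strict check wherever the value is interpolated into a query, a file name or a shell command: a value that passed FILTER_VALIDATE_INT can only ever be a plain integer.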

is_array - check whether the variable is an array
bool is_array ( mixed $var )
Returns TRUE if var is an array, FALSE otherwise.

is_dir - determine whether the given file name is a directory
bool is_dir ( string $filename )
Determines whether the given file name is a directory.
Returns TRUE if the file name exists and is a directory, FALSE otherwise.

is_file - determine whether the given file name is a regular file
bool is_file ( string $filename )
Determines whether the given file name is a regular file.
Returns TRUE if the file exists and is a regular file, FALSE otherwise.
Note:
Because PHP's integer type is signed and many platforms use 32-bit integers, some file system functions may return unexpected results for files larger than 2 GB.

is_bool - check whether the variable is a boolean
bool is_bool ( mixed $var )
Returns TRUE if var is a boolean.

is_string - check whether the variable is a string
bool is_string ( mixed $var )
Returns TRUE if var is a string, FALSE otherwise.

is_int - check whether the variable is an integer
bool is_int ( mixed $var )
Returns TRUE if var is an integer, FALSE otherwise.
Note:
To test whether a variable is a number or a numeric string (such as form input, which is usually a string), you must use is_numeric().

is_float - check whether the variable is a float
bool is_float ( mixed $var )
Returns TRUE if var is a float, FALSE otherwise.
Note:
To test whether a variable is a number or a numeric string (such as form input, which is usually a string), you must use is_numeric().

is_null - check whether the variable is NULL
bool is_null ( mixed $var )
Returns TRUE if var is null, FALSE otherwise.

is_readable - determine whether the given file name is readable
bool is_readable ( string $filename )
Determines whether the given file name exists and is readable. Returns TRUE if the file or directory specified by filename exists and is readable, FALSE otherwise.

is_writable - determine whether the given file name is writable
bool is_writable ( string $filename )
Returns TRUE if the file exists and is writable. The filename parameter may be a directory name, which allows checking whether the directory is writable.

file_exists - check whether a file or directory exists
bool file_exists ( string $filename )
Checks whether a file or directory exists.
On Windows, use //computername/share/filename or \\computername\share\filename to check files on a network share.
Returns TRUE if the file or directory specified by filename exists, FALSE otherwise.

is_executable - determine whether the given file name is executable
bool is_executable ( string $filename )
Determines whether the given file name is executable. Returns TRUE if the file exists and is executable, FALSE on error.
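The file system checks listed above are most useful when combined: a user-supplied file name should be resolved to a canonical path, confined to one base directory, and only then tested with is_file() and is_readable(). The following added example (not from the original post) shows that pattern with realpath(), is_dir(), is_file() and is_readable(). The base directory `/srv/app/uploads` and the `file` query parameter are assumptions for illustration.

```php
<?php
// Added example, not from the original post. The base directory is a placeholder.
declare(strict_types=1);

// Returns the canonical path of a readable regular file inside $baseDir, or null if the
// request does not resolve to such a file.
function resolve_in_base(string $baseDir, string $userPath): ?string
{
    // File system functions reject embedded NUL bytes (ValueError since PHP 8.0); refuse early.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // realpath() resolves "..", "." and symbolic links, and returns false if the target does not exist.
    $full = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($full === false) {
        return null;
    }

    // Compare against the base with a trailing separator, so that a sibling directory whose name
    // merely starts with the base name (for example "uploads-old") is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    if (!is_file($full) || !is_readable($full)) {
        return null;
    }
    return $full;
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_in_base('/srv/app/uploads', $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
readfile($path);
```

The order of the checks matters: realpath() is called before the prefix comparison so that ".." segments and symbolic links are already resolved when the containment check runs, and is_file() excludes directories and special files that file_exists() alone would accept.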
