PHP: verifying and processing form submission data (preventing SQL injection and XSS attacks)
This article describes how PHP can verify and process data submitted by forms, and is shared here for your reference. The details are as follows:
XSS attack protection code:
/**
 * Security filter function
 *
 * @param  string $string
 * @return string
 */
function safe_replace($string) {
    // Strip URL-encoded space and single quote.
    $string = str_replace('%20', '', $string);
    $string = str_replace('%27', '', $string);
    $string = str_replace('%100', '', $string);
    $string = str_replace('*', '', $string);
    // Double quotes become the HTML entity &quot;.
    $string = str_replace('"', '&quot;', $string);
    // Single quotes are removed entirely.
    $string = str_replace("'", '', $string);
    // No literal double quotes remain at this point, so this call is a no-op kept from the original.
    $string = str_replace('"', '', $string);
    $string = str_replace(';', '', $string);
    // Angle brackets become entities so the string cannot open an HTML tag.
    $string = str_replace('<', '&lt;', $string);
    $string = str_replace('>', '&gt;', $string);
    $string = str_replace('{', '', $string);
    $string = str_replace('}', '', $string);
    // Remove backslashes (the backslash itself must be escaped inside the PHP string literal).
    $string = str_replace('\\', '', $string);
    return $string;
}
Code example:
<?php
$user_name = strim($_REQUEST['user_name']);

function strim($str) {
    // trim() removes whitespace (or other predefined characters) from both ends of a string.
    // htmlspecialchars() converts predefined characters into HTML entities (XSS defense).
    // The predefined characters are:
    //   & (ampersand)     becomes &amp;
    //   " (double quote)  becomes &quot;
    //   ' (single quote)  becomes &#039; (only when the ENT_QUOTES flag is set; the default since PHP 8.1)
    //   < (less than)     becomes &lt;
    //   > (greater than)  becomes &gt;
    return quotes(htmlspecialchars(trim($str)));
}

// Anti-SQL injection
function quotes($content) {
    // If $content is an array, escape every element.
    if (is_array($content)) {
        foreach ($content as $key => $value) {
            // $content[$key] = mysql_real_escape_string($value);
            /* addslashes() returns a string with a backslash added before each predefined character.
               Predefined characters: single quote ('), double quote ("), backslash (\), NUL */
            $content[$key] = addslashes($value);
        }
    } else {
        // If $content is not an array, escape the single value.
        // $content = mysql_real_escape_string($content);
        $content = addslashes($content);
    }
    return $content;
}
?>
// Filter SQL injection: reject any request key or value that contains one of the listed
// SQL keywords followed by whitespace. Note that such a keyword blocklist also rejects
// legitimate text (for example a comment containing "from " or "where ").
function filter_injection(&$request) {
    $pattern = "/(select[\s])|(insert[\s])|(update[\s])|(delete[\s])|(from[\s])|(where[\s])/i";
    foreach ($request as $k => $v) {
        // Check the parameter name.
        if (preg_match($pattern, $k, $match)) {
            die("SQL Injection denied!");
        }
        if (is_array($v)) {
            // Recurse into nested arrays (e.g. name[] fields).
            filter_injection($request[$k]);
        } else {
            // Check the parameter value.
            if (preg_match($pattern, $v, $match)) {
                die("SQL Injection denied!");
            }
        }
    }
}
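As an added example (not code from the original post), the following handler combines the checks described above in one place: it validates the submitted field against an allow-list instead of a keyword blocklist, sends it to MySQL through a mysqli prepared statement instead of escaping it with addslashes() or mysql_real_escape_string() (the latter was removed together with the mysql extension in PHP 7), and HTML-encodes it with ENT_QUOTES at output time. The table name, column name and database credentials are assumptions.

```php
<?php
// Added example: validate a submitted user name, then use it safely in SQL and in HTML.
// Assumed table: users(user_name VARCHAR(32)); assumed database credentials below.

// Returns the trimmed field, or null if it is missing, not a string, or fails the allow-list.
function validate_user_name(array $request, string $field): ?string {
    if (!isset($request[$field]) || !is_string($request[$field])) {
        return null;                                   // arrays and missing fields are rejected
    }
    $value = trim($request[$field]);
    // Allow-list of 3..32 letters, digits, '_' or '-': stricter than a blocklist of SQL keywords.
    return preg_match('/^[A-Za-z0-9_-]{3,32}$/', $value) === 1 ? $value : null;
}

// Output encoding for HTML: ENT_QUOTES also converts single quotes, so the value is
// safe inside single-quoted attributes as well as in element text.
function html_encode(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$user_name = validate_user_name($_REQUEST, 'user_name');
if ($user_name === null) {
    http_response_code(400);
    exit('Invalid user name');
}

// Parameterised query: the value is sent separately from the SQL text, so it is never
// interpreted as SQL and needs no addslashes() / real_escape_string() call.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');   // assumed credentials
$db->set_charset('utf8mb4');
$stmt = $db->prepare('INSERT INTO users (user_name) VALUES (?)');
$stmt->bind_param('s', $user_name);
$stmt->execute();
$stmt->close();

// Encode at output time; the stored value stays unmodified and can be reused in other contexts.
echo 'Saved user ' . html_encode($user_name);
```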
Anti-SQL injection:
mysql_real_escape_string()
Escapes special characters in a string for use in an SQL statement.
The following characters are affected:
\x00
\n
\r
\
'
"
\x1a
On success, the function returns the escaped string. On failure, it returns false.
Syntax
mysql_real_escape_string(string,connection)
Parameter   | Description
string      | Required. Specifies the string to be escaped.
connection  | Optional. Specifies the MySQL connection. If not specified, the most recently opened connection is used.
To verify that a value is a number or a numeric string, you can use
is_numeric()
Checks whether the variable is a number or a numeric string.
Instance:
<?php
function get_numeric($val) {
    if (is_numeric($val)) {
        return $val + 0;   // convert the numeric string to int or float
    }
    return 0;
}
?>
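As an added example (not from the original post), the following runs get_numeric() over a set of constructed inputs and contrasts it with a stricter integer-only validator: is_numeric() also accepts leading whitespace, signs, decimals and exponent notation such as "1e3", which is usually not what an id or quantity field should allow. get_int() is a name chosen here, not a PHP built-in; the sample inputs are constructed.

```php
<?php
// Added example: what get_numeric() accepts, beside a stricter integer-only variant.

// The page's function: any numeric string passes, and "+ 0" yields an int or a float.
function get_numeric($val) {
    if (is_numeric($val)) {
        return $val + 0;
    }
    return 0;
}

// Only a plain decimal integer string (optional sign) is accepted; everything else yields null.
// Whitespace, decimals, exponents and hex notation all fail the regular expression.
function get_int($val): ?int {
    if (!is_int($val) && !(is_string($val) && preg_match('/^[+-]?\d+$/', $val) === 1)) {
        return null;
    }
    // FILTER_VALIDATE_INT additionally rejects values outside the platform's PHP_INT range.
    $n = filter_var($val, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Constructed sample inputs, as they might arrive from $_REQUEST.
$samples = ['42', ' 42', '1e3', '0x1A', '3.5', '42abc', '', '-7', '99999999999999999999'];

printf("%-24s %-16s %s\n", 'input', 'get_numeric()', 'get_int()');
foreach ($samples as $s) {
    printf("%-24s %-16s %s\n",
           var_export($s, true),
           var_export(get_numeric($s), true),
           var_export(get_int($s), true));
}
```

Run it from the command line to see which inputs the two functions treat differently.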
is_array - check whether the variable is an array
bool is_array ( mixed $var )
If var is array, TRUE is returned; otherwise, FALSE is returned.
is_dir - check whether the given file name is a directory
bool is_dir ( string $filename )
Determines whether the given file name is a directory.
If the file name exists and is a directory, TRUE is returned; otherwise, FALSE is returned.
is_file - check whether the given file name is a regular file
bool is_file ( string $filename )
Determines whether the given file name is a regular file.
If the file exists and is a regular file, TRUE is returned; otherwise, FALSE is returned.
Note:
Because the integer type of PHP is signed and many platforms use 32-bit integers, some file system functions may return unexpected results for files larger than 2 GB.
is_bool - check whether the variable is a boolean
bool is_bool ( mixed $var )
If var is a boolean, TRUE is returned; otherwise, FALSE is returned.
is_string - check whether the variable is a string
bool is_string ( mixed $var )
If var is a string, TRUE is returned; otherwise, FALSE is returned.
is_int - check whether the variable is an integer
bool is_int ( mixed $var )
If var is an integer, TRUE is returned; otherwise, FALSE is returned.
Note:
To test whether a variable is a number or a numeric string (such as form input, which is always a string), use is_numeric().
is_float - check whether the variable is a float
bool is_float ( mixed $var )
If var is a float, TRUE is returned; otherwise, FALSE is returned.
Note:
To test whether a variable is a number or a numeric string (such as form input, which is always a string), use is_numeric().
is_null - check whether the variable is NULL
bool is_null ( mixed $var )
If var is null, TRUE is returned; otherwise, FALSE is returned.
is_readable - check whether the given file name is readable
bool is_readable ( string $filename )
Determines whether the given file name exists and is readable. If the file or directory specified by filename exists and is readable, TRUE is returned; otherwise, FALSE is returned.
is_writable - check whether the given file name is writable
bool is_writable ( string $filename )
If the file exists and is writable, TRUE is returned. The filename parameter may also be a directory name, in which case the directory is checked for write access.
file_exists - check whether a file or directory exists
bool file_exists ( string $filename )
Check whether a file or directory exists.
On Windows, use //computername/share/filename or \\computername\share\filename to check files on network shares.
If a file or directory specified by filename exists, TRUE is returned; otherwise, FALSE is returned.
is_executable - check whether the given file name is executable
bool is_executable ( string $filename )
Determines whether the given file name is executable. If the file exists and is executable, TRUE is returned; FALSE is returned otherwise or on error.