PHP parameter filtering and data filtering (PHP tutorial)

Source: Internet
Author: User
This article introduces PHP parameter filtering and PHP data filtering: the basic principles of filtering submitted data in PHP and a simple data-filtering scheme. If you are interested, start with the following class, which implements parameter filtering for GET, POST and cookie data.

```php
<?php
class mysafe
{
    public $logname;
    public $isshowmsg;

    function __construct()
    {
        // A method must be registered as a callable array; the bare string 'myerror'
        // that the original passed would never resolve to MyError().
        set_error_handler(array($this, 'MyError'), E_ALL);
    }

    function MyError($errno, $errstr, $errfile, $errline)
    {
        echo "<b>Error number:</b> [$errno], error on line $errline in $errfile<br />";
        exit;
    }

    // append one record to the log file (defaults to DOCUMENT_ROOT/log.htm)
    function wlog($logs)
    {
        if (empty($this->logname)) {
            $this->logname = $_SERVER["DOCUMENT_ROOT"] . "/log.htm";
        }
        $Ts = fopen($this->logname, "a+");
        fputs($Ts, $logs . "\r\n");
        fclose($Ts);
    }

    // print the message only when $isshowmsg has been set; optionally stop the script
    function showmsg($msg = '', $flag = false)
    {
        $this->isshowmsg = empty($this->isshowmsg) ? false : true;
        if ($this->isshowmsg) {
            echo '<br />--------------------------------------<br />';
            echo $msg;
            echo '<br />--------------------------------------<br />';
            if ($flag) exit;
        }
    }

    function get_filter()
    {
        $getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
        foreach ($_GET as $key => $value) {
            $this->StopAttack($key, $value, $getfilter);
        }
    }

    function post_filter()
    {
        $postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
        foreach ($_POST as $key => $value) {
            $this->StopAttack($key, $value, $postfilter);
        }
    }

    function cookie_filter()
    {
        $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
        foreach ($_COOKIE as $key => $value) {
            $this->StopAttack($key, $value, $cookiefilter);
        }
    }

    // filter one parameter: when the pattern matches, log it, report it and stop
    function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq)
    {
        if (is_array($StrFiltValue)) {
            $StrFiltValue = implode($StrFiltValue);
        }
        if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1) {
            $msg = "<br />Operation IP address: " . $_SERVER["REMOTE_ADDR"]
                 . "<br />Operation Time: " . date("Y-m-d H:i:s")   // strftime() is deprecated since PHP 8.1
                 . "<br />Operation page: " . $_SERVER["PHP_SELF"]
                 . "<br />Submission method: " . $_SERVER["REQUEST_METHOD"]
                 . "<br />Parameter submitted: " . $StrFiltKey
                 . "<br />Submit data: " . $StrFiltValue;
            $this->wlog($msg);
            $this->showmsg($msg);
            exit();
        }
    }

    // crude keyword stripping for a value headed into SQL; str_replace() applies the
    // search terms in the order listed and is case-sensitive, so this is a blunt
    // last-resort filter, not a replacement for proper escaping or prepared statements
    function filter_value_for_sql($str)
    {
        $words = array("and", "execute", "update", "count", "chr", "mid", "master",
                       "truncate", "char", "declare", "select", "create", "delete",
                       "insert", "'", '"', " ", "or", "=");   // " " is assumed: the extracted text shows an empty search string
        return str_replace($words, "", $str);
    }
} // class end
```
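The three `*_filter()` methods above are a denylist: a request is rejected as soon as any parameter matches the regular expression. The following added example (not part of the original article) runs the same GET pattern over constructed parameter arrays and returns the matching keys instead of exiting, which makes both sides of the trade-off visible: the pattern does catch a query fragment of the `UNION ... SELECT` form, but it also rejects ordinary input such as a surname containing an apostrophe or a sentence that happens to contain "and ... like". The constant, the function and the sample arrays are this example's own.

```php
<?php
// Added example, not code from the original article: dry-run the article's
// GET pattern over constructed parameters and report which keys match.

// The same pattern mysafe::get_filter() uses (double-quoted, so \\b becomes \b).
const GET_FILTER = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";

// Returns the keys whose values match $pattern (case-insensitive, dot matches
// newlines), mirroring StopAttack() but without logging or exit().
function scan_params(array $params, string $pattern): array
{
    $flagged = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            $value = implode('', $value);   // same flattening as StopAttack()
        }
        if (preg_match('/' . $pattern . '/is', (string) $value) === 1) {
            $flagged[] = $key;
        }
    }
    return $flagged;
}

// Constructed sample requests (not real traffic).
$benign  = ['page' => '2', 'sort' => 'name'];
$legit   = ['name' => "O'Brien", 'q' => 'cats and dogs like mice'];
$hostile = ['id' => '1 UNION SELECT 1,2'];

print_r(scan_params($benign, GET_FILTER));
print_r(scan_params($legit, GET_FILTER));
print_r(scan_params($hostile, GET_FILTER));
```

The first array is passed through untouched and the third is flagged on `id`, as intended. The second array is flagged on both keys: `name` because the pattern's very first alternative is a bare single quote, and `q` because `(and|or)\b.+?(...|like)` matches "and dogs like". Before deploying a filter of this kind, run it over a sample of real, legitimate traffic and review what it would have blocked; the log file written by `wlog()` is exactly the place to look for such false positives.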

Next we introduce PHP data filtering.

1. Basic principles of PHP data submission and filtering

1) When a variable is submitted to the database it must be escaped with addslashes(); quote characters in the value, for example, are neutralised by addslashes(). When the value is numeric, intval() is also a good choice for filtering the string.
2) Enable magic_quotes_gpc and magic_quotes_runtime in php.ini. magic_quotes_gpc prefixes the quotation marks in GET, POST and cookie data with a backslash, and magic_quotes_runtime does the same for data read from and written to external sources. This setting was very popular back when injection attacks were rampant.
3) When calling system functions, pass the arguments through escapeshellarg() and escapeshellcmd() so that the system functions can be used safely.
4) Against cross-site scripting, strip_tags() and htmlspecialchars() are both good: HTML and PHP tags submitted by the user are converted, for example the angle bracket "<" becomes the harmless "&lt;".
```php
$new = htmlspecialchars("Test", ENT_QUOTES);
strip_tags($text);
```
5) Filter the functions that operate on files, such as include(), unlink() and fopen(): as long as the values these operations work on are fixed by you, or the relevant characters are strictly filtered, I think this will be impeccable.
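The principles above applied to one constructed request, as an added example that is not code from the original article. Principle 2 is a php.ini setting and has nothing to show in code; the function names, the allowlist and the sample input are this example's own assumptions.

```php
<?php
// Added example, not from the original article: principles 1, 3, 4 and 5
// applied to constructed input. All names here are the example's own.

// Principle 1: a numeric value is cast, which leaves nothing to escape.
function clean_id(string $raw): int
{
    return intval($raw);   // "42abc" yields 42, "abc" yields 0
}

// Principle 3: a user-supplied value that reaches a shell is wrapped in
// escapeshellarg() so it is passed as exactly one argument; escapeshellcmd()
// is the variant for an entire command line.
function build_wc_command(string $filename): string
{
    return 'wc -c ' . escapeshellarg($filename);
}

// Principle 4: neutralise markup before it is rendered, or drop it entirely.
function for_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function text_only(string $raw): string
{
    return strip_tags($raw);
}

// Principle 5: include()/fopen()/unlink() operate on a fixed set of permitted
// names; anything not on the list falls back to a default instead of being
// "filtered" into something usable.
function resolve_page(string $requested): string
{
    $allowed = ['home', 'about', 'contact'];   // constructed allowlist
    return in_array($requested, $allowed, true) ? $requested : 'home';
}

// Constructed sample input standing in for $_GET.
$input = [
    'id'   => '42abc',
    'text' => "Tom & Jerry's <b>big</b> day",
    'file' => 'my report.txt',
    'page' => 'settings',
];

echo clean_id($input['id']), "\n";
echo build_wc_command($input['file']), "\n";
echo for_html($input['text']), "\n";
echo text_only($input['text']), "\n";
echo resolve_page($input['page']), "\n";
// include 'pages/' . resolve_page($input['page']) . '.php'; -- only ever an allowlisted name
```

The allowlist in `resolve_page()` is the stricter of the two options principle 5 offers: the user chooses among names you fixed in advance, so there are no "relevant characters" left to filter. Note also that magic_quotes (principle 2) was removed in PHP 5.4, so on any current PHP the escaping in principle 1 has to be done explicitly in code.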

2. Simple PHP data filtering

1) Storing into the database: trim($str), addslashes($str)
2) Reading out of the database: stripslashes($str)
3) Displaying: htmlspecialchars(nl2br($str))
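The three stages above run end to end on a constructed comment, as an added example that is not code from the original article. It also shows the one edge case in stage 3: htmlspecialchars(nl2br($str)) escapes the `<br />` tags that nl2br() has just inserted, so the browser displays the literal text "<br />" rather than a line break; applying nl2br() after htmlspecialchars() gives the intended result. The function names are this example's own.

```php
<?php
// Added example, not from the original article: the store / read / display
// pipeline on a constructed multi-line comment.

// Stage 1, storing into the database: drop surrounding whitespace and
// backslash-escape quotes so the value can sit inside SQL string quotes.
function for_storage(string $raw): string
{
    return addslashes(trim($raw));
}

// Stage 2, reading out of the database: undo the escaping.
function from_storage(string $stored): string
{
    return stripslashes($stored);
}

// Stage 3 as written in the article: nl2br() first, then htmlspecialchars().
// The <br /> tags are escaped along with the user's own angle brackets.
function for_display_article_order(string $str): string
{
    return htmlspecialchars(nl2br($str), ENT_QUOTES, 'UTF-8');
}

// Stage 3 with the calls swapped: user text is escaped first, then the
// newlines become real <br /> tags.
function for_display(string $str): string
{
    return nl2br(htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample: two lines, an apostrophe and an angle bracket.
$comment = "  It's 5 < 6\nsecond line  ";

$stored    = for_storage($comment);
$recovered = from_storage($stored);

echo $stored, "\n";
echo ($recovered === trim($comment)) ? "round trip ok\n" : "round trip broken\n";
echo for_display_article_order($recovered), "\n";
echo for_display($recovered), "\n";
```

Two caveats for stage 2: when the escaped value is inserted through a SQL statement, the database parser consumes the backslashes and stores the plain text, so stripslashes() on the way out is only needed when slashes genuinely reached storage (as they did with magic_quotes_runtime enabled, an option removed in PHP 5.4). And addslashes() is a character-level escape with no knowledge of the connection's character set; where the driver offers prepared statements, they are the more dependable way to get stage 1 right.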
