PHP parameter filtering and data filtering explained in detail
The following piece of code introduces a PHP parameter-filtering class:
<?php
class mysafe
{
    public $logname;   // path of the log file; defaults to DOCUMENT_ROOT/log.htm
    public $isshwomsg; // whether showmsg() prints the message to the browser

    function __construct()
    {
        // route PHP errors to myerror(); the rest of the constructor body is elided in the original
        set_error_handler([$this, 'myerror'], E_ALL);
    }

    function myerror($errno, $errstr, $errfile, $errline)
    {
        echo "Error Number:[$errno], error on line $errline in $errfile\n";
        exit;
    }

    // append one record to the log file
    function wlog($logs)
    {
        if (empty($this->logname)) {
            $this->logname = $_SERVER["DOCUMENT_ROOT"] . "/log.htm";
        }
        $Ts = fopen($this->logname, "a+");
        fputs($Ts, $logs . "\r\n");
        fclose($Ts);
    }

    // print the message if output is enabled; optionally stop the script
    function showmsg($msg = '', $flag = false)
    {
        $this->isshwomsg = empty($this->isshwomsg) ? false : true;
        if ($this->isshwomsg) {
            echo '--------------------------------------';
            echo $msg;
            echo '--------------------------------------';
            if ($flag) exit;
        }
    }

    // blacklist patterns for GET parameters (SQL keywords, comments, script tags)
    function get_filter()
    {
        $getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bexec\\b|union.+?select|update.+?set|insert\\s+into.+?values|(select|delete).+?from|(create|alter|drop|truncate)\\s+(table|database)";
        foreach ($_GET as $key => $value) {
            $this->stopattack($key, $value, $getfilter);
        }
    }

    // same idea for POST parameters; the and/or rule is limited to a short window
    function post_filter()
    {
        $postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bexec\\b|union.+?select|update.+?set|insert\\s+into.+?values|(select|delete).+?from|(create|alter|drop|truncate)\\s+(table|database)";
        foreach ($_POST as $key => $value) {
            $this->stopattack($key, $value, $postfilter);
        }
    }

    // and for cookies
    function cookie_filter()
    {
        $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bexec\\b|union.+?select|update.+?set|insert\\s+into.+?values|(select|delete).+?from|(create|alter|drop|truncate)\\s+(table|database)";
        foreach ($_COOKIE as $key => $value) {
            $this->stopattack($key, $value, $cookiefilter);
        }
    }

    // filter one parameter: log and stop on a pattern match
    function stopattack($StrFiltKey, $StrFiltValue, $ArrFiltReq)
    {
        if (is_array($StrFiltValue)) {
            $StrFiltValue = implode('', $StrFiltValue);
        }
        if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1) {
            $msg = "Operation IP: " . $_SERVER["REMOTE_ADDR"] . "\n"
                 . "Operating time: " . date("Y-m-d H:i:s") . "\n"
                 . "Action page: " . $_SERVER["PHP_SELF"] . "\n"
                 . "Submission method: " . $_SERVER["REQUEST_METHOD"] . "\n"
                 . "Submit parameter: " . $StrFiltKey . "\n"
                 . "Submit data: " . $StrFiltValue;
            $this->wlog($msg);
            $this->showmsg($msg);
            exit();
        }
    }

    // strip SQL keywords and quote characters from a value by simple replacement
    function filter_value_for_sql($str)
    {
        $str = str_replace("and", "", $str);
        $str = str_replace("execute", "", $str);
        $str = str_replace("update", "", $str);
        $str = str_replace("count", "", $str);
        $str = str_replace("chr", "", $str);
        $str = str_replace("mid", "", $str);
        $str = str_replace("master", "", $str);
        $str = str_replace("truncate", "", $str);
        $str = str_replace("char", "", $str);
        $str = str_replace("declare", "", $str);
        $str = str_replace("select", "", $str);
        $str = str_replace("create", "", $str);
        $str = str_replace("delete", "", $str);
        $str = str_replace("insert", "", $str);
        $str = str_replace("'", "", $str);
        $str = str_replace('"', "", $str);
        $str = str_replace("or", "", $str);
        $str = str_replace("=", "", $str);
        // two further str_replace() calls in the original had their search string lost in extraction
        return $str;
    }
} // class end
Next, PHP data filtering.
1. Basic principles of filtering submitted data in PHP
1) When writing variables into the database, they must be filtered with addslashes(); for injection problems like the one above, a single addslashes() call takes care of it. For values that are numeric, intval() is also a good choice for filtering a string.
2) Enable magic_quotes_gpc and magic_quotes_runtime in php.ini. magic_quotes_gpc escapes the quotes in GET, POST and cookie data with backslashes; magic_quotes_runtime formats data going into and coming out of the database. Back when injection attacks were rampant, this setting was very popular.
3) When calling system functions, the arguments must be filtered with escapeshellarg() and escapeshellcmd(); only then can system functions be used with confidence.
4) Against cross-site scripting, strip_tags() and htmlspecialchars() are two good functions: HTML and PHP markup in user input is converted or removed. For example, the angle bracket "<" is converted into the harmless "&lt;".
$new = htmlspecialchars("Test", ENT_QUOTES); // ENT_QUOTES converts both double and single quotes
strip_tags($text); // an optional second argument lists the tags that are allowed to remain
5) For functions such as include(), unlink() and fopen() mentioned earlier, as long as the variables the operation is performed on are strictly specified, or the relevant characters are filtered carefully, I think this is also invulnerable.
2. Simple PHP data filtering
1) Storing: trim($str), addslashes($str)
2) Retrieving: stripslashes($str)
3) Displaying: htmlspecialchars(nl2br($str))
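As an added example, not code from the original article, the rules of sections 1 and 2 written as small helpers; the display step is written as nl2br(htmlspecialchars()) rather than in the order listed above, so the <br /> that nl2br() inserts is rendered instead of being escaped. The function names and the sample input are my own.

```php
<?php
// Added example, not part of the original article. Requires PHP 7.0 or later.

// Rule 1: a numeric parameter is coerced with intval(), so anything after
// the leading integer (e.g. "7 or 1=1") is discarded.
function filter_id(string $raw): int
{
    return intval($raw);
}

// Rule 3: a value destined for a system function is quoted as one shell
// argument with escapeshellarg(), so spaces and quotes cannot split it.
function shell_arg(string $raw): string
{
    return escapeshellarg($raw);
}

// Section 2, step 1 (storing): trim, then addslashes.
// addslashes() is the article's approach; with PDO/mysqli prepared
// statements this step is unnecessary because the driver does the quoting.
function for_storage(string $raw): string
{
    return addslashes(trim($raw));
}

// Section 2, step 2 (retrieving): undo addslashes().
function from_storage(string $stored): string
{
    return stripslashes($stored);
}

// Section 2, step 3 (displaying), escape first and convert newlines second.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// attributes delimited with either quote character.
function for_display(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES));
}

// Constructed sample input: a quote, markup and a newline, with padding.
$raw = "  O'Neil <b>bold</b>\n<script>x</script>  ";
$stored = for_storage($raw);
echo $stored, "\n";
echo for_display(from_storage($stored)), "\n";
echo filter_id("7 or 1=1"), "\n";
echo shell_arg("my report's.txt"), "\n";
```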