This article shows how the Yii framework's approach can be used to prevent SQL injection, XSS attacks and CSRF attacks. It is shared for everyone's reference; the details are as follows.
The methods commonly used in PHP are:
/* Prevent SQL injection and XSS attacks (1) */
public function actionClean($str)
{
    $str = trim($str);
    $str = strip_tags($str);
    $str = stripslashes($str);
    $str = addslashes($str);
    $str = rawurldecode($str);
    $str = quotemeta($str);
    $str = htmlspecialchars($str);
    // Remove special characters
    $str = preg_replace("/\/|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\+|\{|\}|\:|\<|\>|\?|\[|\]|\,|\.|\;|\'|\"|\-|\=|\\\|\|/", '', $str);
    // Remove spaces, line breaks and tabs
    $str = preg_replace("/\s/", "", $str);
    return $str;
}

/* Prevent SQL injection and XSS attacks (1): apply the word filter to a string or to every element of an array */
public function actionFilterArr($arr)
{
    if (is_array($arr)) {
        foreach ($arr as $k => $v) {
            $arr[$k] = $this->actionFilterWords($v);
        }
    } else {
        $arr = $this->actionFilterWords($arr);
    }
    return $arr;
}

/* Prevent XSS attacks: strip dangerous tags, inline event handlers and SQL keywords */
public function actionFilterWords($str)
{
    $farr = array(
        // opening/closing script, iframe, style, html, body, title, link, meta, object tags
        "/<(\\/?)(script|i?frame|style|html|body|title|link|meta|object|\\?|\\%)([^>]*?)>/isu",
        // on* event handler attributes inside any tag
        "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isu",
        // SQL keywords and punctuation
        "/select|insert|update|delete|drop|\'|\/\*|\*|\+|\-|\"|\.\.\/|\.\/|union|into|load_file|outfile|dump/is",
    );
    $str = preg_replace($farr, '', $str);
    return $str;
}

/* Prevent SQL injection and XSS attacks (2) */
public function post_check($post)
{
    // get_magic_quotes_gpc() no longer exists in PHP 8; treat it as "off" when absent
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        foreach ($post as $key => $val) {
            $post[$key] = addslashes($val);
        }
    }
    foreach ($post as $key => $val) {
        $val = str_replace("_", "\_", $val);   // filter out "_"
        $val = str_replace("%", "\%", $val);   // filter out "%" -- SQL injection
        $val = nl2br($val);                    // convert line breaks to HTML
        $post[$key] = htmlspecialchars($val);  // encode HTML special characters -- XSS attack
    }
    return $post;
}
Call:

// Prevent SQL injection
$post = $this->post_check($_POST);
// var_dump($post); die;   // debugging only; remove before use
$u_name = trim($post['u_name'] ?? '');
$pwd = trim($post['pwd'] ?? '');
if (empty($u_name) || empty($pwd)) {
    exit('field cannot be empty');
}
$u_name = $this->actionFilterArr($u_name);
$pwd = $this->actionFilterArr($pwd);

// Prevent SQL injection and XSS attacks
$u_name = $this->actionClean(Yii::$app->request->post('u_name'));
$pwd = $this->actionClean(Yii::$app->request->post('pwd'));
$email = $this->actionClean(Yii::$app->request->post('email'));
// Prevent CSRF attacks
$session = Yii::$app->session;

// Receive data
if ($_POST) {
    // Reject the post if no token was issued, the submitted token (form field "token")
    // does not match, or the token is older than 30 seconds
    if (empty($session->get('token'))
        || $session->get('token') != Yii::$app->request->post('token')
        || (time() - $session->get('token_time')) > 30) {
        exit('CSRF attack');
    }
    // Prevent SQL injection
    // .....
}

// Issue a fresh token for the form (must be placed outside the receiving-data block,
// otherwise the stored token is replaced before it can be compared)
$csrf_token = md5(uniqid(rand(), true));
$session->set('token', $csrf_token);
$session->set('token_time', time());
Attention:
When a form is submitted with this hand-rolled token check, the controller needs to add the following, which turns off Yii's own CSRF validation (otherwise Yii rejects the post for lacking its own token):

// Close Yii's built-in CSRF validation
public $enableCsrfValidation = false;
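As an added example (not code from the article), here are the same three protections as Yii 2 provides them natively: the built-in CSRF token left enabled, a bound query parameter instead of character stripping, and encoding at output time. The `user` table, its `pwd_hash` column and the `login` view are assumptions.

```php
<?php
// Added example, not from the article: the same three protections done with Yii 2's
// own facilities rather than string filtering. Assumed (hypothetical): a `user` table
// with columns id, u_name, pwd_hash, and a 'login' view built with Html::beginForm().
namespace app\controllers;
use Yii;
use yii\helpers\Html;
use yii\web\Controller;

class LoginController extends Controller
{
    // Leave Yii's CSRF validation on (this is the default). Yii then rejects any POST
    // whose _csrf field does not match the token it issued, so no hand-rolled
    // md5(uniqid()) token and no 30-second timer are needed.
    public $enableCsrfValidation = true;

    public function actionLogin()
    {
        $request = Yii::$app->request;
        if (!$request->isPost) {
            // Html::beginForm() in the view emits the hidden _csrf input for POST forms.
            return $this->render('login');
        }
        // Had $enableCsrfValidation been set to false, as the article does, the token
        // would have to be checked by hand at this point:
        // if (!$request->validateCsrfToken()) { return 'CSRF attack'; }
        $uName = trim((string) $request->post('u_name', ''));
        $pwd   = (string) $request->post('pwd', '');
        if ($uName === '' || $pwd === '') {
            return 'field cannot be empty';
        }

        // SQL injection: the value is bound as a parameter, so it reaches the database
        // separately from the SQL text; quotes, comments or UNION inside it stay data.
        $row = Yii::$app->db
            ->createCommand('SELECT id, u_name, pwd_hash FROM {{%user}} WHERE u_name = :name')
            ->bindValue(':name', $uName)
            ->queryOne();

        // Compare against a stored password hash (made with generatePasswordHash()).
        if ($row === false || !Yii::$app->security->validatePassword($pwd, $row['pwd_hash'])) {
            return 'invalid credentials';
        }

        // XSS: encode at output time instead of stripping characters from the input,
        // so the stored name is intact yet cannot inject markup into the page.
        return 'Welcome, ' . Html::encode($row['u_name']);
    }
}
```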
For more Yii-related content, interested readers can view the following topics on this site: "Introduction to the Yii Framework and Summary of Common Skills", "Summary of Excellent PHP Development Frameworks", "Smarty Template Introductory Course", "Introduction to PHP Object-Oriented Programming", "Summary of PHP String Usage", "PHP+MySQL Database Operation Introductory Tutorial" and "Summary of Common PHP Database Operation Skills".
I hope this article helps you with PHP program design based on the Yii framework.