PHP: filtering HTML strings to prevent SQL injection (example code) - PHP tutorial

Source: Internet
Author: User

A PHP example that filters HTML strings and guards against SQL injection: the functions below strip illegal content and malicious HTML code from a string before it is written to the database.

Code:

// Batch-strip the slashes that magic_quotes_gpc adds to POST and GET data.
// Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself in
// PHP 8, so the call is guarded with function_exists().
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET  = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
}

function stripslashes_array(&$array) {
    // foreach replaces the deprecated each() loop of the original
    foreach ($array as $key => $var) {
        // skip argc/argv and all-upper-case (environment-style) keys, except numeric ones
        if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || '' . intval($key) == "$key")) {
            if (is_string($var)) {
                $array[$key] = stripslashes($var);
            }
            if (is_array($var)) {
                $array[$key] = stripslashes_array($var);
            }
        }
    }
    return $array;
}
// Filter
// HTML-encode the string and hide SQL keywords before it is stored.
// The page rendered the HTML entities in this function as plain characters; the
// entity spellings below are reconstructed so that htmldecode() reverses them exactly.
function htmlencode($str) {
    if (empty($str)) return;
    if ($str == "") return $str;
    $str = trim($str);
    $str = str_replace("&", "&amp;", $str);        // first, so the entities added below are not re-encoded
    $str = str_replace(">", "&gt;", $str);
    $str = str_replace("<", "&lt;", $str);
    $str = str_replace(chr(32), "&nbsp;", $str);
    $str = str_replace(chr(9), "&nbsp;&nbsp;&nbsp;&nbsp;", $str);
    $str = str_replace(chr(34), "&quot;", $str);
    $str = str_replace(chr(39), "&#39;", $str);
    $str = str_replace(chr(13), "<br />", $str);
    $str = str_replace("'", "''", $str);            // no-op after the chr(39) step above; kept from the original
    // each SQL keyword has one letter replaced by its numeric character reference
    $str = str_replace("select", "sel&#101;ct", $str);
    $str = str_replace("script", "scr&#105;pt", $str);
    $str = str_replace("join",   "jo&#105;n",   $str);
    $str = str_replace("union",  "un&#105;on",  $str);
    $str = str_replace("where",  "wh&#101;re",  $str);
    $str = str_replace("insert", "ins&#101;rt", $str);
    $str = str_replace("delete", "del&#101;te", $str);
    $str = str_replace("update", "up&#100;ate", $str);
    $str = str_replace("like",   "lik&#101;",   $str);
    $str = str_replace("drop",   "dro&#112;",   $str);
    $str = str_replace("create", "cr&#101;ate", $str);
    $str = str_replace("modify", "mod&#105;fy", $str);
    $str = str_replace("rename", "ren&#097;me", $str);
    $str = str_replace("alter",  "alt&#101;r",  $str);
    $str = str_replace("cast",   "ca&#115;t",   $str);
    return $str;
}

// Decoding
// Reverse htmlencode(): restore the SQL keywords, then the HTML entities.
function htmldecode($str) {
    if (empty($str)) return;
    if ($str == "") return $str;
    $str = str_replace("sel&#101;ct", "select", $str);
    $str = str_replace("jo&#105;n",   "join",   $str);
    $str = str_replace("un&#105;on",  "union",  $str);
    $str = str_replace("wh&#101;re",  "where",  $str);
    $str = str_replace("ins&#101;rt", "insert", $str);
    $str = str_replace("del&#101;te", "delete", $str);
    $str = str_replace("up&#100;ate", "update", $str);
    $str = str_replace("lik&#101;",   "like",   $str);
    $str = str_replace("dro&#112;",   "drop",   $str);
    $str = str_replace("cr&#101;ate", "create", $str);
    $str = str_replace("mod&#105;fy", "modify", $str);
    $str = str_replace("ren&#097;me", "rename", $str);
    $str = str_replace("alt&#101;r",  "alter",  $str);
    $str = str_replace("ca&#115;t",   "cast",   $str);
    $str = str_replace("&amp;", "&", $str);
    $str = str_replace("&gt;", ">", $str);
    $str = str_replace("&lt;", "<", $str);
    $str = str_replace("&nbsp;&nbsp;&nbsp;&nbsp;", chr(9), $str);  // tab before single space, or it never matches
    $str = str_replace("&nbsp;", chr(32), $str);
    $str = str_replace("&quot;", chr(34), $str);
    $str = str_replace("&#39;", chr(39), $str);
    $str = str_replace("<br />", chr(13), $str);
    $str = str_replace("''", "'", $str);
    return $str;
}

//======================================================================
// Function:   lib_lawless_string_filter($string, $match_type = 1)
// Purpose:    filter illegal content
// Parameters:
//   $string      the string to check
//   $match_type  match type: 1 = exact match, 2 = fuzzy match (default 1)
// Returns:    true if illegal content is found, false if not
// Other:      the illegal keyword lists are kept in text files, split into a
//             common keyword list and a serious (signify) keyword list
// Author:     heiyeluren
// Date:       2006-1-18
//======================================================================
function lib_lawless_string_filter($string, $match_type = 1)
{
    // an empty string has nothing to check: return false
    $string = trim($string);
    if (empty($string))
    {
        return false;
    }
    // the important and common keyword lists (one keyword per line)
    $common_file  = "common_list.txt";   // common filter keyword list
    $signify_file = "signify_list.txt";  // important filter keyword list
    // if either list file is missing return false, otherwise read both into arrays
    if (!file_exists($common_file) || !file_exists($signify_file))
    {
        return false;
    }
    $common_list  = file($common_file);
    $signify_list = file($signify_file);

    $is_lawless = false;   // initialised so an unknown $match_type is handled below

    // exact match
    if ($match_type == 1)
    {
        $is_lawless = exact_match($string, $common_list);
    }

    // fuzzy match
    if ($match_type == 2)
    {
        $is_lawless = blur_match($string, $common_list, $signify_list);
    }

    // any entries in the result array prove the string is illegal
    if (is_array($is_lawless) && !empty($is_lawless))
    {
        return true;
    }
    else
    {
        return false;
    }
}

//---------------------
// exact match for the filter service
//---------------------
function exact_match($string, $common_list)
{
    $string = trim($string);
    $string = lib_replace_end_tag($string);
    $blist  = array();

    // search the common filter keyword list
    foreach ($common_list as $block)
    {
        $block = trim($block);
        // preg_quote() keeps regex metacharacters in user input from altering the pattern
        if (preg_match("/^" . preg_quote($string, '/') . "$/i", $block))
        {
            $blist[] = $block;
        }
    }
    // any filtered content collected?
    if (!empty($blist))
    {
        return array_unique($blist);
    }

    return false;
}

//----------------------
// fuzzy match for the filter service
//----------------------
function blur_match($string, $common_list, $signify_list)
{
    $string = trim($string);
    $s_len  = strlen($string);
    $string = lib_replace_end_tag($string);
    $blist  = array();

    // search the common filter keyword list (whole-string match)
    foreach ($common_list as $block)
    {
        $block = trim($block);
        if (preg_match("/^" . preg_quote($string, '/') . "$/i", $block))
        {
            $blist[] = $block;
        }
    }
    // search the critical filter keyword list (substring match)
    foreach ($signify_list as $block)
    {
        $block = trim($block);
        // the original used an invalid "I" modifier; "i" is the case-insensitive flag
        if ($s_len >= strlen($block) && preg_match("/" . preg_quote($block, '/') . "/i", $string))
        {
            $blist[] = $block;
        }
    }
    // any filtered content collected?
    if (!empty($blist))
    {
        return array_unique($blist);
    }

    return false;
}

//--------------------------
// replace HTML end tags for the filter service
//--------------------------
function lib_replace_end_tag($str)
{
    if (empty($str)) return false;
    $str = htmlspecialchars($str);
    $str = str_replace('/', "", $str);
    $str = str_replace("\\", "", $str);
    $str = str_replace(">", "", $str);
    $str = str_replace("<", "", $str);
    // two further str_replace() calls on quote characters followed here in the
    // original; their search strings did not survive extraction and are omitted
    $str = str_replace("sel&#101;ct", "select", $str);
    $str = str_replace("jo&#105;n",   "join",   $str);
    $str = str_replace("un&#105;on",  "union",  $str);
    $str = str_replace("wh&#101;re",  "where",  $str);
    $str = str_replace("ins&#101;rt", "insert", $str);
    $str = str_replace("del&#101;te", "delete", $str);
    $str = str_replace("up&#100;ate", "update", $str);
    $str = str_replace("lik&#101;",   "like",   $str);
    $str = str_replace("dro&#112;",   "drop",   $str);
    $str = str_replace("cr&#101;ate", "create", $str);
    $str = str_replace("mod&#105;fy", "modify", $str);
    $str = str_replace("ren&#097;me", "rename", $str);
    $str = str_replace("alt&#101;r",  "alter",  $str);
    $str = str_replace("ca&#115;t",   "cast",   $str);
    $str = str_replace("&amp;", "&", $str);
    $str = str_replace("&gt;", ">", $str);
    $str = str_replace("&lt;", "<", $str);
    $str = str_replace("&nbsp;&nbsp;&nbsp;&nbsp;", chr(9), $str);
    $str = str_replace("&nbsp;", chr(32), $str);
    $str = str_replace("&quot;", chr(34), $str);
    $str = str_replace("&#39;", chr(39), $str);
    $str = str_replace("<br />", chr(13), $str);
    $str = str_replace("''", "'", $str);
    // two str_replace() calls involving "CSS" followed here in the original;
    // their arguments did not survive extraction and are omitted

    return $str;

    // HTML tags that could be filtered as an extension
    /*
    $tags = array("/html", "/head", "/body", "/div", "/span", "/doctype", "/title", "/link", "/meta", "/style", "/p", "/h1", "/h2", "/h3", "/h4", "/h5", "/h6", "/strong", "/em", "/abbr", "/acronym", "/address", "/bdo", "/blockquote", "/cite", "/q", "/code", "/ins", "/del", "/dfn", "/kbd", "/pre", "/samp", "/var", "/br", "/a", "/img", "/area", "/map", "/object", "/param", "/ul", "/ol", "/li", "/dl", "/dt", "/dd", "/table", "/tr", "/td", "/th", "/tbody", "/thead", "/tfoot", "/col", "/colgroup", "/caption", "/form", "/input", "/textarea", "/select", "/option", "/optgroup", "/button", "/label", "/fieldset", "/legend", "/script", "/noscript", "/b", "/i", "/tt", "/sub", "/sup", "/big", "/small", "/hr");
    */
}

Code:

The values are then referenced directly like this:
$xxx = htmlspecialchars($_POST['xxx']);
or
$xxx = htmlspecialchars($_GET['xxx']);
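The same goal, storing a user-supplied string and rendering it back as HTML, met without rewriting SQL keywords inside the data, as an added example that is not part of the original post: a PDO prepared statement keeps the value separate from the SQL text, and htmlspecialchars() is applied only at output time. It assumes PHP 7.4+ with the pdo_sqlite extension; the guestbook table and the sample comment are constructed for the demo.

```php
<?php
// Added example, not from the original post: store a user-supplied string
// with a prepared statement and escape it only when rendering as HTML.
// Assumes PHP 7.4+ with the pdo_sqlite extension; the guestbook table and
// the sample comment below are constructed for the demo.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $db;
}

// The placeholders carry the values separately from the SQL text, so quotes
// and words such as select/union inside $body are stored as plain data.
function store_comment(PDO $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO guestbook (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetch_comment(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT author, body FROM guestbook WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape at output time only. ENT_QUOTES makes the value safe inside attribute
// values as well as element text; ENT_SUBSTITUTE avoids an empty result on bad UTF-8.
function render_comment(array $row): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p data-author="' . $esc($row['author']) . '">'
         . nl2br($esc($row['body'])) . '</p>';
}

// Constructed sample input containing a quote, SQL keywords and an HTML tag.
$body = "I'd select the union option; <b>bold</b> claim.\nSecond line.";
$db   = open_demo_db();
$id   = store_comment($db, "O'Brien", $body);
$row  = fetch_comment($db, $id);

// The stored value is byte-for-byte what was submitted: no keyword rewriting,
// so no decode step is needed before the data can be used elsewhere.
if ($row === null || $row['body'] !== $body) {
    throw new RuntimeException('stored value was altered');
}
echo render_comment($row), PHP_EOL;
```

Keyword rewriting as in htmlencode() is a blacklist and has to be undone before the data is reused; the prepared statement makes the stored value safe without altering it, so the encode/decode pair is no longer needed.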
