PHP: filtering special characters in submitted form data (anti-injection)

Source: Internet
Author: User

The following is a summary of common ways of handling special characters in submitted form data.

Test string:

The code is as follows:

$dbstr = 'D:\test
<a href="http://www.111cn.net">HTTP://WWW.111CN.NET</A>, Tian Yuan Blog
\'!= \'1\' OR \'1\'
</DIV>
<script language="javascript" type="text/javascript">alert("Fail");</script>


<?php echo "<br/>php OUTPUT";?>';

Test code (the form field dd is submitted with the test string above):

The code is as follows:

header("Content-Type: text/html; charset=utf-8");
echo "------------------------------------------------------<br/>\r\n";
echo $dbstr . "<br/>\r\n------------------------------------------------------<br/>\r\n";
$str = fnaddslashes($_POST['dd']);
echo $str . "<br/>\r\n------------------------------------------------------<br/>\r\n";

$str = preg_replace("/\s(?=\s)/", "", $str);          // multiple contiguous whitespace characters keep only one
$str = str_replace("\r", "<br/>", $str);
$str = str_replace("\n", "<br/>", $str);
$str = preg_replace("/(<br\/?>)+/i", "<br/>", $str);  // multiple consecutive <br/> tags keep only one

$str = stripslashes($str);
echo strip_tags($str) . "<br/>\r\n------------------------------------------------------<br/>\r\n";
echo htmlspecialchars($str) . "<br/>\r\n------------------------------------------------------<br/>\r\n";
echo htmlentities($str) . "<br/>\r\n------------------------------------------------------<br/>\r\n";
// mysql_escape_string() was removed in PHP 7.0; mysqli_real_escape_string($link, $str) is the
// connection-aware replacement (see section III)
echo mysql_escape_string($str) . "<br/>\r\n------------------------------------------------------<br/>\r\n";

The string contains: a backslash path, single and double quotes, HTML tags, a link, a closing tag with no matching opening tag, SQL syntax that relies on the database's error tolerance, a JavaScript fragment that shows whether script executes, a PHP fragment that shows whether PHP executes, and multiple consecutive line breaks and spaces. Some of these cases overlap (a link is also an HTML tag, the script block is also a tag, and so on).


II. Processing the submitted form data
1. Forcing the backslash escape

Because some hosts enable magic_quotes_gpc by default while others have it off, it is best for the program itself to add the backslashes, so that all data is processed uniformly. The characters involved are the single quote, the double quote, the backslash and the NUL byte. Note that magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, so on current PHP the escape is always applied by the function below.

The code is as follows:

function fnaddslashes($data)
{
    // Only add escaping when PHP has not already done it for POST/GET/COOKIE data.
    // The guard keeps the code running on PHP 8, where get_magic_quotes_gpc() no longer exists.
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic) {
        // recurse so that nested arrays (a[b][c]=...) are escaped as well
        return is_array($data) ? array_map('fnaddslashes', $data) : addslashes($data);
    } else {
        return $data;
    }
}

2. Handling special characters

Below are a few common string transformations; which ones to apply depends on the situation. Because the submitted data has already been escaped once, any replacement or filter that touches single quotes, double quotes or backslashes must take the added backslashes into account. Other replacements, such as the \r\n handling below, are not affected.

A. Multiple contiguous whitespace characters keep only one

The code is as follows:

// every whitespace character that is followed by another one is removed, so a run collapses to one.
// The replacement must be the empty string: "\1" in a double-quoted PHP string is the control character chr(1)
$data = preg_replace("/\s(?=\s)/", "", $data);

B. Carriage returns and line feeds replaced with <br/>

The code is as follows:
$data = str_replace("\r", "<br/>", $data);
$data = str_replace("\n", "<br/>", $data);

A Windows line ending \r\n therefore produces two <br/> tags in a row, which step C collapses. In HTML <br> is not closed; XHTML requires the self-closing form, so <br/> is recommended.

C. Multiple consecutive <br/> keep only one

The code is as follows:
$data = preg_replace("/(<br\/?>)+/i", "<br/>", $data); // a run of <br> or <br/> tags, in any letter case, becomes a single <br/>

D. Filtering out all HTML tags

The approach is to remove every potentially dangerous tag: HTML tags, links, unclosed tags, JavaScript and PHP.

Use the function strip_tags($data).

The function removes all HTML and PHP tags. For a link it keeps the link text and drops only the <a ...> and </a> tags (the href disappears with the tag). A PHP block <?php ... ?> is removed as a whole, including its content. A <script> element, however, loses only its tags: the JavaScript source between them stays in the output as plain text, so alert("Fail"); is still visible (see the figure on the original page). strip_tags() is a tag stripper, not a complete XSS defence; if the result is sent back to a browser, escape it with htmlspecialchars() as in step E as well.

E. Not filtering tags, just rendering them as text

The approach is to treat everything the user submitted as ordinary text.

Use the function htmlspecialchars($data): it converts &, <, > and " (and ' as well when ENT_QUOTES is passed) into entities, so the browser displays the whole submission as plain text, as shown in the figure on the original page.

htmlentities($data) does the same for every character that has a named entity. On PHP before 5.4 its default charset was ISO-8859-1, so Chinese text came out garbled; pass 'UTF-8' explicitly, as in htmlentities($data, ENT_QUOTES, 'UTF-8'). Note that both functions also escape the <br/> inserted in step B, so that the tags appear literally; escape first and insert <br/> afterwards.
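The steps A to E above combined into one function, as an added example that is not code from the original page: it applies them in an order that is safe for output to a browser, escaping first and inserting <br/> last, so the line-break tags reach the page unescaped. The function name fnFormatText and the $mode parameter are this example's own; the input is assumed to arrive with the backslashes added by fnaddslashes() in step II.1, and the sample string is a constructed copy of the page's test string.

```php
<?php
// Added example, not code from the original page: steps A to E in a browser-safe order.
// Assumes the input still carries the backslashes added by fnaddslashes() (step II.1).

function fnFormatText($data, $mode = 'escape')
{
    $data = stripslashes($data);                         // undo fnaddslashes()/magic quotes

    // A: collapse runs of spaces and tabs to one space (line breaks are handled separately)
    $data = preg_replace('/[ \t]+/', ' ', $data);

    // B + C: normalise \r\n, \r and \n and collapse consecutive line breaks to a single one
    $data = preg_replace('/(\r\n|\r|\n)+/', "\n", $data);

    // D: optionally drop tags; the text inside <script> survives as plain text,
    //    so the escaping below still matters
    if ($mode === 'strip') {
        $data = strip_tags($data);
    }

    // E: escape &, <, >, " and ' with an explicit charset; without 'UTF-8', PHP before 5.4
    //    assumed ISO-8859-1 and garbled Chinese text
    $data = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Only now convert line breaks to <br/>, so the tags are not escaped themselves
    return str_replace("\n", "<br/>", $data);
}

// Constructed input: the page's test string as the form would deliver it after fnaddslashes()
$dbstr = "D:\\test\r\n"
       . "<a href=\"http://www.111cn.net\">HTTP://WWW.111CN.NET</A>, Tian Yuan Blog\r\n"
       . "'!= '1' OR '1'\r\n"
       . "</DIV>\r\n"
       . "<script language=\"javascript\" type=\"text/javascript\">alert(\"Fail\");</script>\r\n"
       . "\r\n\r\n"
       . "<?php echo \"<br/>php OUTPUT\";?>";
$submitted = addslashes($dbstr);                 // stands in for fnaddslashes($_POST['dd'])

header('Content-Type: text/html; charset=utf-8');
echo fnFormatText($submitted, 'strip'), "<hr/>";  // tags removed, remainder escaped, one line per <br/>
echo fnFormatText($submitted, 'escape');          // the whole submission shown as literal text
```

In 'escape' mode the single quotes, the <a>, </DIV>, <script> and <?php fragments all come out as entities and are displayed rather than interpreted; in 'strip' mode the tags are gone but alert("Fail"); is still displayed as text, which is why the escaping step is kept in both modes.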

III. Writing to the database

For trusted (administrator-level) users, addslashes()-escaped data can be written straight to the database. But addslashes() works byte by byte and knows nothing about the connection character set: under a multibyte charset such as GBK the sequence 0xbf27 is escaped to 0xbf5c27, and since 0xbf5c is itself a valid two-byte character, the single quote 0x27 survives unescaped. It is therefore better to escape with mysql_real_escape_string(), which honours the connection charset set through mysql_set_charset() (a charset set with a SET NAMES query is not seen by the escaping function); mysql_escape_string() does not consult the connection at all. On PHP 7 and later both mysql_* functions are gone, and mysqli_real_escape_string() with mysqli_set_charset() take their place; better still, prepared statements make the escaping unnecessary. Whichever function is used, the backslashes added earlier (by magic quotes or by fnaddslashes()) must be stripped first, otherwise the data is escaped twice.

The code is as follows:

function fnescapestr($link, $data)
{
    // The data has carried backslashes since fnaddslashes() (or magic quotes) in step II.1;
    // strip them here, or every quote ends up escaped twice.
    $data = stripslashes($data);
    // mysqli_real_escape_string() honours the charset set with mysqli_set_charset($link, ...);
    // mysql_escape_string() did not, and was removed in PHP 7.0.
    return "'" . mysqli_real_escape_string($link, $data) . "'";
}

$data = fnescapestr($link, $data);   // $link is the open mysqli connection

PHP universal anti-injection security code

The code is as follows:

<?php
/**************************
Description:
Checks whether the passed-in variables ($_POST, $_GET) contain illegal characters
Function:
Anti-injection
**************************/
// Illegal strings to filter
$ArrFiltrate = array("'", ";", "union");
// URL to jump to after an error; if left empty, goes back to the previous page
$StrGoUrl = "";
// Does any value of the array occur in the string?
function FunStringExist($StrFiltrate, $ArrFiltrate) {
    // array parameters (a[]=...) must be checked too, otherwise they bypass the filter
    if (is_array($StrFiltrate)) {
        foreach ($StrFiltrate as $item) {
            if (FunStringExist($item, $ArrFiltrate)) {
                return true;
            }
        }
        return false;
    }
    foreach ($ArrFiltrate as $key => $value) {
        // eregi() was removed in PHP 7.0; a case-insensitive substring test does the same job here
        if (stripos($StrFiltrate, $value) !== false) {
            return true;
        }
    }
    return false;
}
// Merge $_POST and $_GET ($HTTP_POST_VARS and $HTTP_GET_VARS were removed in PHP 5.4)
$ArrPostAndGet = array_merge($_POST, $_GET);
// Start checking
foreach ($ArrPostAndGet as $key => $value) {
    if (FunStringExist($value, $ArrFiltrate)) {
        echo "<script type=\"text/javascript\">alert(\"NEEAO hint: illegal character\");";
        if (empty($StrGoUrl)) {
            echo "history.go(-1);";
        } else {
            echo "window.location=\"" . $StrGoUrl . "\";";
        }
        echo "</script>";
        exit;
    }
}
?>

Save this as checkpostandget.php, then add include("checkpostandget.php"); at the top of each PHP file.

Note that this is a blacklist, and a narrow one: it rejects any request that contains ', ; or union anywhere, so legitimate text such as a name with an apostrophe is refused, while an injection into a numeric field (for example 1 OR 1=1) contains none of those strings and passes. Treat it as a stopgap for legacy code, not as a replacement for the escaping in section III or for prepared statements.
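An added example, not code from the original page, that serves both section III and the checkpostandget.php blacklist above: with prepared statements the parameter never becomes part of the SQL text, so neither addslashes()/mysql_real_escape_string() nor a character blacklist is needed. It uses an in-memory SQLite database so that it runs offline (this assumes the pdo_sqlite extension is installed); against MySQL the same PDO calls apply, with PDO::ATTR_EMULATE_PREPARES set to false. The table, the helper names openDb, storePost, loadPost and blacklistRejects, and the attacker input are this example's own constructions.

```php
<?php
// Added example, not code from the original page: prepared statements instead of
// escape-and-concatenate. Assumes the pdo_sqlite extension; the table is constructed here.

function openDb()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)");
    return $pdo;
}

// Store the raw text through a bound parameter: no addslashes(), no escaping, no hand-written quotes
function storePost(PDO $pdo, $body)
{
    $stmt = $pdo->prepare("INSERT INTO posts (body) VALUES (:body)");
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadPost(PDO $pdo, $id)
{
    $stmt = $pdo->prepare("SELECT body FROM posts WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchColumn();
}

// The blacklist from checkpostandget.php, for comparison
function blacklistRejects($value)
{
    foreach (array("'", ";", "union") as $bad) {
        if (stripos($value, $bad) !== false) {
            return true;
        }
    }
    return false;
}

$pdo = openDb();

// 1. The page's test string (constructed copy) round-trips unchanged, quotes and backslashes included.
$dbstr = "D:\\test\r\n<a href=\"http://www.111cn.net\">HTTP://WWW.111CN.NET</A>\r\n"
       . "'!= '1' OR '1'\r\n</DIV>\r\n<script>alert(\"Fail\");</script>\r\n"
       . "<?php echo \"<br/>php OUTPUT\";?>";
$id = storePost($pdo, $dbstr);
storePost($pdo, "second row");
var_dump(loadPost($pdo, $id) === $dbstr);

// 2. Constructed attacker input: no quote, no semicolon, no "union", so the blacklist lets it through...
$input = "1 OR 1=1";
var_dump(blacklistRejects($input));

// ...concatenated into a numeric WHERE clause it is parsed as SQL and every row matches...
$rows = $pdo->query("SELECT id FROM posts WHERE id = " . $input)->fetchAll(PDO::FETCH_COLUMN);
var_dump(count($rows));

// ...while as a bound parameter it is compared as a value, and no row matches.
$stmt = $pdo->prepare("SELECT id FROM posts WHERE id = :id");
$stmt->execute([':id' => $input]);
var_dump(count($stmt->fetchAll(PDO::FETCH_COLUMN)));
```

Run it with the php command line: the four var_dump() calls show true, false, 2 and 0 in that order. The last two lines are the whole argument for prepared statements: the same string is either SQL or data depending only on how it reaches the database, and binding it makes that choice once, for every character set and every input.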
