PHP Filter Form Submit special characters (anti-injection)

The following is a summary of common form special character processing:

Test string:

The code is as follows	Copy Code
$dbstr = ' D:test <a href= "Http://www.111cn.net" >HTTP://WWW.111CN.NET</A>, Tian Yuan Blog '!= ' 1 ' OR ' 1 ' </DIV> <script language= "javascript" type= "Text/javascript" >alert ("Fail");</script> <?php echo "<br/>php OUTPUT";?> ';

Test code:

The code is as follows

Copy Code

Header ("content-type:text/html; Charset=utf-8 "); echo "------------------------------------------------------<br/>rn"; echo $dbstr. " <br/>rn------------------------------------------------------<br/>rn "; $str =fnaddslashes ($_post[' DD ']); echo $str. " <br/>rn------------------------------------------------------<br/>rn "; $str = Preg_replace ("/s (? =s)/", "\1", $str);//multiple contiguous spaces retain only one $str = Str_replace ("R", "<br/>", $str); $str = Str_replace ("n", "<br/>", $str); $str = Preg_replace ("/(<br/?>)/I", "<br/>", $str);//multiple consecutive <br/> tags keep only one $str =stripslashes ($STR); echo strip_tags ($STR). " <br/>rn------------------------------------------------------<br/>rn "; echo Htmlspecialchars ($STR). " <br/>rn------------------------------------------------------<br/>rn "; echo htmlentities ($STR). " <br/>rn------------------------------------------------------<br/>rn "; echo mysql_escape_string ($STR). " <br/>rn------------------------------------------------------<br/>rn ";

String contains: Backslash path, single double quotes, HTML tags, links, blocked HTML tags, database syntax fault tolerance, JS execution judgment, PHP execution judgment, multiple consecutive carriage return line breaks and spaces. Some of these concepts contain relationships

Second, the form submits the data processing
1, forced to join the backslash

Because some hosts default to turn on magic reference GET_MAGIC_QUOTES_GPC, some may be closed, so it is best to force a backslash in the program, which can be unified processing, the characters involved in single quotes, double quotes and backslashes.

The code is as follows	Copy Code
function Fnaddslashes ($data) { if (!GET_MAGIC_QUOTES_GPC ())///Only increase escape for post/get/cookie data. Return Is_array ($data) array_map (' addslashes ', $data): Addslashes ($data); Else return $data; }

2, the special character processing

Here are a few common string processing, depending on the circumstances. Since the submission of the form data has been escaped once, it is necessary to consider the addition of the backslash if you need to consider the effect of addslashes on the related characters when replacing or filtering the content. Other character substitutions do not affect, such as RN replacements.

A, multiple contiguous spaces retain only one

The code is as follows	Copy Code
$data = Preg_replace ("/s (? =s)/", "\1", $data);//multiple contiguous spaces retain only one

B, carriage return line replacement into <br/>

The code is as follows	Copy Code
$data = Str_replace ("R", "<br/>", $data); $data = Str_replace ("n", "<br/>", $data);

Default <br> no blocking in HTML, in XHTML <br/> blocked, recommend using <br/>, more difference:

C, multiple consecutive <br/> keep only one

The code is as follows	Copy Code
$data = Preg_replace ("/(<br/?>)/I", "<br/>", $data);//multiple consecutive <br/> tags keep only one

D, all filter HTML tags

The approach is to filter all potentially dangerous tags, including HTML, links, blocked HTML tags, JS, PHP.

Use function Strip_tags ($data)

The function will filter all HTML tags (including links) and PHP tags, js code, and so on, where the link will retain the original link is only to remove <a> tags and href part of the content, PHP tags and JS tags will be the overall removal, including the middle of the content, the following figure:

E, do not filter tags, just put them html

The method is to treat all the original submissions according to the normal text.

Using the function Htmlspecialchars ($data), the function is executed to display all the submitted data in plain text, as shown in the following figure:

Use the Htmlentities function to perform results (Chinese display garbled):

Iii. writing to the database

Since Addslashes ($data) can be written directly to the database for advanced trusted users, but addslashes cannot intercept single quotes that use 0xbf27 instead, it is best to use the Mysql_real_escape_ String or mysql_escape_string is escaped, but the backslash must be removed before escaping (assuming that addslashes is turned on by default).

The code is as follows	Copy Code
function Fnescapestr ($data) { if (GET_MAGIC_QUOTES_GPC ()) { $data = Stripslashes ($value); } $data = "'". Mysql_escape_string ($value). "'"; return $data; } $data =fnescapestr ($data);

PHP Universal Anti-injection security code

The code is as follows

Copy Code

Description Determines whether the passed variable contains illegal characters such as $_post, $_get Function: Anti-injection **************************/ Illegal characters to filter $ArrFiltrate =array ("'", ";", "union"); The URL to jump after an error is not filled in the default previous page $STRGOURL = ""; Whether the value in the array exists function Funstringexist ($StrFiltrate, $ArrFiltrate) { foreach ($ArrFiltrate as $key => $value) { if (eregi ($value, $StrFiltrate)) { return true; } } return false; } Merging $_post and $_get if (function_exists (Array_merge)) { $ArrPostAndGet =array_merge ($HTTP _post_vars, $HTTP _get_vars); }else{ foreach ($HTTP _post_vars as $key => $value) { $ArrPostAndGet []= $value; } foreach ($HTTP _get_vars as $key => $value) { $ArrPostAndGet []= $value; } } Verify Start foreach ($ArrPostAndGet as $key => $value) { if (Funstringexist ($value, $ArrFiltrate)) { echo "Alert (/" NEEAO hint, illegal character/"); if (empty ($STRGOURL)) { echo "History.go (-1);"; }else{ echo "window.location=/" ". $StrGoUrl." /”;”; } Exit } } ?>

/*************************
Save As Checkpostandget.php
Then add include ("checkpostandget.php") in front of each PHP file;