How PHP implements form-submission data validation and defends against SQL injection and XSS attacks

Source: Internet
Author: User
This article describes how to implement validation and processing of form-submitted data in PHP so as to defend against SQL injection and XSS attacks. It covers the related PHP string-handling and encoding-conversion techniques; readers who need them can refer to the material below.

This article describes the validation and processing functions used to handle form-submitted data in PHP. They are shared here for your reference, as follows:

Anti-XSS attack code:


<?php
/**
 * Security filter function: strips or entity-encodes characters that are
 * commonly used to break out of HTML or URL contexts.
 *
 * @param  string $string
 * @return string
 */
function safe_replace($string) {
    $string = str_replace('%20', '', $string);
    $string = str_replace('%27', '', $string);
    $string = str_replace('%2527', '', $string);
    $string = str_replace('*', '', $string);
    $string = str_replace('"', '&quot;', $string);   // double quote -> HTML entity
    $string = str_replace("'", '', $string);         // single quote removed
    $string = str_replace('"', '', $string);         // (no-op after the &quot; replacement above)
    $string = str_replace(';', '', $string);
    $string = str_replace('<', '&lt;', $string);     // less-than -> HTML entity
    $string = str_replace('>', '&gt;', $string);     // greater-than -> HTML entity
    $string = str_replace("{", '', $string);
    $string = str_replace('}', '', $string);
    $string = str_replace('\\', '', $string);        // backslash removed
    return $string;
}

Code example:


<?php
$user_name = strim($_REQUEST['user_name']);

function strim($str) {
    // trim() removes whitespace characters (or other predefined characters) from both ends of the string.
    // htmlspecialchars() converts predefined characters to HTML entities (anti-XSS). The predefined characters are:
    //   & (ampersand)     becomes &amp;
    //   " (double quote)  becomes &quot;
    //   ' (single quote)  becomes &#039; (only when ENT_QUOTES is set; it is the default since PHP 8.1)
    //   < (less than)     becomes &lt;
    //   > (greater than)  becomes &gt;
    return quotes(htmlspecialchars(trim($str)));
}

// Anti-SQL injection
function quotes($content) {
    // if $content is an array
    if (is_array($content)) {
        foreach ($content as $key => $value) {
            // $content[$key] = mysql_real_escape_string($value);
            /* addslashes() returns a string with a backslash added before each predefined character.
               The predefined characters are:
                 single quote (')
                 double quote (")
                 backslash (\)
                 NUL */
            $content[$key] = addslashes($value);
        }
    } else {
        // if $content is not an array
        // $content = mysql_real_escape_string($content);
        $content = addslashes($content);
    }
    return $content;
}
?>


<?php
// Filter SQL injection: reject any request key or value containing an SQL keyword
// followed by whitespace. Note that this is a keyword blacklist, so it also rejects
// legitimate input such as "select a size" and can be bypassed by other spellings.
function filter_injection(&$request) {
    $pattern = "/(select[\s])|(insert[\s])|(update[\s])|(delete[\s])|(from[\s])|(where[\s])/i";
    foreach ($request as $k => $v) {
        if (preg_match($pattern, $k, $match)) {
            die("SQL injection denied!");
        }
        if (is_array($v)) {
            // recurse into nested arrays such as foo[bar]=...
            filter_injection($request[$k]);
        } else {
            if (preg_match($pattern, $v, $match)) {
                die("SQL injection denied!");
            }
        }
    }
}
?>
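The strim()/quotes() pair above encodes for HTML and escapes for SQL in one step at input time, and filter_injection() relies on a keyword blacklist. The following added example (written for this article, not part of the original code) shows the validation counterpart: an allow-list check on the raw value, and HTML encoding applied only when the value is rendered, with the htmlspecialchars() flags made explicit. The function names and sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the original article. Validates a user name against an
// allow-list and encodes it for an HTML context at output time.

// Validate the raw form value first: restrict a user name to a known character set
// and length so anything else is rejected before it reaches storage or a page.
function validate_user_name(string $raw): ?string {
    $name = trim($raw);
    if ($name === '' || strlen($name) > 32) {
        return null;
    }
    // Allow-list of permitted characters, instead of the keyword blacklist in filter_injection().
    return preg_match('/^[A-Za-z0-9_.-]+$/', $name) === 1 ? $name : null;
}

// Encode for an HTML context when rendering. ENT_QUOTES also encodes the single quote,
// which the default flags of htmlspecialchars() leave untouched before PHP 8.1;
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning an empty string.
function html_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: one valid name, one with an apostrophe, one with markup.
$samples = [
    'alice_01',
    "O'Brien",
    '<b>bob</b>',
];

foreach ($samples as $raw) {
    $valid = validate_user_name($raw);
    printf("%-12s valid=%-3s escaped=%s\n",
        $raw, $valid === null ? 'no' : 'yes', html_escape($raw));
}
// Expected lines:
//   alice_01     valid=yes escaped=alice_01
//   O'Brien      valid=no  escaped=O&apos;Brien
//   <b>bob</b>   valid=no  escaped=&lt;b&gt;bob&lt;/b&gt;
```

Encoding at output rather than at input keeps the stored value intact, so the same data can later be emitted safely into a different context (a JSON response, an attribute) with the encoder that context needs.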

Anti-SQL injection:

The mysql_real_escape_string() function escapes the special characters in a string so that it can be used safely inside an SQL statement.

The following characters are affected:

\x00
\n
\r
\
'
"
\x1a

If successful, the function returns the escaped string. If it fails, it returns false.

Syntax

mysql_real_escape_string(string,connection)

Parameter   Description
string      Required. Specifies the string to be escaped.
connection  Optional. Specifies the MySQL connection. If not specified, the most recently opened connection is used.
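Escaping, whether with addslashes() or mysql_real_escape_string(), still places user input inside the SQL text. The added example below (written for this article, not part of the original code) shows the alternative of a prepared statement, where the value is bound as a parameter and never becomes part of the SQL. It uses PDO with an in-memory SQLite database so it runs offline; the table, rows and inputs are constructed, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not from the original article. A bound parameter is matched
// literally, so quote characters in the input need no escaping code at all.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows for the demonstration.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (user_name) VALUES ('alice'), ('bob'), ('O''Brien')");

// Look a user up by the exact name supplied. The placeholder :name is filled in
// by the driver at execute time; the SQL text never changes.
function find_user(PDO $pdo, string $user_name): ?array {
    $stmt = $pdo->prepare('SELECT id, user_name FROM users WHERE user_name = :name');
    $stmt->bindValue(':name', $user_name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a plain name, a name containing an apostrophe, and a value
// with a stray quote and SQL keywords, which the bound parameter treats as text.
$inputs = [
    'alice',
    "O'Brien",
    "alice' OR 1=1",
];

foreach ($inputs as $input) {
    $row = find_user($pdo, $input);
    printf("%-16s -> %s\n", $input, $row === null ? 'no match' : 'id ' . $row['id']);
}
// Expected lines:
//   alice            -> id 1
//   O'Brien          -> id 3
//   alice' OR 1=1    -> no match
```

With a bound parameter, filter_injection()'s keyword check becomes unnecessary for the query itself; input validation is still worthwhile, but for data quality rather than as the only barrier against injection.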

To validate a value that must be a pure number or a numeric string, use

is_numeric(), which detects whether a variable is a number or a numeric string.

Example:


<?php
// Returns the value as a number when it is numeric, otherwise 0.
function get_numeric($val) {
    if (is_numeric($val)) {
        return $val + 0;   // "+ 0" converts a numeric string to int or float
    }
    return 0;
}
?>

is_array - Detects whether a variable is an array
bool is_array ( mixed $var )
Returns TRUE if $var is an array, otherwise FALSE.

is_dir - Determines whether a given file name is a directory
bool is_dir ( string $filename )
Determines whether the given file name is a directory.
Returns TRUE if the file name exists and is a directory, otherwise FALSE.

is_file - Determines whether a given file name is a regular file
bool is_file ( string $filename )
Determines whether the given file name is a regular file.
Returns TRUE if the file exists and is a regular file, otherwise FALSE.
Note:
Because PHP's integer type is signed and many platforms use 32-bit integers, some file system functions may return unexpected results for files larger than 2GB.

is_bool - Detects whether a variable is a Boolean
bool is_bool ( mixed $var )
Returns TRUE if $var is a Boolean, otherwise FALSE.

is_string - Detects whether a variable is a string
bool is_string ( mixed $var )
Returns TRUE if $var is a string, otherwise FALSE.

is_int - Detects whether a variable is an integer
bool is_int ( mixed $var )
Returns TRUE if $var is an integer, otherwise FALSE.
Note:
To test whether a variable is a number or a numeric string (such as form input, which is always a string), you must use is_numeric().

is_float - Detects whether a variable is a float
bool is_float ( mixed $var )
Returns TRUE if $var is a float, otherwise FALSE.
Note:
To test whether a variable is a number or a numeric string (such as form input, which is always a string), you must use is_numeric().

is_null - Detects whether a variable is NULL
bool is_null ( mixed $var )
Returns TRUE if $var is NULL, otherwise FALSE.

is_readable - Determines whether a given file name is readable
bool is_readable ( string $filename )
Determines whether the given file name exists and is readable. Returns TRUE if the file or directory specified by $filename exists and is readable, otherwise FALSE.

is_writable - Determines whether a given file name is writable
bool is_writable ( string $filename )
Returns TRUE if the file exists and is writable. The $filename parameter may be a directory name, allowing a writability check on directories.

file_exists - Checks whether a file or directory exists
bool file_exists ( string $filename )
Checks whether a file or directory exists.
On Windows, use //computername/share/filename or \\computername\share\filename to check files on a network share.
Returns TRUE if the file or directory specified by $filename exists, otherwise FALSE.

is_executable - Determines whether a given file name is executable
bool is_executable ( string $filename )
Determines whether the given file name is executable. Returns TRUE if the file exists and is executable, FALSE on error.
