Anti-injection
While writing code today it occurred to me that a single file could handle every place where an injection might occur, which saves the time and code of filtering each variable separately in every program.
We approach this from two points. The variables we receive normally arrive via GET or POST, so if we filter the GET and POST variables we have already prevented injection. PHP makes this easy: it has the built-in $_GET and $_POST arrays holding all those variables, so all we have to do is filter each element of them.
Here is the specific code:
<?php
/*
 * Author: heiyeluren
 */

$get  = array();
$post = array();

/* Filter all variables arriving via GET */
foreach ($_GET as $get_key => $get_var) {
    if (is_numeric($get_var)) {
        $get[strtolower($get_key)] = get_int($get_var);
    } else {
        $get[strtolower($get_key)] = get_str($get_var);
    }
}

/* Filter all variables arriving via POST */
foreach ($_POST as $post_key => $post_var) {
    if (is_numeric($post_var)) {
        $post[strtolower($post_key)] = get_int($post_var);
    } else {
        $post[strtolower($post_key)] = get_str($post_var);
    }
}

/* Filter functions */

/* Integer filter: coerce the value to an integer, dropping anything else */
function get_int($number)
{
    return intval($number);
}

/* String filter: escape quotes and backslashes, unless magic_quotes_gpc already did */
function get_str($string)
{
    if (!get_magic_quotes_gpc()) {
        return addslashes($string);
    }
    return $string;
}
?>
So we put the above code in a shared file, say security.inc.php, and include it from every file. Each program then reads the filtered $get and $post arrays instead of the raw $_GET and $_POST, and every variable submitted to any program has been filtered, once and for all.
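The same filter rule, packaged as a function and run on a constructed request so its effect can be seen from the command line. This is an added example, not heiyeluren's include; the function name filter_input_array and the sample values are assumptions, and it also covers nested array parameters, which the loop above does not.

```php
<?php
// Added example, not the original include: the filter rule as a function, run
// on constructed input without a web server or database. Assumes PHP 7+.
function get_int($number)
{
    return intval($number);
}

function get_str($string)
{
    // get_magic_quotes_gpc() was removed in PHP 8; where it still exists it
    // reports input the engine already escaped, to avoid escaping twice.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return $string;
    }
    return addslashes((string) $string);
}

/* The include's loop generalised to any input array: numeric values become
 * integers, everything else gets quotes escaped, keys are lowercased. Nested
 * arrays (tags[]=a&tags[]=b) are filtered recursively, since addslashes() on
 * an array only raises a warning or TypeError and filters nothing. */
function filter_input_array(array $input)
{
    $out = [];
    foreach ($input as $key => $var) {
        if (is_array($var)) {
            $out[strtolower($key)] = filter_input_array($var);
        } elseif (is_numeric($var)) {
            $out[strtolower($key)] = get_int($var);
        } else {
            $out[strtolower($key)] = get_str($var);
        }
    }
    return $out;
}

// Constructed sample request standing in for $_GET. 'ID' and 'id' would
// collapse into one lowercased key, the later one winning.
$sample = [
    'ID'   => '42',
    'page' => '3.7',            // numeric but not an integer: intval() gives 3
    'name' => "O'Reilly",       // the quote gets a backslash
    'tags' => ['php', 'a\\b'],  // nested array, handled recursively
];
$get = filter_input_array($sample);
var_export($get);
// An escaped string is only safe inside a quoted SQL literal; the numeric
// branch is what protects unquoted positions such as "WHERE id = ...".
echo "\nSELECT * FROM users WHERE id = {$get['id']} AND name = '{$get['name']}'\n";
```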
There are also other filtering methods, such as the keyword-based filtering I used before: http://dev.csdn.net/article/71/71475.shtm
You can also refer to the method written by three-foot ice: Http://www.fanghei.com/html/2005-06/20050607114008.htm
The methods differ, but the core aim is the same: making our code more secure.
Author: heiyeluren
Date: 2005-7-20