PHP Anti-injection Function code Summary _php Tutorial

Source: Internet
Author: User
Anti-injection code in PHP usually lives in a global include file that filters special strings out of every request. This article collects several PHP anti-injection functions, which can also be consulted as anti-SQL-injection examples.

For security, the following function is used to filter some of the illegal characters passed in:

PHP Anti-injection function

The code is as follows:
<?php
// Filter illegal characters and SQL keywords out of incoming request values
$ArrFiltrate = array("'", ";", "union", "select", "delete", "'", "or", "and", "=");
// URL to jump to after an error; leave empty to go back to the previous page
$StrGoUrl = "";

// Does any entry of the array occur in the string (case-insensitive)?
function funStringExist($StrFiltrate, $ArrFiltrate) {
    foreach ($ArrFiltrate as $key => $value) {
        if (stripos($StrFiltrate, $value) !== false) {   // eregi() in the original, removed in PHP 7
            return true;
        }
    }
    return false;
}

// Merge $_POST and $_GET (the original used $HTTP_POST_VARS / $HTTP_GET_VARS, removed in PHP 5.4)
if (function_exists('array_merge')) {
    $ArrPostAndGet = array_merge($_POST, $_GET);
} else {
    foreach ($_POST as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
    foreach ($_GET as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
}

// Validation starts
foreach ($ArrPostAndGet as $key => $value) {
    if (funStringExist($value, $ArrFiltrate)) {
        if (empty($StrGoUrl)) {
            echo "";   // redirect markup for "go back to the previous page" was lost from the page
        } else {
            echo "";   // redirect markup for jumping to $StrGoUrl was lost from the page
        }
        exit;
    }
}

Here is a similar example; this is the method used by the DZ forum:

The code is as follows:

// get_magic_quotes_gpc() was removed in PHP 8; treat it as off when it no longer exists
$magic_quotes_gpc = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if (!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}

// Recursively addslashes() a string or array unless magic_quotes_gpc already escaped it
function daddslashes($string, $force = 0) {
    if (!$GLOBALS['magic_quotes_gpc'] || $force) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}

Finally, a stronger version of the same idea:

The code is as follows:

// These three lines and add_special_char() belong to a class (hence array($this, ...)); the rest are plain functions
$field = explode(',', $data);
array_walk($field, array($this, 'add_special_char'));
$data = implode(',', $field);

/**
 * Add backquotes on both sides of a field name to keep the database query safe
 * @param $value array value (passed by reference)
 */
public function add_special_char(&$value) {
    if ('*' == $value || false !== strpos($value, '(') || false !== strpos($value, '.') || false !== strpos($value, '`')) {
        // Do not process: contains *, a function call, a table.column reference or is already backquoted
    } else {
        $value = '`' . trim($value) . '`';
    }
    return $value;
}

function str_filter($str) {
    $str = htmlspecialchars($str);
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) {
        $str = addslashes($str);
    }
    // Filter dangerous characters and keywords (a blacklist; it also strips these tokens from ordinary words)
    return preg_replace('/["\'=]|(and)|(or)|(create)|(update)|(alter)|(delete)|(insert)|(load_file)|(outfile)|(count)|(%20)|(char)/i', '', $str);
}
/*
Function name: str_check()
Function: filter a submitted string
Parameter: $str: the string to be processed
Return value: the filtered string
*/
function str_check($str) {
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) { // is magic_quotes_gpc on?
        $str = addslashes($str); // escape quotes
    }
    $str = str_replace("_", "\\_", $str); // escape '_' (a LIKE wildcard)
    $str = str_replace("%", "\\%", $str); // escape '%' (a LIKE wildcard)
    return $str;
}

/*
Function name: post_check()
Function: process submitted editor content
Parameter: $post: the submitted content
Return value: $post: the filtered content
*/
function post_check($post) {
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) { // is magic_quotes_gpc on?
        $post = addslashes($post); // magic_quotes_gpc is off, so escape the submitted data here
    }
    $post = str_replace("_", "\\_", $post); // escape '_' (a LIKE wildcard)
    $post = str_replace("%", "\\%", $post); // escape '%' (a LIKE wildcard)
    $post = nl2br($post); // convert line breaks
    $post = htmlspecialchars($post); // convert HTML tags
    return $post;
}

/*
Function name: inject_check()
Function: detect whether a submitted value contains SQL injection characters, to prevent injection and protect the server
Parameter: $sql_str: the submitted variable
Return value: the test result, true or false
*/
function inject_check($sql_str) {
    // eregi() in the original; returns 1 if any blacklisted token is found, 0 otherwise
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
}

/*
Function name: verify_id()
Function: verify that a submitted ID-type value is legal
Parameter: $id: the submitted ID value
Return value: the processed ID
*/
function verify_id($id = null) {
    if (!$id) { exit('No argument was submitted!'); }                          // null check
    elseif (inject_check($id)) { exit('The submitted argument is illegal!'); }  // injection check
    elseif (!is_numeric($id)) { exit('The submitted argument is illegal!'); }   // numeric check
    $id = intval($id); // cast to integer

    return $id;
}

// $rptype = 0: only HTML tags are replaced
// $rptype = 1: replace HTML tags and remove runs of whitespace characters
// $rptype = 2: replace HTML tags and remove all whitespace characters
// any other value: only dangerous HTML tags are replaced
function htmlreplace($str, $rptype = 0) {
    $str = stripslashes($str);
    if ($rptype == 0) {
        $str = htmlspecialchars($str);
    } else if ($rptype == 1) {
        $str = htmlspecialchars($str);
        $str = str_replace("  ", "", $str);
        $str = preg_replace("/[\r\n\t]+/", "", $str);   // ereg_replace("[\r\n\t]{1,}") in the original
    } else if ($rptype == 2) {
        $str = htmlspecialchars($str);
        $str = str_replace("  ", "", $str);
        $str = preg_replace("/[\r\n\t]/", "", $str);
    } else {
        $str = preg_replace("/[\r\n\t]+/", "", $str);
        // Break the word "script" with an HTML entity; the page shows this replacement as the identity, the entity form is assumed
        $str = preg_replace('/script/i', 's&#99;ript', $str);
        $str = preg_replace("/<[\/]{0,1}(link|meta|ifr|fra)[^>]*>/i", "", $str);
    }
    return addslashes($str);
}
// Recursive addslashes
function daddslashes($string, $force = 0, $strip = FALSE) {
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) || $force) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = daddslashes($val, $force, $strip);   // pass $strip down; the original dropped it for nested arrays
            }
        } else {
            $string = addslashes($strip ? stripslashes($string) : $string);
        }
    }
    return $string;
}

// Recursive stripslashes
function dstripslashes($string) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = dstripslashes($val);   // the original called $this->dstripslashes() from a plain function
        }
    } else {
        $string = stripslashes($string);
    }
    return $string;
}
/**
 * Security filter function
 * @param $string the string to filter
 * @return string the processed string
 */
function safe_replace($string) {
    $string = str_replace('%20', '', $string);
    $string = str_replace('%27', '', $string);
    $string = str_replace('%2527', '', $string);
    $string = str_replace('*', '', $string);
    $string = str_replace('"', '&quot;', $string);
    $string = str_replace("'", '', $string);
    $string = str_replace('"', '', $string);
    $string = str_replace(';', '', $string);
    $string = str_replace('<', '&lt;', $string);
    $string = str_replace('>', '&gt;', $string);
    $string = str_replace("{", '', $string);
    $string = str_replace('}', '', $string);
    return $string;
}

/**
 * Apply htmlspecialchars to a string or, recursively, to an array
 * @param $string string or array to be processed
 * @return mixed the string or array after htmlspecialchars
 */
function new_htmlspecialchars($string) {
    if (!is_array($string))
        return htmlspecialchars($string);
    foreach ($string as $key => $val)
        $string[$key] = new_htmlspecialchars($val);
    return $string;
}

// Handle content that disallows HTML but allows line breaks
function trimmsg($msg) {
    $msg = trim(stripslashes($msg));
    $msg = nl2br(htmlspecialchars($msg));
    $msg = str_replace("  ", "&nbsp; ", $msg);   // keep double spaces visible; the replacement text was mangled on the page
    return addslashes($msg);
}
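All of the functions above rely on blacklisting characters and keywords and on escaping with addslashes(). As an added example (not code from the article or from the forum software it quotes), the script below shows where that approach breaks and what a practitioner does instead: inject_check() rejects ordinary words, an id is validated as an integer rather than filtered, column names go on an allow-list instead of being backquoted as in add_special_char(), and values are bound to a prepared statement. It assumes the pdo_sqlite extension so it runs without a database server; verify_id_strict, safe_column and find_user are hypothetical names.

```php
<?php
// Added example: defensive replacements for the blacklist filters above.
// Assumes the pdo_sqlite extension; uses an in-memory database so it runs stand-alone.

// The blacklist in inject_check() also matches harmless words such as "Andorra" (contains "and" and "or").
function inject_check($sql_str) {
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str) === 1;
}
var_dump(inject_check('Andorra'));   // a legitimate country name is rejected

// Validate instead of filtering: an id is a positive integer or it is refused.
function verify_id_strict($id) {
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $n;
}

// Identifiers cannot be bound as parameters, so allow only known column names
// rather than backquoting whatever arrives (what add_special_char() does).
function safe_column($name, array $allowed) {
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('unknown column: ' . $name);
    }
    return '`' . $name . '`';
}

// Values are bound to a prepared statement; no addslashes() or keyword blacklist is needed.
function find_user(PDO $pdo, $id, $column) {
    $sql = 'SELECT ' . safe_column($column, ['id', 'name']) . ' FROM users WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':id' => verify_id_strict($id)]);
    return $stmt->fetchColumn();
}

// Constructed sample data
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'Andorra'), (2, 'O''Reilly')");

var_dump(find_user($pdo, '2', 'name'));   // the apostrophe in O'Reilly needs no escaping
foreach (['1abc', '0', 'name'] as $bad) {
    try {
        find_user($pdo, $bad, 'name');
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";   // each is refused before any SQL is built
    }
}
```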
