This article summarizes some commonly used methods in PHP for defending against PHP injection and SQL injection. PHP provides several functions for this purpose: htmlspecialchars, addslashes, stripslashes, strip_tags and mysql_real_escape_string. Readers who need them can refer to the summary below.
The following summarizes how special characters in common form input are processed.
Test string:
The code is as follows:
<?php
// Test string. The HTML tags were lost when the page was extracted; the tags below are
// reconstructed from the description of the string's contents given further down.
$dbstr = "D:\\test http://www.bKjia.c0m, <a href=\"http://www.bKjia.c0m\">Tian Yuan Blog</a><br /><br />"
       . "   ' != '1' OR '1'   \r\n\r\n"
       . "<script>document.write('JS OUTPUT');</script>"
       . "<?php echo \"PHP OUTPUT\";?>";
?>
Test code:
The code is as follows:
<?php
header("Content-Type: text/html; charset=utf-8");
$sep = "\r\n------------------------------------------------------\r\n";
echo $sep;
echo $dbstr . $sep;
$str = fnAddSlashes($_POST['dd']);          // the form field dd carries $dbstr; fnAddSlashes is defined below
echo $str . $sep;
$str = preg_replace('/\s(?=\s)/', '', $str);           // a run of whitespace keeps only its last character
$str = str_replace("\r", "<br />", $str);              // carriage returns become <br />
$str = str_replace("\n", "<br />", $str);              // line feeds become <br />
$str = preg_replace('/(<br \/>)+/i', '<br />', $str);  // multiple consecutive <br /> tags retain only one
$str = stripslashes($str);
echo strip_tags($str) . $sep;
echo htmlspecialchars($str) . $sep;
echo htmlentities($str) . $sep;
echo mysql_escape_string($str) . $sep;
?>
The string contains: a backslash path, single and double quotes, HTML tags, a link, unclosed HTML tags, a database syntax fault-tolerance test ('1' OR '1'), a JS execution test, a PHP execution test, and multiple consecutive carriage returns, line feeds and spaces. Some of these categories overlap.
Second, processing form-submitted data
1. Forcibly adding backslashes
Some hosts have magic quotes (magic_quotes_gpc) turned on by default and others have it turned off, so it is best for the program to force backslash escaping itself, so that single quotes, double quotes and backslashes are handled uniformly.
The code is as follows:
function fnAddSlashes($data)
{
    // magic_quotes_gpc only escapes POST/GET/COOKIE data, so when it is off we escape ourselves.
    if (!get_magic_quotes_gpc()) {
        // Recurse so that nested arrays (e.g. field[]) are escaped as well.
        return is_array($data) ? array_map('fnAddSlashes', $data) : addslashes($data);
    } else {
        return $data;
    }
}
2. Handling special characters
Below are a few common string-processing steps; use them as the situation requires. Since the submitted form data has already been escaped once, any replacement or filtering of the content must take into account what addslashes did to the affected characters, and the added backslashes must be allowed for when searching or replacing. Other character replacements, such as replacing \r\n, are not affected.
A. Multiple consecutive spaces keep only one
The code is as follows:
$data = preg_replace('/\s(?=\s)/', '', $data); // any whitespace character followed by another is dropped, so a run of whitespace keeps only its last character
B. Carriage return and line feed replacement
The code is as follows:
$data = str_replace("\r", "<br />", $data);
$data = str_replace("\n", "<br />", $data);
<br> is the default in HTML and is not closed; in XHTML it is <br />, which is closed. <br /> is the recommended form. More on the differences between the two:
C. Multiple consecutive <br /> tags keep only one
The code is as follows:
$data = preg_replace('/(<br \/>)+/i', '<br />', $data); // multiple consecutive <br /> tags retain only one
D. Filter all HTML tags
This approach filters out all potentially dangerous tags: HTML, links, unclosed HTML tags, JS and PHP.
Use the function strip_tags($data).
The function strips all HTML tags (including links) as well as PHP tags, JS tags and so on. For a link, the original link text is kept and only the markup and the href part are removed; PHP and JS tags are removed, and for PHP tags this includes everything between <?php and ?>.
E. Do not filter tags, just render them as HTML entities
This method treats the original submission as ordinary text.
Use the function htmlspecialchars($data); it renders all of the submitted data as plain text.
The htmlentities function can be used in the same way (its output is garbled for Chinese text unless the charset is given, because older PHP versions default to ISO-8859-1).
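As an added example (not code from the original article), the following function combines steps A, B, C and E in the order a defender actually wants: escape first with htmlspecialchars (ENT_QUOTES, UTF-8, which also cures the Chinese garbling mentioned for htmlentities) and only then insert the <br /> tags, so that they survive the escaping. The function name sanitizeForHtml and the sample input are assumptions.

```php
<?php
// Added example: safe display of untrusted form text; not the article's own code.
// Order matters: escape first, then add <br />; the reverse would escape the <br /> tags too.
function sanitizeForHtml($data)
{
    // Undo magic quotes if an old host added them, so the raw text is escaped exactly once.
    // get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    // Step E: treat everything as plain text. ENT_QUOTES covers ' as well as ",
    // and naming the charset avoids the garbled Chinese that htmlentities produced.
    $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    // Step A: runs of spaces/tabs collapse to one space (no backreference needed).
    $data = preg_replace('/[ \t]+/', ' ', $data);
    // Step B: line breaks (\r\n, \r or \n) become <br />.
    $data = preg_replace('/\r\n|\r|\n/', '<br />', $data);
    // Step C: several consecutive <br /> tags keep only one.
    $data = preg_replace('/(<br \/>)+/i', '<br />', $data);
    return $data;
}

// Constructed test input modelled on the article's test string (an assumption).
$input = "D:\\test   <a href=\"http://www.bKjia.c0m\">Tian Yuan Blog</a>\r\n\r\n"
       . "'1' OR '1'\n<script>document.write('JS');</script>";
echo sanitizeForHtml($input);
```

The link, the quotes and the script block all come out as inert escaped text, while the two blank lines collapse to a single <br />.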
Third, writing to the database
Although addslashes($data) lets the data be written directly to the database for advanced trusted users, addslashes cannot intercept a single quote smuggled in as the byte sequence 0xbf27, so it is best to escape with mysql_real_escape_string or mysql_escape_string; the backslashes must be stripped before escaping (assuming addslashes is on by default). Note that only mysql_real_escape_string takes the connection's character set into account, which is exactly what the 0xbf27 case turns on, and that the whole mysql_* extension was removed in PHP 7; mysqli and PDO provide the same escaping plus prepared statements.
The code is as follows:
function fnEscapeStr($data)
{
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);   // remove the backslashes that magic quotes added
    }
    // Charset-aware escaping; requires an open mysql connection.
    $data = "'" . mysql_real_escape_string($data) . "'";
    return $data;
}
$data = fnEscapeStr($data);
PHP universal anti-injection security code
The code is as follows:
<?php
/**************************
 Description: checks whether the passed-in variables ($_POST, $_GET) contain illegal characters
 Function: anti-injection
**************************/
// Illegal characters to filter
$ArrFiltrate = array("'", ";", "union");
// URL to jump to after an error; leave empty to return to the previous page
$StrGoUrl = "";
// Does any value in the array occur (case-insensitively) in the string?
function FunStringExist($StrFiltrate, $ArrFiltrate)
{
    if (is_array($StrFiltrate)) {            // array-valued fields (name[]): check each element
        foreach ($StrFiltrate as $item) {
            if (FunStringExist($item, $ArrFiltrate)) {
                return true;
            }
        }
        return false;
    }
    foreach ($ArrFiltrate as $key => $value) {
        // stripos replaces the removed eregi(): a plain case-insensitive substring test
        if (stripos($StrFiltrate, $value) !== false) {
            return true;
        }
    }
    return false;
}
// Merge $_POST and $_GET (the long-form $HTTP_POST_VARS/$HTTP_GET_VARS arrays are gone since PHP 5.4)
$ArrPostAndGet = array_merge($_POST, $_GET);
// Validation begins
foreach ($ArrPostAndGet as $key => $value) {
    if (FunStringExist($value, $ArrFiltrate)) {
        echo "<script>alert(\"NEEAO hint, illegal character\");";
        if (empty($StrGoUrl)) {
            echo "history.go(-1);";
        } else {
            echo "window.location=\"" . $StrGoUrl . "\";";
        }
        echo "</script>";
        exit;
    }
}
?>
Save it as checkpostandget.php, then add include("checkpostandget.php"); to each PHP file.
Bear in mind that this is a blacklist: it rejects legitimate input such as O'Brien and cannot enumerate every injection pattern, so it is a stopgap in front of proper escaping or parameterized queries, not a replacement for them.
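As an added example that is not part of the original article, and one that goes beyond it by covering both the escaping helper in part three and the blacklist above: the robust replacement for both is to keep data and SQL separate with a mysqli prepared statement, keeping charset-aware escaping only for legacy queries that are still built as strings. The function names, the $db connection and the guestbook table are assumptions.

```php
<?php
// Added example, not the article's code. Assumes an existing mysqli connection $db
// and a table guestbook(name, body); both are assumptions for illustration.
function insertGuestbookEntry(mysqli $db, $name, $body)
{
    // Magic quotes were removed in PHP 5.4; only strip backslashes if an old host added them.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $name = stripslashes($name);
        $body = stripslashes($body);
    }
    // The connection charset is what makes escaping (and the 0xbf27 case) safe:
    // set it on the connection itself, not via a "SET NAMES" query the client cannot see.
    $db->set_charset('utf8mb4');

    // Placeholders: the values never become part of the SQL text, so "'", ";" and
    // "union" inside the input are just data and no blacklist is needed.
    $stmt = $db->prepare('INSERT INTO guestbook (name, body) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $name, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// If a legacy query must still be built as a string, escape on the same charset-aware
// connection instead of mysql_escape_string(), which knows nothing about the charset.
function legacyQuotedValue(mysqli $db, $value)
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Usage with the article's kind of input; "'1' OR '1'" is stored verbatim, not executed:
// $db = new mysqli('localhost', 'user', 'pass', 'site');
// insertGuestbookEntry($db, $_POST['name'], "'1' OR '1'");
```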