- Method one: escape the characters that would break out of an SQL string literal (single quote, double quote, backslash, NUL): addslashes().
- Method two: remove all HTML tags: strip_tags().
- Method three: filter markup that could carry executable code. The function below runs three regular expressions in order: collapse runs of whitespace, blank out the opening and closing tags of a fixed list (script, iframe, style, html, body, title, link, meta, and the `<?` and `<%` code tags), and remove any tag that carries an on* event-handler attribute. Like any tag blacklist it only catches what its patterns name; encoding the output with htmlspecialchars() (discussed below) is the more reliable protection for displayed text.

```php
<?php
function php_sava($str)
{
    $farr = array(
        '/\s+/',
        '/<(\/?)(script|i?frame|style|html|body|title|link|meta|\?|%)([^>]*?)>/isu',
        '/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isu',
    );
    $tarr = array(
        ' ',
        '<>', // to delete the unsafe tag outright instead of leaving "<>", make this an empty string
        '',   // the whole tag that carries the event handler is dropped
    );
    $str = preg_replace($farr, $tarr, $str);
    return $str;
}
```
- PHP SQL anti-injection code (sqlin.php):

```php
<?php
// Strips a fixed blacklist of SQL keywords and characters from every GET and
// POST value. str_replace() is case-sensitive and makes one pass per needle,
// so this is a keyword blacklist, not an escaping routine.
class Sqlin
{
    // dowith_sql($value): blank out every listed keyword or character
    function dowith_sql($str)
    {
        $str = str_replace("and", "", $str);
        $str = str_replace("execute", "", $str);
        $str = str_replace("update", "", $str);
        $str = str_replace("count", "", $str);
        $str = str_replace("chr", "", $str);
        $str = str_replace("mid", "", $str);
        $str = str_replace("master", "", $str);
        $str = str_replace("truncate", "", $str);
        $str = str_replace("char", "", $str);
        $str = str_replace("declare", "", $str);
        $str = str_replace("select", "", $str);
        $str = str_replace("create", "", $str);
        $str = str_replace("delete", "", $str);
        $str = str_replace("insert", "", $str);
        // The next three arguments are garbled in the page's rendering; they are
        // reconstructed from the stated principle (replace with the empty string).
        $str = str_replace("'", "", $str);
        $str = str_replace("\"", "", $str);
        $str = str_replace(" ", "", $str);
        $str = str_replace("or", "", $str);
        $str = str_replace("=", "", $str);
        $str = str_replace("%20", "", $str);
        // echo $str;  // debugging output in the original; disabled so the include prints nothing
        return $str;
    }

    // Constructor: filter all received GET and POST data in place.
    // (The original uses the PHP 4 style constructor function Sqlin(), which
    // PHP 8 no longer treats as a constructor; __construct is required.)
    function __construct()
    {
        foreach ($_GET as $key => $value) {
            $_GET[$key] = $this->dowith_sql($value);
        }
        foreach ($_POST as $key => $value) {
            $_POST[$key] = $this->dowith_sql($value);
        }
    }
}

$dbsql = new Sqlin();
```
How to use: copy the code above into a new file sqlin.php and include it from every page that receives GET or POST data. Principle: every SQL keyword is replaced with the empty string. As written the code cannot be used in a guestbook, because ordinary message text is mangled as well (a message containing "and" or a space loses those characters). To use it in a guestbook, replace the lines from `$str = str_replace("and", "", $str);` through `$str = str_replace("%20", "", $str);` with the following:
- $str = Str_replace ("and", "and", $STR);
- $str = Str_replace ("Execute", "execute", $STR);
- $str = Str_replace ("Update", "Update", $STR);
- $str = Str_replace ("Count", "Count", $STR);
- $str = Str_replace ("Chr", "CHR", $STR);
- $str = Str_replace ("Mid", "mid", $str);
- $str = Str_replace ("Master", "Master", $STR);
- $str = Str_replace ("truncate", "truncate", $STR);
- $str = Str_replace ("char", "char", $STR);
- $str = Str_replace ("Declare", "declare", $STR);
- $str = Str_replace ("Select", "select", $str);
- $str = Str_replace ("Create", "create", $STR);
- $str = str_replace ("delete", "delete", $str);
- $str = Str_replace ("Insert", "Insert", $STR);
- $str = Str_replace ("'", "'", $str);
- $str = Str_replace ("" "," "", $str);
- ?>
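The two properties a practitioner should know about the keyword-stripping approach above, shown beside the alternative it is normally replaced with. This is an added example, not code from the original page: the blacklist_filter() and find_user() functions, the in-memory users table and the probe strings are constructed here, and the PDO part assumes PHP 7.4 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not part of the original page.
// Assumes PHP 7.4+ with the pdo_sqlite extension; table and inputs are constructed.

// Minimal copy of the page's keyword filter (lowercase keywords only).
function blacklist_filter(string $str): string
{
    foreach (['and', 'select', 'or', '=', "'", ' '] as $needle) {
        $str = str_replace($needle, '', $str); // one pass per needle, case-sensitive
    }
    return $str;
}

// 1. One pass per needle: removing the inner "select" re-forms the outer one.
$probe1 = blacklist_filter('selselectect');   // "select"

// 2. str_replace() is case-sensitive: an upper-case keyword passes untouched.
$probe2 = blacklist_filter('SELECT');         // "SELECT"

// 3. The filter damages ordinary text: the "or" in "world" and the space go.
$probe3 = blacklist_filter('hello world');    // "hellowld"

// Parameter binding: the value never becomes part of the SQL text, so no
// keyword or quote inside it can change the statement.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Reilly')");

$hit  = find_user($db, "O'Reilly");     // row with id 2 and name O'Reilly
$miss = find_user($db, "' OR 1=1 --");  // null: it is just a name nobody has

var_dump($probe1, $probe2, $probe3, $hit, $miss);
```

Run it with php from the command line. The first three probes show that one pass of str_replace() re-forms a keyword that was split by a copy of itself, that an upper-case keyword passes untouched, and that the filter also damages legitimate text. The prepared statement needs none of the stripping: the quote in O'Reilly is matched literally, and the classic injection string is only a value that matches no row.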
addslashes: quote a string with backslashes. `string addslashes(string $str)` returns the string with a backslash placed before each character that must be escaped in a database query: single quote ('), double quote ("), backslash (\) and NUL. The typical use is preparing a value for insertion. For example, the name O'Reilly must be escaped before it goes into the query; most databases use \ as the escape character, so it is sent as O\'Reilly, and the database stores O'Reilly without the extra backslash. When the PHP directive magic_quotes_sybase is On, a single quote is instead escaped by doubling it (''). addslashes() is generic: it knows nothing about the connection's character set, so it is not a replacement for the database driver's own escaping function or, better, parameter binding.

In older PHP the directive magic_quotes_gpc was on by default and ran addslashes() automatically over all GET, POST and COOKIE data. Do not call addslashes() on a string that magic_quotes_gpc has already escaped, because the result is double escaping. get_magic_quotes_gpc() reports the setting: it returns 0 if the feature is off and 1 if it is on. With magic_quotes_gpc on, every ' (single quote), " (double quote), \ (backslash) and NUL byte in the incoming data is automatically converted to its backslash-escaped form. (Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0; on current PHP, request data is never pre-escaped.)

addslashes and stripslashes are the PHP functions used when writing strings to and reading them from a database. The names look hard to remember at first, but they decompose simply: add means add, strip means remove, slash is the / or \ character, and slashes is its plural.
So addslashes means add slashes: characters such as ' and " cause problems when written to the database, so a \ is added in front of them to tell the database they are part of the string rather than syntax. Correspondingly, stripslashes removes that slash again when the string is read back from the database.

htmlspecialchars converts a few special characters into their HTML entity encodings; a common use is displaying visitor messages in a guestbook. The characters it handles are limited to & (becomes &amp;), < (&lt;), > (&gt;) and, with the ENT_QUOTES flag, the double and single quote. htmlentities is the related function that converts every character that has an HTML entity equivalent, not only these few; if its charset argument does not match the data (for instance UTF-8 Chinese text processed as ISO-8859-1), each byte of a Chinese character is encoded separately and the Chinese part comes out as garbage. htmlspecialchars_decode is the reverse of htmlspecialchars: it converts the HTML entities back into characters.
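Output encoding beside the regex blacklist of method three, plus the charset behaviour of htmlentities() that produces the garbled Chinese described above. This is an added example, not code from the original page: php_sava() is reproduced from method three so the file runs on its own, html_encode() and the sample comment are constructed here, and it assumes PHP 7.4 or later (ENT_HTML5 and the UTF-8 default charset have existed since 5.4).

```php
<?php
// Added example, not part of the original page. Assumes PHP 7.4+.

// The page's method-three filter, reproduced so this file runs stand-alone.
function php_sava($str)
{
    $farr = array(
        '/\s+/',
        '/<(\/?)(script|i?frame|style|html|body|title|link|meta|\?|%)([^>]*?)>/isu',
        '/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isu',
    );
    $tarr = array(' ', '<>', '');
    return preg_replace($farr, $tarr, $str);
}

// Encode for an HTML text node or a quoted attribute value. Only the five
// significant characters become entities; CJK text is passed through intact.
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed guestbook comment: Chinese text, a script tag, an ampersand and
// a tag with an inline event handler.
$comment = '张三 says: <script>alert(1)</script> & <b onclick="x()">hi</b>';

// Blacklist: <script> and </script> become "<>", the <b ...> tag with its
// handler is removed, but the result is still emitted as markup, so any tag
// or attribute the three patterns do not name would remain live.
$filtered = php_sava($comment);
// '张三 says: <>alert(1)<> & hi</b>'

// Output encoding: the browser displays the original characters but cannot
// parse them as tags or attributes, whatever the input contained.
$encoded = html_encode($comment);
// '张三 says: &lt;script&gt;alert(1)&lt;/script&gt; &amp; &lt;b onclick=&quot;x()&quot;&gt;hi&lt;/b&gt;'

// htmlentities() with a charset that does not match the data encodes every
// byte of a UTF-8 character separately, turning 张 into Latin-1 entities such
// as &aring; and &frac14;. With the correct charset CJK text is kept as is.
$garbled = htmlentities('张三', ENT_QUOTES, 'ISO-8859-1');
$kept    = htmlentities('张三', ENT_QUOTES, 'UTF-8');   // '张三'

// htmlspecialchars_decode() reverses html_encode() exactly.
$roundtrip = htmlspecialchars_decode($encoded, ENT_QUOTES | ENT_HTML5) === $comment; // true

var_dump($filtered, $encoded, $garbled, $kept, $roundtrip);
```

The design point is that html_encode() is applied at output time to whatever is stored, so the stored comment stays intact and readable (including the Chinese text), while php_sava() destroys parts of the input and still leaves the remainder as live markup.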