In general, for the character passed in, PHP tutorial can be processed with the Addslashes function once (to GET_MAGIC_QUOTES_GPC () for the fake before processing, otherwise it will be escaped again! ), so that a certain level of safety requirements can be achieved
Like this.
Code to copy code as follows
if (!GET_MAGIC_QUOTES_GPC ()) {
Add_slashes ($_get);
Add_slashes ($_post);
Add_slashes ($_cookie);
}
function Add_slashes ($string) {
if (Is_array ($string)) {
foreach ($string as $key = = $value) {
$string [$key] = add_slashes ($value);
}
} else {
$string = Addslashes ($string);
}
return $string;
}
But it can be further re-encoded, decoded, as follows:
Code to copy code as follows
Coding
function HTMLEncode ($STR) {
if (empty ($STR)) return;
if ($str = = "") return $str;
$str =trim ($STR);
$str =str_replace ("&", "&", $str);
$str =str_replace (">", ">", $str);
$str =str_replace ("<", "&lt;", $str);
$str =str_replace (CHR), "&nbsp;", $str);
$str =str_replace (Chr (9), "&nbsp;", $str);
$str =str_replace (CHR), "&", $str);
$str =str_replace (CHR), "& #39;", $STR);
$str =str_replace (CHR), "<br/>", $str);
$str =str_replace ("'", "'", $str);
$str =str_replace ("select", "sel& #101; CT", $str);
$str =str_replace ("Join", "jo& #105; n", $str);
$str =str_replace ("union", "un& #105; on", $STR);
$str =str_replace ("where", "wh& #101; Re", $STR);
$str =str_replace ("Insert", "ins& #101; RT", $STR);
$str =str_replace ("delete", "del& #101; TE", $str);
$str =str_replace ("Update", "up& #100; ate", $str);
$str =str_replace ("Like", "lik& #101;", $STR);
$str =str_replace ("Drop", "dro& #112;", $STR);
$str =str_replace ("Create", "cr& #101; ate", $str);
$str =str_replace ("Modify", "mod& #105; FY", $str);
$str =str_replace ("rename", "ren& #097; Me", $str);
$STR =str_replace ("Alter", "alt& #101; r", $str);
$str =str_replace ("Cast", "ca& #115;", $STR);
return $str;
}
This can be more secure to the external data processing, but from the database out, in the foreground display, you must re-decode:
Code to copy code as follows
Decoding
function HtmlDecode ($STR) {
if (empty ($STR)) return;
if ($str = = "") return $str;
$str =str_replace ("sel& #101; CT", "select", $str);
$str =str_replace ("jo& #105; n", "join", $STR);
$str =str_replace ("un& #105; on", "union", $STR);
$str =str_replace ("wh& #101; Re", "where", $str);
$str =str_replace ("ins& #101; RT", "Insert", $STR);
$str =str_replace ("del& #101; TE", "delete", $str);
$str =str_replace ("up& #100; ate", "Update", $STR);
$str =str_replace ("lik& #101;", "like", $STR);
$str =str_replace ("dro& #112;", "Drop", $str);
$str =str_replace ("cr& #101; ate", "create", $STR);
$str =str_replace (www.111cn.net) "mod& #105; FY", "Modify", $str);
$str =str_replace ("ren& #097; Me", "rename", $str);
$str =str_replace ("alt& #101; R", "Alter", $STR);
$str =str_replace ("ca& #115;", "cast", $STR);
$str =str_replace ("&amp;", "&", $str);
$str =str_replace ("&gt;", ">", $str);
$str =str_replace ("&lt;", "<", $str);
$str =str_replace ("&nbsp;", Chr (+), $str);
$str =str_replace ("&nbsp;", Chr (9), $STR);
$str =str_replace ("&", CHR, $STR);
$str =str_replace ("& #39;", CHR, $STR);
$str =str_replace ("<br/>", CHR, $STR);
$str =str_replace ("'" "," ' ", $str);
return $str;
}
Although more than one step coding, decoding the process, but security aspects, will go further, how to do, their own choice bar.
Attach some more
Code to copy code as follows
function Safe_replace ($string) {
$string = Str_replace (', ', ', $string);
$string = Str_replace (' ', ' ', $string);
$string = Str_replace (' ', ' ', $string);
$string = Str_replace (' * ', ' ', $string);
$string = Str_replace (' "', '" ', $string);
$string = Str_replace ("'", "', $string);
$string = Str_replace (' "', ' ', $string);
$string = Str_replace ('; ', ' ', $string);
$string = Str_replace (' < ', ' < ', $string);
$string = Str_replace (' > ', ' > ', $string);
$string = Str_replace ("{", "', $string);
$string = Str_replace ('} ', ' ', $string);
return $string;
}
The more comprehensive
Code to copy code as follows
Processing the submitted data
function HtmlDecode ($STR) {
if (Empty ($STR) | | "" = = $str) {
Return "";
}
$str = Strip_tags ($STR);
$str = Htmlspecialchars ($STR);
$str = NL2BR ($STR);
$str = Str_replace ("?", "" ", $str);
$str = Str_replace ("*", "", $str);
$str = Str_replace ("!", "" ", $str);
$str = Str_replace ("~", "", $str);
$str = Str_replace ("$", "", $str);
$str = str_replace ("%", "", $str);
$str = Str_replace ("^", "", $str);
$str = Str_replace ("^", "", $str);
$str = Str_replace ("Select", "", $str);
$str = Str_replace ("Join", "", $str);
$str = Str_replace ("union", "", $str);
$str = Str_replace ("where", "", $str);
$str = Str_replace ("Insert", "", $str);
$str = str_replace ("delete", "", $str);
$str = Str_replace ("Update", "", $str);
$str = Str_replace ("Like", "", $str);
$str = Str_replace ("Drop", "", $str);
$str = Str_replace ("Create", "", $str);
$str = Str_replace ("Modify", "", $str);
$str = str_replace ("rename", "", $str);
$str = Str_replace ("Alter", "", $str);
$str = Str_replace ("Cast", "", $str);
$farr = Array ("//s+/",//filter Extra blanks
"/< (//?) (img|script|i?frame|style|html|body|title|link|meta|/?| /%) ([^>]*?) >/isu ",//filter <script prevent the introduction of malicious content or malicious code, if you do not need to insert flash, etc., you can also add <object filter
"/(<[^>]*) on[a-za-z]+/s*= ([^>]*>)/isu")//filter on the JavaScript on event
;
$tarr = Array ("", "",//If you want to clear unsafe labels directly, you can leave this blank
"" );
return $str;
}
From:http://www.111cn.net/phper/phpanqn/55876.htm
PHP Filter Summary of special dangerous characters