When a web site accepts form submissions or values from the URL query string it can run into security problems. Below I summarise some commonly used ways of filtering dangerous special characters. In general, the incoming values can be run through PHP's addslashes() once (check get_magic_quotes_gpc() first and only escape when it returns false, otherwise the data is escaped twice) to reach a certain level of security, for example with the following code:
if (!get_magic_quotes_gpc()) {
    // Only escape when magic quotes are off, otherwise the data would be escaped twice.
    // Note: magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0.
    // add_slashes() returns a copy, so the result has to be assigned back.
    $_GET    = add_slashes($_GET);
    $_POST   = add_slashes($_POST);
    $_COOKIE = add_slashes($_COOKIE);
}

// Apply addslashes() recursively so nested arrays in $_GET/$_POST/$_COOKIE are covered too.
function add_slashes($string) {
    if (is_array($string)) {
        foreach ($string as $key => $value) {
            $string[$key] = add_slashes($value);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}
But it can be taken a step further by encoding the data on the way in and decoding it again on the way out; the code is as follows:
Encoding
function htmlEncode($str) {
    if (empty($str)) return;
    if ($str == "") return $str;
    $str = trim($str);
    // HTML-special characters first. The chr() arguments, which are not legible in the
    // source, are restored to match the decode routine below.
    $str = str_replace("&", "&amp;", $str);
    $str = str_replace(">", "&gt;", $str);
    $str = str_replace("<", "&lt;", $str);
    $str = str_replace(chr(32), "&nbsp;", $str);   // space
    $str = str_replace(chr(9), "&nbsp;", $str);    // tab
    $str = str_replace(chr(34), "&quot;", $str);   // double quote
    $str = str_replace(chr(39), "&#39;", $str);    // single quote
    $str = str_replace(chr(13), "<br/>", $str);    // carriage return
    $str = str_replace("'", "''", $str);           // never matches here: chr(39) was already replaced above
    // SQL keywords are mangled with a numeric character reference so they no longer read as
    // keywords. str_replace() is case-sensitive, so only the lowercase spellings are rewritten.
    $str = str_replace("select", "sel&#101;ct", $str);
    $str = str_replace("join",   "jo&#105;n",   $str);
    $str = str_replace("union",  "un&#105;on",  $str);
    $str = str_replace("where",  "wh&#101;re",  $str);
    $str = str_replace("insert", "ins&#101;rt", $str);
    $str = str_replace("delete", "del&#101;te", $str);
    $str = str_replace("update", "up&#100;ate", $str);
    $str = str_replace("like",   "lik&#101;",   $str);
    $str = str_replace("drop",   "dro&#112;",   $str);
    $str = str_replace("create", "cr&#101;ate", $str);
    $str = str_replace("modify", "mod&#105;fy", $str);
    $str = str_replace("rename", "ren&#097;me", $str);
    $str = str_replace("alter",  "alt&#101;r",  $str);
    $str = str_replace("cast",   "ca&#115;",    $str);
    return $str;
}
This gives more confidence that the data handed on for further processing is safe, but when it comes back out of the database and is displayed in the front end it must be decoded again; the code is as follows:
Decoding
function htmlDecode($str) {
    if (empty($str)) return;
    if ($str == "") return $str;
    // Restore the mangled SQL keywords first, then the HTML entities.
    $str = str_replace("sel&#101;ct", "select", $str);
    $str = str_replace("jo&#105;n",   "join",   $str);
    $str = str_replace("un&#105;on",  "union",  $str);
    $str = str_replace("wh&#101;re",  "where",  $str);
    $str = str_replace("ins&#101;rt", "insert", $str);
    $str = str_replace("del&#101;te", "delete", $str);
    $str = str_replace("up&#100;ate", "update", $str);
    $str = str_replace("lik&#101;",   "like",   $str);
    $str = str_replace("dro&#112;",   "drop",   $str);
    $str = str_replace("cr&#101;ate", "create", $str);
    $str = str_replace("mod&#105;fy", "modify", $str);
    $str = str_replace("ren&#097;me", "rename", $str);
    $str = str_replace("alt&#101;r",  "alter",  $str);
    $str = str_replace("ca&#115;",    "cast",   $str);
    $str = str_replace("&amp;",  "&", $str);
    $str = str_replace("&gt;",   ">", $str);
    $str = str_replace("&lt;",   "<", $str);
    $str = str_replace("&nbsp;", chr(32), $str);   // space
    $str = str_replace("&nbsp;", chr(9),  $str);   // tab: never matches, &nbsp; was already replaced above
    $str = str_replace("&quot;", chr(34), $str);   // double quote
    $str = str_replace("&#39;",  chr(39), $str);   // single quote
    $str = str_replace("<br/>",  chr(13), $str);   // carriage return
    $str = str_replace("''", "'", $str);
    return $str;
}
Although the encode/decode round trip adds a step, it goes a little further on the security side; which approach to use is your own choice.
Some additional code follows:
function safe_replace($string) {
    // Three further replacements at the top of this function, whose search strings are
    // not legible in the source, are omitted here.
    $string = str_replace('*', '', $string);
    $string = str_replace('"', '&quot;', $string);
    $string = str_replace("'", '', $string);
    $string = str_replace('"', '', $string);     // never matches: '"' was already turned into &quot; above
    $string = str_replace(';', '', $string);
    $string = str_replace('<', '&lt;', $string);
    $string = str_replace('>', '&gt;', $string);
    $string = str_replace('{', '', $string);
    $string = str_replace('}', '', $string);
    return $string;
}
A more comprehensive version is as follows:
Processing the submitted data
// Despite its name, this routine sanitises submitted data before it is stored.
function htmlDecode($str) {
    if (empty($str) || "" == $str) {
        return "";
    }
    $str = strip_tags($str);
    $str = htmlspecialchars($str);
    $str = nl2br($str);
    // Strip characters the author considers risky.
    $str = str_replace("?", "", $str);
    $str = str_replace("*", "", $str);
    $str = str_replace("!", "", $str);
    $str = str_replace("~", "", $str);
    $str = str_replace("$", "", $str);
    $str = str_replace("%", "", $str);
    $str = str_replace("^", "", $str);
    // Remove SQL keywords outright (case-sensitive, lowercase spellings only).
    $str = str_replace("select", "", $str);
    $str = str_replace("join",   "", $str);
    $str = str_replace("union",  "", $str);
    $str = str_replace("where",  "", $str);
    $str = str_replace("insert", "", $str);
    $str = str_replace("delete", "", $str);
    $str = str_replace("update", "", $str);
    $str = str_replace("like",   "", $str);
    $str = str_replace("drop",   "", $str);
    $str = str_replace("create", "", $str);
    $str = str_replace("modify", "", $str);
    $str = str_replace("rename", "", $str);
    $str = str_replace("alter",  "", $str);
    $str = str_replace("cast",   "", $str);
    $farr = array(
        "/\s+/",   // filter extra blanks
        // filter <script ...> and similar tags that could introduce malicious content or code;
        // if you do not need to insert flash etc., you can also add <object to this list
        "/<(\/?)(img|script|i?frame|style|html|body|title|link|meta|\?|\%)([^>]*?)>/isu",
        // filter the JavaScript on* event handler attributes
        "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isu",
    );
    $tarr = array(
        " ",       // runs of whitespace collapse to a single space
        "",        // if you want to clear unsafe tags directly, you can leave this blank
        "",
    );
    // Apply the pattern list; the original built the arrays but did not use them.
    $str = preg_replace($farr, $tarr, $str);
    return $str;
}
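Both the addslashes() prologue and the encode/decode pair above rewrite user data so that it is safe for one particular destination. As an added example, not code from the original post, the following handles the same goal the way current PHP practice does: the value is stored untouched through a bound parameter, so it cannot alter the SQL, and it is encoded only at the moment it is rendered into HTML, so legitimate text containing words such as "select" or "where" survives intact. The table name t_comments and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example (not from the original post). Assumptions: table t_comments with
// one TEXT column "body", SQLite in memory so the script runs without a server.
declare(strict_types=1);

// Encode a string for insertion into an HTML text node or attribute value.
function encodeForHtml(string $value): string {
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces malformed UTF-8
    // instead of returning "" and silently dropping the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store a comment with no keyword filtering: the bound parameter travels
// separately from the SQL text, so its content is data, never query syntax.
function storeComment(PDO $db, string $body): void {
    $stmt = $db->prepare('INSERT INTO t_comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Read the stored values back exactly as they were submitted.
function loadComments(PDO $db): array {
    return $db->query('SELECT body FROM t_comments ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t_comments (body TEXT NOT NULL)');

// Constructed sample input: ordinary text that happens to contain the words
// and characters the keyword filters above would mangle or delete.
$input = "Use SELECT ... WHERE id = 'x' to delete? <b>No</b> & ask first";
storeComment($db, $input);

foreach (loadComments($db) as $body) {
    // The escaping decision is made per output context, at output time;
    // the stored value itself is the raw submission.
    echo '<p>' . encodeForHtml($body) . "</p>\n";
}
```

Run with `php example.php`; the stored row is byte-for-byte the submitted text, and the printed paragraph shows the quotes, angle brackets and ampersand as entities.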