DedeCMS recently reported vulnerabilities, so I am sharing a PHP filter function here; experts may skip this, as it is posted for beginners to learn from and discuss.
Function code: Code as follows://php bulk filter Post,get sensitive data if (GET_MAGIC_QUOTES_GPC ()) { $_get = Stripslashes_array ($_get); &n Bsp $_post = Stripslashes_array ($_post); } function Stripslashes_array (& $array) { while ($key, $ var) = each ($array)) { if ($key!= ' argc ' && $key!= ' argv ' && (Strtoupper ($key)!= $key | | '. Intval ($key) = = "$key") { if (is_string ($var)) { $array [$key] = stripslashes ($var); } if (is_a Rray ($var)) { $array [$key] = Stripslashes_array ($var); } } } return $array; } / /filter function HTMLEncode ($STR) { if (empty ($STR)) return; if ($str = "") return $str; $str =trim ($ STR); $str =str_replace ("&", "&", $str); $str =str_replace (">", ">", $str); $str =str_ Replace ("<", "<", $str); $str =str_replace (CHR), "", $str); $str =str_replace (Chr (9), "", $str); $STR =str_replace (Chr (9), "", $str); $str =str_replaCE (CHR), "&", $str); $str =str_replace (Chr (), "'", $str); $str =str_replace (CHR), , $STR ); $str =str_replace ("'", "" ", $str); $str =str_replace (" Select "," select ", $str); $str =str_replace ( "Script", "script", $str); $str =str_replace ("script", "script", $str); $str =str_replace ("Join", "join", $ STR); $str =str_replace ("union", "union", $str); $str =str_replace ("where", "where", $str); $str =str_ Replace ("Insert", "Insert", $str); $str =str_replace ("delete", "delete", $str); $str =str_replace ("Update" , "Update", $STR); $str =str_replace ("like", "like", $str); $str =str_replace ("Drop", "drop", $STR); $ Str=str_replace ("Create", "create", $str); $str =str_replace ("Modify", "Modify", $str); $str =str_replace ( "Rename", "Rename", $str); $str =str_replace ("Alter", "Alter", $STR); $str =str_replace ("Cast", "CAS", $STR) ; return $str; } /decoder function HtmlDecode ($STR) { if (empty ($STR)) return; if ($str = = "") return $str; $str =str_replace ("Select", "select", $str); $str =str_replace ("Join", " Join ", $STR); $str =str_replace (" union "," union ", $str); $str =str_replace (" 
where "," where ", $str); $ Str=str_replace ("Insert", "Insert", $str); $str =str_replace ("delete", "delete", $str); $str =str_replace ( "Update", "Update", $STR); $str =str_replace ("like", "like", $str); $str =str_replace ("Drop", "drop", $str); $STR =str_replace ("Create", "create", $str); $str =str_replace ("Modify", "Modify", $str); $str =str_ Replace ("rename", "Rename", $str); $str =str_replace ("Alter", "Alter", $STR); $str =str_replace ("cas", " Cast ", $str); $str =str_replace (" & "," & ", $str); $str =str_replace (" > "," > ", $str); $str =str_replace ("<", "<", $str); $str =str_replace ("", Chr (), $str); $str =str_replace ("", Chr (9), $STR ); $str =str_replace ("", Chr (9), $str); $str =str_replace ("&", Chr (), $str); $str =str_replace ("'", Chr (), $str); $str =str_replace (" ", Chr (), $str); $str =str_replace ("" "," ", $str) ; return $str; } /function: String_filter ($string, $match _type=1) //function: Filter illegal content //parameter: //$s Tring need to check the string //$match _type match type, 1 for exact match, 2 for fuzzy match, default for 1 // //return: Illegal content return true, no illegal content return false // Other: illegal keyword list saved in txt file, divided into common illegal keywords and serious illegal keywords two list //author:heiyeluren //Time:2006-1-18 // //============ ========================================================== function Lib_lawless_string_filter ($string, $ match_type=1) { //String null directly returns illegal $string = Trim ($string); if (empty ($string)) { return false; } //Get an important list of keywords and a list of common keywords $common _file = "Common_list.txt"; Universal Filter Keyword list $signify _file = "Signify_list.txt"; Important Filter Keywords list //If no list file exists direct return false, otherwise read two file list to two array if (!file_exists ($common _file) | |!file_exists ($ signify_file)) { return false; }&nbsP $common _list = file ($common _file); $signify _list 
= file ($signify _file); //Exact match if ($match _type = 1) & nbsp { $is _lawless = Exact_match ($string, $common _list); } //Fuzzy matching if ($match _type = = 2) { $ is_lawless = Blur_match ($string, $common _list, $signify _list); } //Determine whether there is data in the array of retrieved results, and if so, prove to be illegal if (is_ Array ($is _lawless) &&!empty ($is _lawless)) { return true; } else { return false;& nbsp } } //--------------------- //exact match for filtration service //--------------------- function Exact_match ( $string, $common _list) { $string = Trim ($string); $string = Lib_replace_end_tag ($string); // Retrieves the generic filter keyword list foreach ($common _list as $block) { $block = Trim ($block); if (Preg_match ("/^ $string $ /i ", $block)) { $blist [] = $block; } } //Judge There is no filtered content in the array if (!empty ($blist)) {&NB Sp Return Array_unique ($blist); &nBsp } return false; } //---------------------- //fuzzy matching, for filtering services //---------------------- function Blur_match ($string, $common _list, $signify _list) { $string = Trim ($string); $s _len = strlen ($ String); $string = Lib_replace_end_tag ($string); //Retrieving Generic filter keywords list foreach ($common _list as $block) { $block = Trim ($block); if (Preg_match ("/^ $string $/i", $block)) { $blist [] = $block;   ; } } //Retrieving Critical filter keywords list foreach ($signify _list as $block) { $block = Trim ($block); if ($s _le N>=strlen ($block) && preg_match ("/$block/I", $string)) { $blist [] = $block; } } //Judge if there is no filtered content in the array if (!empty ($blist)) { return Array_unique ($blist); } return false; } //-------------------------- //replace HTML tail tag, for filter services //-------------------------- function Lib_replace_end_tag ($str) { if (empty($STR)) return false; $str = Htmlspecialchars ($str); $str = Str_replace ('/', "", $str); $str = Str_replace ("", "", $str); $str = Str_replace (">", 
"", $str); $str = Str_replace ("<", "", $str); $str = Str_replac E ("", "", $str); $str = Str_replace ("", "", $str); $str =str_replace ("Select", "select", $str); $str =str _replace ("Join", "join", $str); $str =str_replace ("union", "union", $str); $str =str_replace ("where", " where ", $str); $str =str_replace (" Insert "," Insert ", $str); $str =str_replace (" delete "," delete ", $str); $STR =str_replace ("Update", "Update", $STR); $str =str_replace ("like", "like", $str); $str =str_ Replace ("Drop", "drop", $str); $str =str_replace ("Create", "create", $str); $str =str_replace ("Modify", " Modify ", $str); $str =str_replace (" rename "," Rename ", $str); $str =str_replace (" Alter "," Alter ", $STR); $STR =str_replace ("cas", "cast", $str); $str =str_replace ("&", "&", $stR); $str =str_replace (">", ">", $str); $str =str_replace ("<", "<", $str); $str =str_ Replace ("", Chr (), $str); $str =str_replace ("", Chr (9), $str); $str =str_replace ("", Chr (9), $STR); $ Str=str_replace ("&", Chr, $str); $str =str_replace ("'", Chr (), $str); $str =str_replace (" " , Chr (), $str); $str =str_replace ("" "," ", $str); $str =str_replace (" CSS "," ' ", $str); $str =str_ Replace ("CSS", "'", $str); return $str; //html tag, which can be used as an extended filter /* $tags = Array ("/html", "/head", "/ Body ","/div ","/span ","/doctype ","/title ","/link ","/meta ","/style ","/P ","/h1, ","/h2, ","/h3, ","/h4, "", ""/h5, "", "" H6 ","/strong ","/em ","/abbr ","/acronym ","/address ","/bdo ","/blockquote ","/cite "," Q ","/code ","/ins ","/del "," D FN ","/KBD ","/pre ","/samp ","/var ","/br ","/A ","/img ","/area ","/map ","/object ","/param ","/ul ","/ol ","/li ","/DL " ","/dt ","/dd ","/table ","/tr ","/td ","/th ","/tbody ","/thead "," tFoot ","/col ","/colgroup ","/caption ","/form ","/input ","/textarea ","/select ","/option ","/optgroup ","/button "," l Abel ","/fieldset ","/legend ","/script ","/noscript ","/b "," I ","/tt ","/sub ","/sup ","/big ","/small ","/hr 
"); */} Code: Reference is directly like this: code is as follows: $xxx = htmlspecialchars ($_post[' xxx ')); or code as follows: $xxx = htmlspecialchars ($_get[' xxx '));