Php general anti-injection class

Source: Internet
Author: User

<?php
/*************************
Note:
Determines whether the passed variables contain invalid characters,
such as $_POST and $_GET.
Function:
Anti-injection
Note: complete the list of illegal characters to be filtered as needed.
**************************/

// Invalid characters to be filtered. The first entry lost its character in
// extraction; it is assumed here to be the single quote the original script used.
$ArrFiltrate = array("'", ";", "union");
// The URL to redirect to after an error occurs. If left blank, the previous page is shown by default.
$StrGoUrl = "#";

// Whether any value in the array occurs in the string
function FunStringExist($StrFiltrate, $ArrFiltrate) {
    foreach ($ArrFiltrate as $key => $value) {
        // eregi() was removed in PHP 7; a case-insensitive preg_match() on the
        // quoted value gives the same check for these literal entries.
        if (preg_match('/' . preg_quote($value, '/') . '/i', $StrFiltrate)) {
            return true;
        }
    }
    return false;
}

// Merge $_POST and $_GET
$ArrPostAndGet = array();
if (function_exists('array_merge')) {
    $ArrPostAndGet = array_merge($_POST, $_GET);
} else {
    foreach ($_POST as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
    foreach ($_GET as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
}

// Verification starts
foreach ($ArrPostAndGet as $key => $value) {
    if (FunStringExist($value, $ArrFiltrate)) {
        echo "<script language=\"javascript\">alert(\"invalid character\");</script>";
        if (empty($StrGoUrl)) {
            echo "<script language=\"javascript\">history.go(-1);</script>";
        } else {
            echo "<script language=\"javascript\">window.location=\"" . $StrGoUrl . "\";</script>";
        }
        exit;
    }
}

/**
Note: differences between $HTTP_POST_VARS and $_POST
($HTTP_GET_VARS and $_GET differ in the same way as $HTTP_POST_VARS and $_POST.)

$HTTP_POST_VARS can be used in version 3.0 and later. $HTTP_POST_VARS is not an automatic global variable.

$_POST can only be used in version 4.0 or later.

To make your code work on more versions, write $HTTP_POST_VARS.

HTTP POST variables: $_POST
Note: available in PHP 4.1.0 and later; earlier versions use $HTTP_POST_VARS.

An array of variables passed through the HTTP POST method. It is an automatic global variable.

This is a "superglobal", also described as an automatic global variable. This simply means that it is available in every scope of a script: you do not need to write global $_POST; to access it inside a function or method, as you would with $HTTP_POST_VARS.

$HTTP_POST_VARS contains the same information, but it is not an automatic global variable. (Note: $HTTP_POST_VARS and $_POST are different variables; PHP processes them differently.)
**/

PHP anti-injection method 2 (the following code has not been tested; please modify as needed):
The following is a copy of the code:

$_POST = SQL_injection($_POST);
$_GET = SQL_injection($_GET);

function SQL_injection($content) {
    // get_magic_quotes_gpc() was removed in PHP 8; guard the call so the
    // function still runs there (magic quotes are always off since PHP 5.4).
    $magic_quotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic_quotes) {
        if (is_array($content)) {
            foreach ($content as $key => $value) {
                $content[$key] = addslashes($value);
            }
        } else {
            // The original discarded the return value of addslashes(); it must be assigned.
            $content = addslashes($content);
        }
    }
    return $content;
}

For the system, you can use the following code as-is. If there is a problem or the system changes, I will add a description:

/*
Function name: inject_check()
Function: checks whether a submitted value contains SQL injection characters, to prevent injection and protect the server.
Parameter: $sql_str: the submitted variable
Return value: the detection result, true or false
*/
function inject_check($sql_str) {
    // eregi() was removed in PHP 7; preg_match() with the i flag is the
    // equivalent. The metacharacters in the keyword list are escaped so that
    // "/*", "../" and "./" match literally instead of acting as regex operators.
    return preg_match('/select|insert|update|delete|\/\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str) === 1; // Filter
}

/*
Function name: verify_id()
Function: checks whether a submitted ID value is valid.
Parameter: $id: the submitted ID value
Return value: the ID after processing.
*/
function verify_id($id = null) {
    if (!$id) { exit('No parameter submitted!'); }                                   // empty check (note: also rejects "0")
    elseif (inject_check($id)) { exit('The submitted parameter is invalid!'); }     // injection check
    elseif (!is_numeric($id)) { exit('The submitted parameter is invalid!'); }      // numeric check
    $id = intval($id); // integer

    return $id;
}

/*
Function name: str_check()
Function: filters a submitted string.
Parameter: $str: the string to be processed
Return value: the filtered string.
*/
function str_check($str) {
    // get_magic_quotes_gpc() was removed in PHP 8, so the call is guarded.
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) { // is magic_quotes_gpc enabled?
        $str = addslashes($str); // Filter
    }
    $str = str_replace("_", "\_", $str); // escape _ (LIKE wildcard)
    $str = str_replace("%", "\%", $str); // escape % (LIKE wildcard)

    return $str;
}

/*
Function name: post_check()
Function: processes submitted content.
Parameter: $post: the content to be submitted
Return value: $post: the filtered content.
*/
function post_check($post) {
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) { // is magic_quotes_gpc enabled?
        $post = addslashes($post); // escape submitted data when magic_quotes_gpc is not enabled
    }
    $post = str_replace("_", "\_", $post); // escape _ (LIKE wildcard)
    $post = str_replace("%", "\%", $post); // escape % (LIKE wildcard)
    $post = nl2br($post);            // convert newlines to <br>
    $post = htmlspecialchars($post); // convert HTML special characters

    return $post;
}
?>
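The keyword list in inject_check() shows what a blacklist can and cannot do: it rejects any value containing "union" or "select", even a legitimate one, while a value carrying a quote but no keyword passes. As an added example that is not code from the original page, the script below runs that check beside a PDO prepared statement, which keeps the value out of the SQL text entirely. It assumes PHP 7 or later with the pdo_sqlite extension; the table and the inputs are constructed for the demonstration.

```php
<?php
// Added example, not part of the original page. Assumes PHP 7+ with
// pdo_sqlite; the table below is constructed in memory so it runs offline.

// Same pattern as the page's inject_check(), written with preg_match()
// because eregi() no longer exists in PHP 7.
function keyword_blacklisted(string $s): bool {
    $pattern = '/select|insert|update|delete|\/\*|\.\.\/|\.\/|union|into|load_file|outfile/i';
    return preg_match($pattern, $s) === 1;
}

// Parameterised lookup: the name is bound as data, so quotes or SQL
// keywords inside it never change the structure of the statement.
function find_place(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM places WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE places (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO places (name) VALUES ('Union Station'), ('Harbour')");

// Constructed inputs: a benign value that trips the keyword blacklist, a
// value with a quote and a comment marker but no keyword, and a plain one.
$inputs = ['Union Station', "Harbour' --", 'Harbour'];

foreach ($inputs as $in) {
    $verdict = keyword_blacklisted($in) ? 'rejected by blacklist' : 'passes blacklist';
    $rows = find_place($pdo, $in); // safe regardless of the verdict
    printf("%-20s %-22s prepared-statement rows: %d\n",
        var_export($in, true), $verdict, count($rows));
}
```

The blacklist turns "Union Station" away although the prepared statement finds its row, and it lets "Harbour' --" through although the prepared statement simply finds no such name; validation such as verify_id() still belongs on the input, but the query itself should not rely on keyword filtering.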
 

 
