<? Php
/*************************
Note:
Checks whether the submitted request variables (the values in $_POST and $_GET)
contain characters or keywords that are not allowed.
Function:
Anti-injection (a blocklist pre-filter; it does not replace parameterised queries)
Note: complete the list of illegal patterns in $ArrFiltrate before using this file.
**************************/
// Invalid characters to be filtered
$ ArrFiltrate = array ("", ";", "union ");
// The url to be redirected after an error occurs. If this parameter is left blank, the previous page is displayed by default.
$ StrGoUrl = "#";
// Whether the value in the array exists
Function FunStringExist ($ StrFiltrate, $ ArrFiltrate ){
Foreach ($ ArrFiltrate as $ key => $ value ){
If (eregi ($ value, $ StrFiltrate )){
Return true;
}
}
Return false;
}
// Merge $ _ POST and $ _ GET
If (function_exists (array_merge )){
$ ArrPostAndGet = array_merge ($ _ POST, $ _ GET );
} Else {
Foreach ($ _ POST as $ key => $ value ){
$ ArrPostAndGet [] = $ value;
}
Foreach ($ _ GET as $ key => $ value ){
$ ArrPostAndGet [] = $ value;
}
}
// Verification starts
Foreach ($ ArrPostAndGet as $ key => $ value ){
If (FunStringExist ($ value, $ ArrFiltrate )){
Echo "<script language =" javascript "> alert (" invalid character "); </script> ";
If (empty ($ StrGoUrl )){
Echo "<script language =" javascript "> history. go (-1); </script> ";
} Else {
Echo "<script language =" javascript "> window. location =" ". $ StrGoUrl." "; </script> ";
}
Exit;
}
}
/**
Note: differences between $ HTTP_POST_VARS and $ _ POST
$ HTTP_GET_VARS and $ _ GET $ HTTP_POST_VARS and $ _ POST
$HTTP_POST_VARS exists in PHP 3 and PHP 4. It is not a superglobal, so inside a function it must be imported with `global $HTTP_POST_VARS;`. It was removed in PHP 5.4.
$_POST exists since PHP 4.1.0 and is a superglobal.
Code that has to run on any currently supported PHP version must therefore use $_POST; $HTTP_POST_VARS is only relevant when maintaining code for PHP < 4.1.
Http post variable: $ _ POST
Note: PHP 4.1.0 and later versions are used. In earlier versions, $ HTTP_POST_VARS is used.
An array composed of variables passed through the http post method. Is an automatic global variable.
This is a "superglobal", or it can be described as an automatic global variable. This only means that it is valid in all scripts. You do not need to use global $ _ POST; to access a function or method, just like using $ HTTP_POST_VARS.
$ HTTP_POST_VARS contains the same information, but it is not an automatic global variable. (Note: HTTP_POST_VARS and $ _ POST are different variables. PHP processes them differently .)
**/
PHP anti-injection method 2 (the following code has not been tested, Please modify as needed !) :
The following is a copy of the Code:
$ _ POST = SQL _injection ($ _ POST );
$ _ GET = SQL _injection ($ _ GET );
Function SQL _injection ($ content)
{
If (! Get_magic_quotes_gpc ()){
If (is_array ($ content )){
Foreach ($ content as $ key => $ value ){
$ Content [$ key] = addslashes ($ value );
}
} Else {
Addslashes ($ content );
}
}
Return $ content;
}
The following helper functions can be copied into a system as they are. If a problem is found, or the system changes, a description will be added:
/*
Function Name: inject_check ()
Function function: checks whether submitted values contain SQL Injection characters to prevent injection and protect server security.
Parameter: $ SQL _str: Submitted variable
Return Value: Return detection result, true or false
*/
Function inject_check ($ SQL _str ){
Return eregi (select | insert | update | delete |/* | ../|./| union | into | load_file | outfile, $ SQL _str); // Filter
}
/*
Function Name: verify_id ()
Function: checks whether the submitted ID class value is valid.
Parameter: $ id: Submitted ID value
Return Value: return the ID after processing.
*/
Function verify_id ($ id = null ){
If (! $ Id) {exit (No parameter submitted !); } // Determines if it is null
Elseif (inject_check ($ id) {exit (the submitted parameter is invalid !); } // Injection judgment
Elseif (! Is_numeric ($ id) {exit (the submitted parameter is invalid !); } // Digital judgment
$ Id = intval ($ id); // integer
Return $ id;
}
/*
Function Name: str_check ()
Function: Filter submitted strings.
Parameter: $ var: string to be processed
Return Value: returns the filtered string.
*/
Function str_check ($ str ){
If (! Get_magic_quotes_gpc () {// determines whether magic_quotes_gpc is enabled
$ Str = addslashes ($ str); // Filter
}
$ Str = str_replace ("_", "\ _", $ str); // filter _ out
$ Str = str_replace ("%", "\ %", $ str); // filter % Out
Return $ str;
}
/*
Function Name: post_check ()
Function: process submitted edits.
Parameter: $ post: content to be submitted
Return Value: $ post: The filtered content is returned.
*/
Function post_check ($ post ){
If (! Get_magic_quotes_gpc () {// determines whether magic_quotes_gpc is enabled.
$ Post = addslashes ($ post); // filter submitted data when magic_quotes_gpc is not enabled
}
$ Post = str_replace ("_", "\ _", $ post); // filter _ out
$ Post = str_replace ("%", "\ %", $ post); // filter % Out
$ Post = nl2br ($ post); // press enter to convert
$ Post = htmlspecialchars ($ post); // html tag Conversion
Return $ post;
}
?>