PHP uses str_replace to prevent injection

Source: Internet
Author: User
Tags printable characters
The str_replace() function replaces every occurrence of a given substring. The snippets below use it (together with a few regular expressions) as a deny-list that strips or rewrites characters commonly seen in injection payloads. Be aware that deny-list filtering of this kind is not a reliable defence against SQL injection or XSS: alternate encodings, case variants and tokens that are simply missing from the list get through. Use prepared statements for database access and context-aware output encoding (for example htmlspecialchars() with ENT_QUOTES for HTML), and treat the functions below as legacy examples rather than as a security control.
The code is as follows:
/**
* Security filter functions
*
* @ Param $ string
* @ Return string
*/
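/**
 * Legacy deny-list filter: strips a fixed set of characters and URL-encoded
 * tokens that are commonly abused in injection payloads.
 *
 * Replacements are applied in the listed order, each over the whole string,
 * which is exactly what the original chain of str_replace() calls did.
 *
 * Security note: this is a deny-list, not an escaping function. It cannot
 * make input safe for SQL, HTML or shell contexts (alternate encodings,
 * characters it does not list and multibyte tricks all pass through).
 * Use prepared statements for SQL and context-aware output encoding
 * (e.g. htmlspecialchars() with ENT_QUOTES) for HTML; keep this only for
 * existing callers that depend on it.
 *
 * @param string $string untrusted input
 * @return string the input with every listed token removed
 */
function safe_replace($string)
{
    // Needles removed outright, in order. Later needles see the result of
    // earlier ones, so e.g. a literal '%20' is gone before '*' is checked.
    //
    // NOTE(review): the page rendering garbled this listing. '%100' is kept
    // as transcribed but looks like a damaged token (confirm against the
    // original source), and the final str_replace('', '', ...) of the
    // listing had an empty needle - a no-op in PHP - so it is dropped here.
    // The listing also "replaced" '"', '<' and '>' with themselves, which
    // does nothing; if HTML entity encoding was the intent, do that at
    // output time with htmlspecialchars() rather than here.
    $search = [
        '%20',  // URL-encoded space
        '%27',  // URL-encoded single quote
        '%100', // see note above
        '*',
        "'",
        '"',
        ';',
        '{',
        '}',
    ];

    return str_replace($search, '', $string);
}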
?>


/**
* Returns a string or array processed by addslashes.
* @ Param $ string the string or array to be processed
* @ Return mixed
*/
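/**
 * Apply addslashes() to a string, or recursively to every leaf of an array.
 *
 * Array keys are preserved; only values are escaped. Nested arrays are
 * handled by recursion.
 *
 * Security note: addslashes() is not a database escaping function - it
 * knows nothing about the connection charset and is bypassable in some
 * multibyte encodings. Use prepared statements (or the driver's own
 * quoting) for SQL; this helper exists only for legacy callers.
 *
 * NOTE(review): the listed version was missing the closing parenthesis of
 * the is_array() test (a parse error as printed); that is fixed here.
 *
 * @param string|array $string the value to escape
 * @return string|array the escaped value, with the same shape as the input
 */
function new_addslashes($string)
{
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = new_addslashes($val);
        }

        return $string;
    }

    return addslashes($string);
}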
?>


// Deny-list filter for a request string (legacy helper; not a replacement for prepared statements or context-aware output encoding)
/*
$ Safestep
0 is not processed,
1. Disable insecure HTML content (javascript, etc ),
2. completely disable HTML content and replace some insecure strings (for example, eval (, union, CONCAT (, --, and so on)
*/
/**
 * Deny-list filter for request strings (legacy; see the notes below).
 *
 * @param string $str      untrusted input
 * @param int    $safestep 0 = return unchanged; 1 = strip a few HTML tags and
 *                         "script:" URLs; 2 = HTML-encode and re-slash the
 *                         string, then rewrite some SQL/JS keywords. Any
 *                         value below 0 is treated as 1.
 * @return string|null the filtered string; preg_replace() yields null if a
 *                     pattern fails to compile (see the notes)
 *
 * Security note: this is a deny-list and is not a substitute for prepared
 * statements (SQL) or context-aware output encoding (HTML). The keyword
 * rewrites (eval/union/concat/--) are trivially bypassed by any spelling or
 * function not on the list. htmlspecialchars() is called without ENT_QUOTES,
 * so on PHP < 8.1 single quotes are left unencoded.
 *
 * NOTE(review): this listing was damaged in transcription. The spaces inside
 * variable names and patterns, the capitalised keywords and modifiers, the
 * $Safestep vs $safestep / $Str vs $str case mismatches (PHP variables are
 * case-sensitive, so as printed each assignment writes a different variable
 * than the one returned) and "if ($safestep = 1)" (an assignment, always
 * true) all look like rendering artifacts for $safestep, $str, "==" and
 * "#...#i". The two "# [] {1, }#" patterns lost their character-class
 * contents (as printed the class is unterminated and the pattern does not
 * compile), and the replacement texts "script:", 'eval', 'concat' and '--'
 * are identical to what they match - the originals were presumably
 * entity-encoded forms that the page rendered back to plain text. Restore
 * from the real source before using any of this.
 */
Function StringSafe ($ str, $ safestep =-1 ){
// Negative values fall back to level 1.
// NOTE(review): as printed the true branch reads the undefined $Safestep
// rather than the parameter - presumably a case-mangled $safestep.
$ Safestep = ($ safestep>-1 )? $ Safestep: 1;
// Level 1: strip script-ish markup but keep the rest of the HTML.
// NOTE(review): "= 1" is an assignment as printed; "== 1" was surely meant.
If ($ safestep = 1 ){
// Neutralise "script:" URLs. As printed the replacement equals the match
// (a no-op); the original most likely substituted an entity-encoded colon.
$ Str = preg_replace ("# script: # I", "script:", $ str );
// Remove opening and closing tags whose name starts with link, meta, ifr,
// fra or scr (link, meta, iframe, frame, script), ungreedy, case-insensitive.
$ Str = preg_replace ("# <[/] {0, 1} (link | meta | ifr | fra | scr) [^>] *> # isU ",'', $ str );
// Collapse a run of some whitespace characters. NOTE(review): the class
// contents were lost in transcription; confirm which characters it removed.
$ Str = preg_replace ("# [] {1, }#", '', $ str );
Return $ str;
// Level 2: HTML-encode everything, then mangle a few SQL/JS keywords.
// NOTE(review): "= 2" is an assignment as printed; "== 2" was surely meant.
} Else if ($ safestep = 2 ){
// stripslashes() undoes any earlier magic-quotes/addslashes pass, the
// result is HTML-encoded, then re-slashed for a later SQL-style use.
$ Str = addslashes (htmlspecialchars (stripslashes ($ str )));
// Keyword rewrites. As printed 'eval', 'concat' and '--' replace themselves
// (no-ops); 'union' -> 'join' is the only visible change. These are
// presumably entity-encoded in the original. Note that they are substring
// matches and will also alter legitimate words such as "reunion".
$ Str = preg_replace ("# eval # I", 'eval', $ str );
$ Str = preg_replace ("# union # I", 'join', $ str );
$ Str = preg_replace ("# concat # I", 'concat', $ str );
$ Str = preg_replace ("# -- #", '--', $ str );
// Same whitespace collapse as level 1 (see the note there).
$ Str = preg_replace ("# [] {1, }#", '', $ str );
Return $ str;
// Level 0 (or anything else): pass through untouched.
} Else {
Return $ str;
}
}
?>


/**
+ ----------------------------------------------------------
* Outputs secure html for filtering dangerous code
+ ----------------------------------------------------------
* @ Access public
+ ----------------------------------------------------------
* @ Param string $ string to be processed by text
* @ Param mixed $ the list of tags allowed by tags, such as table | td | th | td
+ ----------------------------------------------------------
* @ Return string
+ ----------------------------------------------------------
*/
Static public function safeHtml ($ text, $ tags = null)
{
// Overview: dangerous attributes and URL schemes are cut out of tags, allowed
// tags are rewritten with '[' ']' placeholders instead of '<' '>', attribute
// quotes become '|' placeholders, every remaining '<' '>' '"' is treated as
// data, and finally the placeholders are mapped back to real markup.
//
// NOTE(review): the enclosing class is not in this listing; the method
// reads self::$htmlTags['allow'] and ['ban'] from it. The $tags parameter
// is never read - the code below tests $allowTags and $banTag, which are
// not assigned before the empty() checks, so the class defaults always win.
//
// NOTE(review): the page rendering stripped most of the regular expressions
// (several appear as '/ /' and would simply delete single spaces) and the
// backslashes in backreferences such as '[12]' (presumably [\1\2]) and
// 's *' / '2' (presumably \s* / \2). Nothing below should be used without
// restoring it from the original source.
//
// Security note: even when intact this is a deny-list sanitiser (attribute
// names and URL schemes not in the two lists - e.g. data: - pass through).
// Prefer a maintained HTML sanitiser, or escape with htmlspecialchars() and
// do not allow raw tags at all.
$ Text = trim ($ text );
// Remove HTML comments (pattern lost in transcription).
$ Text = preg_replace ('/ /', '', $ Text );
// Remove server-side / dynamic code blocks (pattern lost in transcription).
$ Text = preg_replace ('/ /', '', $ Text );
// Remove <script> blocks (pattern lost in transcription).
$ Text = preg_replace ('/ /', '', $ Text );
// Protect the placeholder characters used below so that user-supplied
// '[', ']' and '|' cannot be turned into '<', '>' and '"' at the end.
// NOTE(review): as printed all three replace a character with itself and do
// nothing; the originals were presumably entity references. As printed this
// is a real bypass: an input such as [img src=x onerror=1] is never inside
// a '<...>' and so skips the attribute filter, then becomes a live tag at
// the reverse conversion below.
$ Text = str_replace ('[', '[', $ text );
$ Text = str_replace (']', ']', $ text );
$ Text = str_replace ('|', '|', $ text );
// Drop line breaks (pattern lost in transcription).
$ Text = preg_replace ('/? /', '', $ Text );
// Rewrite <br> tags as the [br] placeholder (pattern lost in transcription),
// then collapse 10 or more consecutive [br] into one.
$ Text = preg_replace ('/ /I ',' [br] ', $ text );
$ Text = preg_replace ('/([br] s *) {10,}/I', '[br]', $ text );
// Strip dangerous attributes inside a single tag: anything starting with
// lang, on (event handlers), action, background, codebase, dynsrc, lowsrc.
// The match is by substring, not by attribute name, and only inside a
// '<...>' that contains no other '<' or '>'.
While (preg_match ('/(<[^> <] +) (lang | on | action | background | codebase | dynsrc | lowsrc) [^> <] +/I ', $ text, $ mat )){
$ Text = str_replace ($ mat [0], $ mat [1], $ text );
}
// Strip dangerous URL schemes / JS object references inside a tag
// (window., javascript:, js:, about:, file:, document., vbs:, cookie),
// keeping the text on either side of the token.
While (preg_match ('/(<[^> <] +) (window. | javascript: | js: | about: | file: | document. | vbs: | cookie) ([^> <] *)/I ', $ text, $ mat )){
$ Text = str_replace ($ mat [0], $ mat [1]. $ mat [3], $ text );
}
// Allowed-tag list: falls back to the class default (see the note above
// about $tags never being consulted).
If (empty ($ allowTags) {$ allowTags = self: $ htmlTags ['allow'];}
// Rewrite allowed opening tags as [tag attrs] placeholders.
// NOTE(review): '[12]' is a literal as printed; [\1\2] was presumably meant.
$ Text = preg_replace ('/<('. $ allowTags. ') ([^> <[] *)>/I', '[12]', $ text );
// Remove banned tags. NOTE(review): $banTag is assigned but, as printed,
// the pattern on the next line no longer references it.
If (empty ($ banTag) {$ banTag = self ::$ htmlTags ['ban'];}
$ Text = preg_replace ('/ <] *>/I ', '', $ text );
// Any remaining well-formed tag is converted to placeholder form as well.
While (preg_match ('/<([a-z] +) [^> <[] *> [^> <] * /I ', $ text, $ mat )){
$ Text = str_replace ($ mat [0], str_replace ('>', ']', str_replace ('<', '[', $ mat [0]), $ text );
}
// Attribute values: replace the surrounding quote pair with '|' placeholders.
While (preg_match ('/([^ [] * = s *) ("|') ([^ 2 = [] +) 2 ([^ [] *])/I ', $ text, $ mat )){
$ Text = str_replace ($ mat [0], $ mat [1]. '| '. $ mat [3]. '| '. $ mat [4], $ text );
}
// Empty attribute values ('' and "") become an empty placeholder pair.
// NOTE(review): ''' is not valid PHP as printed; presumably '\''.
$ Text = str_replace (''', '|', $ text );
$ Text = str_replace ('"', '|', $ text );
// Remove unmatched quotes left inside a placeholder tag.
While (preg_match ('/[^ [] * ("|') [^ [] *]/I ', $ text, $ mat )){
$ Text = str_replace ($ mat [0], str_replace ($ mat [1], '', $ mat [0]), $ text );
}
// Everything that is still a raw '<', '>' or '"' is data, not markup.
// NOTE(review): as printed these replace each character with itself (no-ops);
// the originals were presumably &lt; &gt; &quot;.
$ Text = str_replace ('<', '<', $ text );
$ Text = str_replace ('>', '>', $ text );
$ Text = str_replace ('"', '"', $ text );
// Map the placeholders back to real markup.
$ Text = str_replace ('[', '<', $ text );
$ Text = str_replace (']', '>', $ text );
$ Text = str_replace ('|', '"', $ text );
// Collapse extra spaces. NOTE(review): as printed the needle is empty (a
// no-op); the original character was lost in transcription.
$ Text = str_replace ('','', $ text );
Return $ text;
}
?>


/**
 * Deny-list XSS filter (the widely copied "RemoveXSS" routine).
 *
 * Steps, as listed: (1) strip control characters; (2) fold numeric HTML
 * entities for ordinary ASCII characters back to the character, so an
 * entity-encoded letter cannot hide a word such as "javascript"; (3) for a
 * fixed list of tag names and on* event-handler names, repeatedly insert
 * text after the second character of every match (even when its letters
 * are separated by entity-encoded whitespace) until a round changes
 * nothing.
 *
 * @param string $val untrusted input
 * @return string|null the mangled string; preg_replace() returns null if a
 *                     pattern fails to compile (see the notes below)
 *
 * Security note: this is a deny-list and does not reliably prevent XSS -
 * any tag or attribute not in $ra1/$ra2 passes through untouched, and the
 * lists are both incomplete and visibly corrupted in this transcription
 * ('onabport', 'oncore', 'onkeylow', 'lay', unquoted entries, trailing
 * spaces inside names, 'onload' listed twice). Prefer context-aware output
 * encoding (htmlspecialchars() with ENT_QUOTES) or a maintained sanitiser.
 *
 * NOTE(review): the page rendering removed backslashes and some tokens:
 * '$ val'-style spacing, capitalised keywords, the escapes in the control
 * character class (presumably \x00-\x08 etc.; as printed, '0-x' is a range
 * over most of printable ASCII and would delete letters and digits), the
 * '&#' prefix of the decimal-entity patterns, the 'z' / upper-case / digit
 * alphabets, and the '<...>' token that the "nerf the tag" comment refers
 * to. Restore from the original before use.
 */
Function RemoveXSS ($ val ){
// Remove non-printable characters. CR, LF and TAB are deliberately kept
// (they are legal in normal input); splits made with them are handled by
// the entity-whitespace patterns further down.
// NOTE(review): as printed the class reads [x00-x08,x0b-x0c,x0e-x19]; the
// \x escapes were almost certainly lost in transcription.
$ Val = preg_replace ('/([x00-x08, x0b-x0c, x0e-x19])/', '', $ val );
// Straight replacements: decode numeric entities for ordinary characters,
// since a user never needs to encode these and attackers use them to hide
// keywords (e.g. an entity-encoded "j" in "javascript").
// NOTE(review): as printed the alphabets are damaged (no 'z', the second
// line is not upper-case, the digit line reads '2017'); confirm.
$ Search = 'abcdefghijklmnopqrstuvwxy ';
$ Search. = 'abcdefghijklmnopqrstuvwxy ';
$ Search. = '2017! @ # $ % ^ &*()';
$ Search. = '~ '";:? +/= {} []-_ | '';
For ($ I = 0; $ I <strlen ($ search); $ I ++ ){
// ';?' makes the trailing semicolon optional.
// '0{0,8}' accepts up to eight padding zeros.
// Hexadecimal form: &#x..; (case-insensitive).
$ Val = preg_replace ('/(& # [xX] 0 {0, 8}'. dechex (ord ($ search [$ I]). ';?) /I ', $ search [$ I], $ val); // with;
// Decimal form: &#..; NOTE(review): the '&#' prefix is missing as printed,
// which leaves a quantifier with nothing to repeat (pattern will not compile).
$ Val = preg_replace ('/({0, 8}'. ord ($ search [$ I]). ';?) /', $ Search [$ I], $ val); // with;
}
// After decoding, the only whitespace that can still be smuggled between
// letters is entity-encoded TAB / LF / CR, which the patterns below allow.
// Tag names to break up. NOTE(review): several entries carry trailing
// spaces inside the quotes as printed and would never match.
$ Ra1 = Array ('javascript ', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'Blink ', 'link ', 'style', 'script', 'Embed ', 'object', 'iframe', 'frameset', 'ilayer', 'lay', 'bgsound ', 'title', 'base ');
// Event-handler attribute names to break up (see the security note about
// corruption and completeness of this list).
$ Ra2 = Array ('onabport', 'onactivate', 'onafterprint ', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate ', onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick ', oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag ', 'ondragend', 'ondragenter', 'ondragleave ', 'ondragover', 'ondragstart', 'ondrop', 'onerrorupdat', 'onfilterchang', 'onfinish ', 'oncore', 'onfocusin', 'onfocusout ', 'onhelp', 'onkeylow', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture ', onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend ', 'onmovestart', 'onpaste ', 'onpropertychang', 'onreadystatechang', 'onreset', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit ', 'onrowsdelete', 'onrowsinserted', 'onscroll ', 'onselect', 'onselectionchang', 'onselectstart', 'onstart', 'onstop', 'onsubmit ', 'onload ');
$ Ra = array_merge ($ ra1, $ ra2 );
$ Found = true; // keep replacing as long as the previous round replaced something
// NOTE(review): "$found = true" in the condition is an assignment and is
// always true, so as printed this loop never terminates; "==" was meant.
// Even with "==", the flag is cleared as soon as any single pattern leaves
// the string equal to the round's starting value, so a round whose first
// pattern matched nothing ends the loop even if later patterns in that same
// round did replace something - probably not what the comment intends.
While ($ found = true ){
$ Val_before = $ val;
For ($ I = 0; $ I <sizeof ($ ra); $ I ++ ){
// Build a pattern that matches the name letter by letter, allowing any
// number of entity-encoded whitespace characters between letters.
$ Pattern = '/';
For ($ j = 0; $ j <strlen ($ ra [$ I]); $ j ++ ){
If ($ j> 0 ){
$ Pattern. = '(';
// Hex entities 9, a, b (TAB, LF, VT). NOTE(review): CR (d) is not listed.
$ Pattern. = '(& # [xX] 0 {0, 8} ([9ab]);)';
// An empty alternative follows ('||'), as in the original listing.
$ Pattern. = '| ';
// Decimal entities. NOTE(review): '&#' is missing as printed, and
// '[9|10|13]' is a character class (one of the characters 9 | 1 0 3), not
// the alternation 9|10|13 - so &#10; and &#13; are never matched.
$ Pattern. = '| ({0, 8} ([9 | 10 | 13]);)';
$ Pattern. = ')*';
}
$ Pattern. = $ ra [$ I] [$ j];
}
$ Pattern. = '/I ';
// Insert a token after the second character so the name no longer parses.
// NOTE(review): the listing inserts a single space as printed; the comment
// says the original inserted a '<...>'-style token that the page rendering
// swallowed - confirm.
$ Replacement = substr ($ ra [$ I], 0, 2 ).' '. Substr ($ ra [$ I], 2); // add in <> to nerf the tag
$ Val = preg_replace ($ pattern, $ replacement, $ val); // filter out the hex tags
// Compared against the value at the start of the round, not the previous
// pattern (see the note on the loop condition above).
If ($ val_before ==$ val ){
// This pattern changed nothing: mark the loop for exit.
$ Found = false;
}
}
}
Return $ val;
}
?>
