This article introduces a simple, practical example of a PHP anti-injection class. Using two small anti-injection classes as examples, it explains the principle and technique behind PHP anti-injection filtering, which is of real practical value when building a secure website. Readers who need it can refer to it.
This article describes a simple and practical PHP anti-injection class, shared for everyone's reference. The details are as follows:
The information a PHP anti-injection filter needs to check is essentially the GET and POST input, and the SQL it protects is the ordinary SELECT, INSERT and similar commands we use every day. I give two simple examples below, and I hope they can help make your site safer.
The PHP anti-injection class code is as follows:
<?php
/**
 * Parameter processing class
 * @author Jasonwei
 */
class Params
{
    public $get  = array();
    public $post = array();

    function __construct()
    {
        if (!empty($_GET)) {
            foreach ($_GET as $key => $val) {
                if (is_numeric($val)) {
                    $this->get[$key] = $this->getInt($val);
                } else {
                    $this->get[$key] = $this->getStr($val);
                }
            }
        }
        if (!empty($_POST)) {
            foreach ($_POST as $key => $val) {
                if (is_numeric($val)) {
                    $this->post[$key] = $this->getInt($val);
                } else {
                    $this->post[$key] = $this->getStr($val);
                }
            }
        }
    }

    public function getInt($number)
    {
        return intval($number);
    }

    public function getStr($string)
    {
        // get_magic_quotes_gpc() was removed in PHP 8, so only call it where it still exists
        if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
            $string = addslashes($string);
        }
        return $string;
    }

    public function checkInject($string)
    {
        // The original used eregi(), removed in PHP 7; preg_match() with the /i flag is the equivalent
        return preg_match('/select|insert|update|delete|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $string);
    }

    public function verifyId($id = null)
    {
        if (!$id || $this->checkInject($id) || !is_numeric($id)) {
            $id = false;
        } else {
            $id = intval($id);
        }
        return $id;
    }
}
?>
Example two, the code is as follows:
<?php
/*************************
 Description:
 Determine whether the passed variables, such as $_POST and $_GET,
 contain illegal characters
 Function:
 Anti-injection
 *************************/
// Illegal characters to filter
$ArrFiltrate = array("'", "or", "and", "union", "where");
// The URL to jump to after an error; leave empty to return to the previous page
$StrGoUrl = "";

// Whether any value in the array occurs in the string
function FunStringExist($StrFiltrate, $ArrFiltrate)
{
    foreach ($ArrFiltrate as $key => $value) {
        // The original used eregi(); preg_match() with /i and preg_quote() is the equivalent
        if (preg_match('/' . preg_quote($value, '/') . '/i', $StrFiltrate)) {
            return true;
        }
    }
    return false;
}

// Merge $_POST and $_GET (the original read $HTTP_POST_VARS/$HTTP_GET_VARS, removed in PHP 5.4)
if (function_exists('array_merge')) {
    $ArrPostAndGet = array_merge($_POST, $_GET);
} else {
    $ArrPostAndGet = array();
    foreach ($_POST as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
    foreach ($_GET as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
}

// Validation begins
foreach ($ArrPostAndGet as $key => $value) {
    if (FunStringExist($value, $ArrFiltrate)) {
        echo "<script language='JavaScript'>alert('The message must not contain illegal characters such as {\\', or, and, union}. Please replace them.');</script>";
        if (empty($StrGoUrl)) {
            echo "<script language='JavaScript'>history.go(-1);</script>";
        } else {
            echo "<script language='JavaScript'>window.location='" . $StrGoUrl . "';</script>";
        }
        exit;
    }
}
/*************** End of PHP injection prevention *****************/
?>
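Both examples above rely on the same two ideas: a keyword blacklist (example two's word list, example one's checkInject()) and a numeric cast for ids (example one's verifyId()). The following script is an added example, not code from the original article. It runs constructed values through those two rules and then shows the step a defender should pair them with: a PDO prepared statement, where the database driver keeps the value separate from the SQL text. It also shows the side effect of the word list, which matches "or" and "'" as plain substrings and so blocks legitimate names such as "Orlando" or "O'Brien" that a bound parameter handles without trouble. The in-memory SQLite database and the "users" table are assumptions made so the script runs offline.

```php
<?php
// Added example (not from the original article). Re-applies the article's two
// checks to constructed inputs, then performs the lookup with a prepared
// statement. SQLite in-memory database and "users" table are assumptions.

// Keyword list from example two, matched as case-insensitive substrings.
$blacklist = ["'", "or", "and", "union", "where"];

function containsBlacklisted(string $value, array $blacklist): bool
{
    foreach ($blacklist as $word) {
        if (preg_match('/' . preg_quote($word, '/') . '/i', $value)) {
            return true;
        }
    }
    return false;
}

// Same rule as Params::verifyId(): only a purely numeric id survives, as an int.
function verifyId($id)
{
    return is_numeric($id) ? intval($id) : false;
}

// Constructed inputs: a normal id, two legitimate names, and a value built
// only from characters and words the article's own blacklist already lists.
$inputs = [
    'numeric id'       => '42',
    'name with "or"'   => 'Orlando',
    'name with quote'  => "O'Brien",
    'blacklisted word' => "1' or 1",
];

foreach ($inputs as $label => $value) {
    printf("%-17s blacklist=%-7s verifyId=%s\n",
        $label,
        containsBlacklisted($value, $blacklist) ? 'blocked' : 'allowed',
        var_export(verifyId($value), true));
}

// Prepared statements: the value is bound as a parameter, so the driver never
// parses it as part of the SQL text, whatever characters it contains.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
foreach ([42 => 'Orlando', 43 => "O'Brien"] as $id => $name) {
    $insert->execute([':id' => $id, ':name' => $name]);   // apostrophe stored as data
}

function findUserById(PDO $pdo, $rawId)
{
    $id = verifyId($rawId);
    if ($id === false) {
        return null;            // non-numeric ids never reach the database
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function findUserByName(PDO $pdo, string $name)
{
    // No escaping or keyword filtering needed: the name travels as a bound string.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

var_dump(findUserById($pdo, '42'));
var_dump(findUserById($pdo, "1' or 1"));
var_dump(findUserByName($pdo, "O'Brien"));
```

Run it with the PHP CLI (php example.php) on any build with the pdo_sqlite extension. The first loop shows that the word list blocks the two ordinary names while verifyId() accepts only the numeric id; the prepared-statement lookups then return the stored rows for those same names with no filtering step at all, which is why the cast and the bound parameter, rather than the blacklist, are the part of these examples worth keeping.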
I hope this article is helpful for everyone's PHP programming.