Summary of PHP filters for special dangerous characters
Generally, you can process incoming request data with PHP's addslashes() function (only when get_magic_quotes_gpc() returns false; otherwise magic_quotes has already escaped the data and you would be escaping it a second time). This meets certain basic security requirements. Two caveats: magic_quotes was removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, and addslashes() only prefixes quotes, backslashes and NUL bytes with a backslash, without knowing the target database or the connection charset, so it is a stopgap rather than a substitute for prepared statements or the driver's own quoting function (mysqli_real_escape_string() or PDO::quote()).
For example
The Code is as follows:
// magic_quotes was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0,
// so guard the call; on current PHP the data is never pre-escaped.
if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
    $_GET    = add_slashes($_GET);
    $_POST   = add_slashes($_POST);
    $_COOKIE = add_slashes($_COOKIE);
}

// Apply addslashes() to a string, or recursively to every value of an array.
function add_slashes($string) {
    if (is_array($string)) {
        foreach ($string as $key => $value) {
            $string[$key] = add_slashes($value);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}
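To see what addslashes() does and does not buy you, here is an added example (not code from the original article) that puts the article's escaping next to the two alternatives a practitioner would reach for: the driver's own quoting through PDO::quote() and a bound parameter. It uses an in-memory SQLite database through PDO so it runs offline; the table, rows and inputs are constructed for this example, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example: addslashes() escaping versus driver quoting versus a bound
// parameter, run against a constructed in-memory SQLite table.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('alice')");

// Run a literal SQL string and report the count, or a marker if the
// database refused to parse the statement at all.
function run_literal(PDO $pdo, string $sql): string {
    try {
        return (string) $pdo->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return 'query rejected';
    }
}

// 1. addslashes(): backslash escaping in the MySQL style. It is plain string
//    surgery with no knowledge of the target database or connection charset.
//    SQLite only understands doubled quotes, so 'O\'Brien' is a syntax error
//    there even though MySQL (with default sql_mode) would accept it.
function count_addslashes(PDO $pdo, string $name): string {
    $sql = "SELECT COUNT(*) FROM users WHERE name = '" . addslashes($name) . "'";
    return run_literal($pdo, $sql);
}

// 2. PDO::quote(): the driver builds the literal with its own rules
//    (here 'O''Brien'), so the escaping matches the database in use.
function count_quoted(PDO $pdo, string $name): string {
    $sql = "SELECT COUNT(*) FROM users WHERE name = " . $pdo->quote($name);
    return run_literal($pdo, $sql);
}

// 3. Bound parameter: the value never becomes part of the SQL text, so no
//    character in it can alter the statement's structure. Default choice.
function count_bound(PDO $pdo, string $name): string {
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return (string) $stmt->fetchColumn();
}

// Constructed inputs: a legitimate name containing an apostrophe, a string
// that tries to close the quote early, and a plain value with nothing to escape.
foreach (["O'Brien", "' OR '1'='1", "alice"] as $name) {
    printf("%-14s addslashes=%-15s quote=%-3s bound=%s\n",
        $name,
        count_addslashes($pdo, $name),
        count_quoted($pdo, $name),
        count_bound($pdo, $name));
}
```

The "alice" row shows that addslashes() is harmless when there is nothing to escape; the other two rows show why the escaping has to come from the driver (or, better, not be needed at all because the value is bound).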
You can go further and apply an additional encoding step before the data is stored, with a matching decoding step when it is read back:
The Code is as follows:
// Encoding
function htmlencode($str) {
    // Reject null and the empty string explicitly; empty() would also swallow "0".
    if ($str === null || $str === "") return "";
    $str = trim($str);
    // "&" must be encoded first so the entities added below are not re-encoded.
    $str = str_replace("&", "&amp;", $str);
    $str = str_replace(">", "&gt;", $str);
    $str = str_replace("<", "&lt;", $str);
    $str = str_replace(chr(32), "&nbsp;", $str);   // space
    $str = str_replace(chr(9), "&nbsp;", $str);    // tab
    $str = str_replace(chr(34), "&quot;", $str);   // double quote
    $str = str_replace(chr(39), "&#39;", $str);    // single quote
    $str = str_replace(chr(13), "<br/>", $str);    // carriage return
    $str = str_replace("'", "''", $str);           // never matches: chr(39) was already replaced above
    // Split SQL keywords with a numeric character reference so they are not
    // stored verbatim. str_replace() is case-sensitive: only lower-case matches.
    $str = str_replace("select", "sel&#101;ct", $str);
    $str = str_replace("join", "jo&#105;n", $str);
    $str = str_replace("union", "un&#105;on", $str);
    $str = str_replace("where", "wh&#101;re", $str);
    $str = str_replace("insert", "ins&#101;rt", $str);
    $str = str_replace("delete", "del&#101;te", $str);
    $str = str_replace("update", "up&#100;ate", $str);
    $str = str_replace("like", "lik&#101;", $str);
    $str = str_replace("drop", "dro&#112;", $str);
    $str = str_replace("create", "cr&#101;ate", $str);
    $str = str_replace("modify", "mod&#105;fy", $str);
    $str = str_replace("rename", "ren&#097;me", $str);
    $str = str_replace("alter", "alt&#101;r", $str);
    $str = str_replace("cast", "ca&#115;", $str);
    return $str;
}
In this way, external data can be stored in the database with somewhat more confidence. When the data is read back out of the database and shown on the front end, it has to be decoded again. Note that decoding restores the raw <, >, quotes and SQL keywords, so the decoded value is exactly as dangerous as the original input: escape it with htmlspecialchars() at the point where it is printed into HTML, and never paste it into SQL text.
The Code is as follows:
// Decoding
function htmldecode($str) {
    if ($str === null || $str === "") return "";
    // Put the split SQL keywords back together.
    $str = str_replace("sel&#101;ct", "select", $str);
    $str = str_replace("jo&#105;n", "join", $str);
    $str = str_replace("un&#105;on", "union", $str);
    $str = str_replace("wh&#101;re", "where", $str);
    $str = str_replace("ins&#101;rt", "insert", $str);
    $str = str_replace("del&#101;te", "delete", $str);
    $str = str_replace("up&#100;ate", "update", $str);
    $str = str_replace("lik&#101;", "like", $str);
    $str = str_replace("dro&#112;", "drop", $str);
    $str = str_replace("cr&#101;ate", "create", $str);
    $str = str_replace("mod&#105;fy", "modify", $str);
    $str = str_replace("ren&#097;me", "rename", $str);
    $str = str_replace("alt&#101;r", "alter", $str);
    $str = str_replace("ca&#115;", "cast", $str);
    // Undo the entity encoding in the reverse order of htmlencode(): "&amp;"
    // is decoded last, otherwise an encoded literal "&gt;" (stored as
    // "&amp;gt;") would collapse all the way to ">".
    $str = str_replace("&gt;", ">", $str);
    $str = str_replace("&lt;", "<", $str);
    $str = str_replace("&nbsp;", chr(32), $str);   // spaces (tabs were stored the same way and come back as spaces)
    $str = str_replace("&nbsp;", chr(9), $str);    // never matches: the line above consumed every &nbsp;
    $str = str_replace("&quot;", chr(34), $str);
    $str = str_replace("&#39;", chr(39), $str);
    $str = str_replace("<br/>", chr(13), $str);
    $str = str_replace("''", "'", $str);
    $str = str_replace("&amp;", "&", $str);
    return $str;
}
This adds an encoding and decoding step, but it takes security one step further. Choose whichever approach fits your situation. Keep in mind that the keyword list is a blacklist: str_replace() is case-sensitive, so "SELECT" or "Select" pass through untouched, and htmldecode() puts every split keyword back together before the value is used anyway.
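The following added example (not code from the original article) checks two properties of the htmlencode()/htmldecode() pair above: the keyword splitting only matches the exact case handed to str_replace(), and a value that has been decoded for display is raw again, so it has to be escaped for the context it is printed into. The helper names and the sample strings are assumptions made for this example.

```php
<?php
// Added example: case sensitivity of keyword splitting, and escaping decoded
// values per output context. Sample inputs are constructed below.

// The keyword splitting step, done the way htmlencode() does it (case-sensitive).
function split_sql_keywords(string $s): string {
    return str_replace(
        ['select', 'union', 'where'],
        ['sel&#101;ct', 'un&#105;on', 'wh&#101;re'],
        $s
    );
}

// Escape for an HTML text node or a quoted attribute value. ENT_QUOTES covers
// both quote characters; naming the charset keeps multibyte input intact.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a JavaScript string literal inside a <script> block: json_encode()
// quotes the value and the HEX flags keep "</script>" and "&" out of the output.
function esc_js(string $s): string {
    $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $json;
}

// Constructed inputs: the same keywords in two cases, and a decoded value
// that still contains markup, an event attribute, an ampersand and quotes.
$samples = [
    'select name from users where id = 1',
    'SELECT name FROM users WHERE id = 1',
    '<b onclick="go()">hi</b> & "bye"',
];

foreach ($samples as $s) {
    echo "split  : ", split_sql_keywords($s), "\n";
    echo "html   : <p>", esc_html($s), "</p>\n";
    echo "script : var v = ", esc_js($s), ";\n\n";
}
```

The second sample comes back from split_sql_keywords() unchanged, which is the whole problem with a case-sensitive blacklist; the third shows that once a value is escaped for the context it lands in, its content no longer matters, which is what makes the store-encoded/decode-on-display dance unnecessary.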
Another variant:
The Code is as follows:
function safe_replace($string) {
    $string = str_replace('%20', '', $string);    // URL-encoded space
    $string = str_replace('%27', '', $string);    // URL-encoded single quote
    $string = str_replace('%2527', '', $string);  // double-URL-encoded single quote
    $string = str_replace('*', '', $string);
    $string = str_replace('"', '&quot;', $string);
    $string = str_replace("'", '', $string);
    $string = str_replace('"', '', $string);      // never matches: every " became &quot; two lines up
    $string = str_replace(';', '', $string);
    $string = str_replace('<', '&lt;', $string);
    $string = str_replace('>', '&gt;', $string);
    $string = str_replace("{", '', $string);
    $string = str_replace('}', '', $string);
    return $string;
}
A more comprehensive version:
The Code is as follows:
// Process submitted data
function htmldecode($str) {
    if (empty($str) || "" == $str) {
        return "";
    }
    // The tag and event-handler patterns must run on the raw input: once
    // htmlspecialchars() below has turned "<" into "&lt;" they can no longer match.
    $farr = array(
        '/[ \t]+/',  // collapse runs of spaces and tabs (newlines are kept so nl2br() below still works)
        '/<(\/?)(img|script|i?frame|style|html|body|title|link|meta|\?|\%)([^>]*?)>/isU',  // these tags, opening or closing, so no script or layout-changing markup gets in; extend the list if you do not need to embed flash
        '/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU',  // any tag carrying a JavaScript on* event attribute
    );
    $tarr = array(
        " ",
        "",  // leave blank to remove the unsafe tags outright rather than rewrite them
        "",
    );
    $str = preg_replace($farr, $tarr, $str);
    $str = strip_tags($str);
    $str = htmlspecialchars($str);
    $str = nl2br($str);
    $str = str_replace("?", "", $str);
    $str = str_replace("*", "", $str);
    $str = str_replace("!", "", $str);
    $str = str_replace("~", "", $str);
    $str = str_replace('$', "", $str);
    $str = str_replace("%", "", $str);
    $str = str_replace("^", "", $str);
    // Keyword removal is case-sensitive, exactly as in htmlencode() above.
    $str = str_replace("select", "", $str);
    $str = str_replace("join", "", $str);
    $str = str_replace("union", "", $str);
    $str = str_replace("where", "", $str);
    $str = str_replace("insert", "", $str);
    $str = str_replace("delete", "", $str);
    $str = str_replace("update", "", $str);
    $str = str_replace("like", "", $str);
    $str = str_replace("drop", "", $str);
    $str = str_replace("create", "", $str);
    $str = str_replace("modify", "", $str);
    $str = str_replace("rename", "", $str);
    $str = str_replace("alter", "", $str);
    $str = str_replace("cast", "", $str);
    return $str;
}
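The deletion-based filter above also damages legitimate input, because it removes characters and words that have a perfectly normal meaning in prose. The added example below (not code from the original article) shows that damage on a constructed comment, and contrasts it with allow-list validation for fields whose format is known in advance: accept only what matches the expected shape, reject everything else, and leave free text alone until it is escaped for output. The field names, patterns and sample values are assumptions made for this example.

```php
<?php
// Added example: deletion filtering versus allow-list validation.

// Deletion filter in the spirit of the function above: removes the listed
// punctuation and SQL keywords (case-sensitive, like str_replace()).
function delete_filter(string $str): string {
    $str = str_replace(['?', '*', '!', '~', '$', '%', '^'], '', $str);
    return str_replace(['select', 'update', 'delete', 'like', 'cast'], '', $str);
}

// Allow-list validation: a value either matches the expected format exactly
// or it is rejected. Nothing is "repaired", so nothing is silently changed.
function validate_username(string $v): ?string {
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $v) === 1 ? $v : null;
}

function validate_id(string $v): ?int {
    $id = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validate_email(string $v): ?string {
    $e = filter_var($v, FILTER_VALIDATE_EMAIL);
    return $e === false ? null : $e;
}

// Constructed free-text sample: ordinary English that happens to contain
// "update", "like", "%", "?" and "!". The filter strips all of them.
$comment = "I'd like to update my address. Is 50% off still valid? Thanks!";
echo "filtered comment: ", delete_filter($comment), "\n\n";

// Constructed structured fields: the allow-list accepts the well-formed
// values and rejects the rest without trying to guess what was meant.
foreach (['alice_01', 'alice; drop table', "bob'"] as $u) {
    printf("username %-20s -> %s\n", var_export($u, true), validate_username($u) ?? 'rejected');
}
foreach (['42', '42 OR 1=1', '-7'] as $id) {
    printf("id       %-20s -> %s\n", var_export($id, true), validate_id($id) ?? 'rejected');
}
foreach (['dev@example.com', 'dev@@example.com'] as $e) {
    printf("email    %-20s -> %s\n", var_export($e, true), validate_email($e) ?? 'rejected');
}
```

A rejected value should produce a validation error back to the user; the validated values can then be bound to a prepared statement as they are, and the free-text comment goes to the database untouched and through htmlspecialchars() when it is rendered.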
From: http://www.111cn.net/phper/phpanqn/55876.htm