Summary of PHP filtering special dangerous characters

Generally, for the incoming characters, PHP can be processed with the Addslashes function (to GET_MAGIC_QUOTES_GPC () to deal with the false, or repeat the escape! ), so as to achieve a certain level of security requirements
Like this.

The code is as follows	Copy Code
if (!GET_MAGIC_QUOTES_GPC ()) { Add_slashes ($_get); Add_slashes ($_post); Add_slashes ($_cookie); } function Add_slashes ($string) { if (Is_array ($string)) { foreach ($string as $key => $value) { $string [$key] = add_slashes ($value); } } else { $string = Addslashes ($string); } return $string; }

But it can be further coded, decoded, as follows:

The code is as follows

Copy Code

Coding function HTMLEncode ($STR) { if (empty ($STR)) return; if ($str = = "") return $str; $str =trim ($STR); $str =str_replace ("&", "&", $str); $str =str_replace (">", ">", $str); $str =str_replace ("<", "<", $str); $str =str_replace (CHR), " ", $str); $str =str_replace (Chr (9), " ", $str); $str =str_replace (CHR), "&", $str); $str =str_replace (CHR), "& #39;", $STR); $str =str_replace (CHR), "<br/>", $str); $str =str_replace ("'", "" ", $str); $str =str_replace ("select", "sel& #101; CT", $str); $str =str_replace ("Join", "jo& #105; n", $str); $str =str_replace ("union", "un& #105; on", $STR); $str =str_replace ("where", "wh& #101; Re", $STR); $str =str_replace ("Insert", "ins& #101; RT", $STR); $str =str_replace ("delete", "del& #101; TE", $str); $str =str_replace ("Update", "up& #100; ate", $str); $str =str_replace ("Like", "lik& #101;", $STR); $str =str_replace ("Drop", "dro& #112;", $STR); $str =str_replace ("Create", "cr& #101; ate", $str); $str =str_replace ("Modify", "mod& #105; FY", $str); $str =str_replace ("rename", "ren& #097; Me", $str); $STR =str_replace ("Alter", "alt& #101; r", $str); $str =str_replace ("Cast", "ca& #115;", $STR); return $str; }

This can be more assured of external data warehousing processing, but removed from the database, in the foreground display, you must decode:

The code is as follows

Copy Code

Decoding function HtmlDecode ($STR) { if (empty ($STR)) return; if ($str = = "") return $str; $str =str_replace ("sel& #101; CT", "select", $str); $str =str_replace ("jo& #105; n", "join", $STR); $str =str_replace ("un& #105; on", "union", $STR); $str =str_replace ("wh& #101; Re", "where", $str); $str =str_replace ("ins& #101; RT", "Insert", $STR); $str =str_replace ("del& #101; TE", "delete", $str); $str =str_replace ("up& #100; ate", "Update", $STR); $str =str_replace ("lik& #101;", "like", $STR); $str =str_replace ("dro& #112;", "Drop", $str); $str =str_replace ("cr& #101; ate", "create", $STR); $str =str_replace ("mod& #105; FY", "Modify", $str); $str =str_replace ("ren& #097; Me", "rename", $str); $str =str_replace ("alt& #101 R", "Alter", $STR); $str =str_replace ("ca& #115;", "cast", $STR); $str =str_replace ("&", "&", $str); $str =str_replace (">", ">", $str); $str =str_replace ("<", "<", $str); $str =str_replace (" ", Chr (), $STR); $str =str_replace (" ", Chr (9), $STR); $str =str_replace ("&", Chr (), $STR); $str =str_replace ("& #39;", Chr (), $STR); $str =str_replace ("<br/>", Chr (), $STR); $str =str_replace ("" "," "", $str); return $str; }

Although more than one step coding, decoding the process, but security, will go further, how to do, their own choice.

And then attach some

code is as follows

copy code

function Safe_replace ($string) {   $string = Str_replace (",", $ string);   $string = Str_replace (",", $string);   $string = Str_replace (",", $string);   $string = str_replace (' * ', ', $string ');   $string = Str_replace (' ", '" ", $string);   $string = Str_replace ("'", ", $string);   $string = Str_replace (' ",", $string);   $string = Str_replace ('; ', ', $string);   $string = str_replace (' < ', ' < ', $string);   $string = str_replace (' > ', ' > ', $string);   $string = Str_replace ("{", ', $string);   $string = Str_replace ('} ', ', $string);  return $string; }

More comprehensive

The code is as follows

Copy Code

Processing of submitted data function HtmlDecode ($STR) { if (Empty ($STR) | | "" = = $str) { Return ""; } $str = Strip_tags ($STR); $str = Htmlspecialchars ($STR); $str = NL2BR ($STR); $str = Str_replace ("?", "", $str); $str = Str_replace ("*", "", $str); $str = Str_replace ("!", "", $str); $str = Str_replace ("~", "", $str); $str = Str_replace ("$", "", $str); $str = str_replace ("%", "", $str); $str = Str_replace ("^", "", $str); $str = Str_replace ("^", "", $str); $str = Str_replace ("Select", "", $str); $str = Str_replace ("Join", "", $str); $str = Str_replace ("union", "" ", $str); $str = Str_replace ("where", "", $str); $str = Str_replace ("Insert", "", $str); $str = str_replace ("delete", "", $str); $str = Str_replace ("Update", "", $str); $str = Str_replace ("Like", "", $str); $str = Str_replace ("Drop", "", $str); $str = Str_replace ("Create", "", $str); $str = Str_replace ("Modify", "", $str); $str = str_replace ("rename", "", $str); $str = Str_replace ("Alter", "", $str); $str = Str_replace ("Cast", "", $str); $farr = Array ("//s+/",//filter for extra whitespace "/< (//?) (img|script|i?frame|style|html|body|title|link|meta|/?| /%) ([^>]*?) >/isu ",//filter <script prevent the introduction of malicious content or malicious code, if you do not need to insert flash, etc., you can also add <object filter "/(<[^>]*) on[a-za-z]+/s*= ([^>]*>)/isu")//filter JavaScript on event ; $tarr = Array ("", "",///If you want to clear unsafe labels directly, you can leave this blank "" ); return $str; }