PHP anti-injection function code summary_PHP tutorial-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

PHP anti-injection function code summary_PHP tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 13, 2016 pm 05:11 PM

php generally code overall situation function exist string Summarize document injection of filter

To prevent injection in PHP, a global file is usually written to filter special strings. This article summarizes various PHP anti-injection function codes. It can also prevent SQL injection for your reference.

For security, we often use the following function to filter some passed illegal characters:

PHP anti-injection function

The code is as follows

Copy code

代码如下

复制代码

//要过滤的非法字符
$ArrFiltrate=array(“‘”,”;”,”union”,”select”,”delete”,”‘”,”or”,”and”,”=”);
//出错后要跳转的url,不填则默认前一页
$StrGoUrl=”";
//是否存在数组中的值
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//合并$_POST 和 $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
}
//验证开始
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
if (empty($StrGoUrl)){
echo “”;
}else{
echo “”;
}
exit;
}
}

//Illegal characters to be filtered
$ArrFiltrate=array(“‘”,”;”,”union”,”select”,”delete”,”‘”,”or”,”and”,”=”);
//The URL to jump to after an error occurs. If not filled in, the previous page will be defaulted
$StrGoUrl=””;
//Whether there is a value in the array
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//Merge $_POST and $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
}
//Verification starts
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
if (empty($StrGoUrl)){
echo “”;
}else{
echo “”;
}
exit;
}
}

Look at another example that is similar to the above. This is the method used by the dz forum

代码如下

复制代码

$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
$_FILES = daddslashes($_FILES);
}

The code is as follows

Copy code

$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
$_FILES = daddslashes($_FILES);
}
function daddslashes($string, $force = 0) {
if(!$GLOBALS['magic_quotes_gpc'] || $force) {
if(is_array($string)) {
foreach($string as $key => $val) {
$string[$key] = daddslashes($val, $force);
}
} else {
$string = addslashes($string);
}
}
return $string;
}

Lastly post an enhanced version

The code is as follows

Copy code

$field = explode(',', $data);
array_walk($field, array($this, 'add_special_char'));
$data = implode(',', $field);
/**
* Add backticks on both sides of the field to ensure database security
* @param $value array value
*/
public function add_special_char(&$value) {
if('*' == $value || false !== strpos($value, '(') || false !== strpos($value, '.') || false !== strpos ( $value, '`')) {
//Do not process include * or use sql method.
} else {
$value = '`'.trim($value).''';
}
return $value;
}
function str_filter($str) {
$str = htmlspecialchars ( $str );
if (! get_magic_quotes_gpc ()) {
$str = addslashes ( $str );
}
//Filter dangerous characters
return preg_replace ( "/["'=]|(and)|(or)|(create)|(update)|(alter)|(delete)|(insert)|(load_file)|(outfile)|(count) |(%20)|(char)/i", "", $str );
}
/*
Function name: str_check()
Function: Filter the submitted string
Parameters: $var: string to be processed
Return value: Return the filtered string
*/
function str_check($str) {
if (! get_magic_quotes_gpc ()) { // Determine whether magic_quotes_gpc is turned on
$str = addslashes ( $str ); // Filter
}
$str = str_replace ( "_", "_", $str ); // Filter out '_'
$str = str_replace ( "%", "%", $str ); // Filter out '%'
return $str;
}

/*
Function name: post_check()
Function: Process the submitted editing content
Parameters: $post: Content to be submitted
Return value: $post: Returns filtered content
*/
function post_check($post) {
if (! get_magic_quotes_gpc ()) { // Determine whether magic_quotes_gpc is open
$post = addslashes ( $post ); // Filter submitted data when magic_quotes_gpc is not turned on
}
$post = str_replace ( "_", "_", $post ); // Filter out '_'
$post = str_replace ( "%", "%", $post ); // Filter out '%'
$post = nl2br ( $post ); // Enter conversion
$post = htmlspecialchars ( $post ); // html tag conversion
return $post;
}
/*
Function name: inject_check()
Function: Detect whether the submitted value contains SQL injection characters, prevent injection, and protect server security
Parameter: $sql_str: Submitted variable
Return value: Return the detection result, true or false
*/
function inject_check($sql_str) {
return eregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str); // Filter
}

/*
Function name: verify_id()
Function: Verify whether the submitted ID value is legal
Parameters: $id: Submitted ID value
Return value: Return the processed ID
*/
function verify_id($id=null) {
if (!$id) { exit('No parameters submitted!'); } // Determine whether it is empty
elseif (inject_check($id)) { exit('The submitted parameter is illegal!'); } // Injection judgment
elseif (!is_numeric($id)) { exit('The submitted parameter is illegal!'); } // Numeric judgment
$id = intval($id); // Integer

return $id;
}

// $rptype = 0 表示仅替换 html标记
// $rptype = 1 表示替换 html标记同时去除连续空白字符
// $rptype = 2 表示替换 html标记同时去除所有空白字符
// $rptype = -1 表示仅替换 html危险的标记
function HtmlReplace($str, $rptype = 0) {
$str = stripslashes ( $str );
if ($rptype == 0) {
$str = htmlspecialchars ( $str );
} else if ($rptype == 1) {
$str = htmlspecialchars ( $str );
$str = str_replace ( "　", ' ', $str );
$str = ereg_replace ( "[rnt ]{1,}", ' ', $str );
} else if ($rptype == 2) {
$str = htmlspecialchars ( $str );
$str = str_replace ( "　", '', $str );
$str = ereg_replace ( "[rnt ]", '', $str );
} else {
$str = ereg_replace ( "[rnt ]{1,}", ' ', $str );
$str = eregi_replace ( 'script', 'ｓｃｒｉｐｔ', $str );
$str = eregi_replace ( "<[/]{0,1}(link|meta|ifr|fra)[^>]*>", '', $str );
}
return addslashes ( $str );
}
//递归ddslashes
function daddslashes($string, $force = 0, $strip = FALSE) {
if (! get_magic_quotes_gpc () || $force) {
  if (is_array ( $string )) {
   foreach ( $string as $key => $val ) {
    $string [$key] = daddslashes ( $val, $force );
   }
  } else {
   $string = addslashes ( $strip ? stripslashes ( $string ) : $string );
  }
}
return $string;
}

//递归stripslashes
function dstripslashes($string) {
if (is_array ( $string )) {
  foreach ( $string as $key => $val ) {
   $string [$key] = $this->dstripslashes ( $val );
  }
} else {
  $string = stripslashes ( $string );
}
return $string;
}
/**
* 安全过滤函数
* @param $string 要过滤的字符串
* @return string 返回处理过的字符串
*/
function safe_replace($string) {
$string = str_replace('%20','',$string);
$string = str_replace('%27','',$string);
$string = str_replace('%2527','',$string);
$string = str_replace('*','',$string);
$string = str_replace('"','"',$string);
$string = str_replace("'",'',$string);
$string = str_replace('"','',$string);
$string = str_replace(';','',$string);
$string = str_replace('<','<',$string);
$string = str_replace('>','>',$string);
$string = str_replace("{",'',$string);
$string = str_replace('}','',$string);
return $string;
}

/**
* 使用htmlspecialchars处理字符串或数组
* @param $obj 需要处理的字符串或数组
* @return mixed 返回经htmlspecialchars处理过的字符串或数组
*/
function new_htmlspecialchars($string) {
if(!is_array($string))
return htmlspecialchars($string);
foreach($string as $key => $val)
$string[$key] = new_htmlspecialchars($val);
return $string;
}

//处理禁用HTML但允许换行的内容
function TrimMsg($msg) {
$msg = trim ( stripslashes ( $msg ) );
$msg = nl2br ( htmlspecialchars ( $msg ) );
$msg = str_replace ( " ", " ", $msg );
return addslashes ( $msg );
}

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Roblox: Grow A Garden - Complete Mutation Guide

4 weeks ago By DDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

1 months ago By 尊渡假赌尊渡假赌尊渡假赌

Nordhold: Fusion System, Explained

1 months ago By 尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Clair Obscur: Expedition 33 UE-Sandfall Game Crash? 3 Ways!

2 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Java Tutorial

1677

CakePHP Tutorial

1431

Laravel Tutorial

1334

PHP Tutorial

1280

C# Tutorial

1257

Related knowledge

What happens if session_start() is called multiple times? Apr 25, 2025 am 12:06 AM

Multiple calls to session_start() will result in warning messages and possible data overwrites. 1) PHP will issue a warning, prompting that the session has been started. 2) It may cause unexpected overwriting of session data. 3) Use session_status() to check the session status to avoid repeated calls.

Composer: Aiding PHP Development Through AI Apr 29, 2025 am 12:27 AM

AI can help optimize the use of Composer. Specific methods include: 1. Dependency management optimization: AI analyzes dependencies, recommends the best version combination, and reduces conflicts. 2. Automated code generation: AI generates composer.json files that conform to best practices. 3. Improve code quality: AI detects potential problems, provides optimization suggestions, and improves code quality. These methods are implemented through machine learning and natural language processing technologies to help developers improve efficiency and code quality.

What is the significance of the session_start() function? May 03, 2025 am 12:18 AM

session_start()iscrucialinPHPformanagingusersessions.1)Itinitiatesanewsessionifnoneexists,2)resumesanexistingsession,and3)setsasessioncookieforcontinuityacrossrequests,enablingapplicationslikeuserauthenticationandpersonalizedcontent.

How to use MySQL functions for data processing and calculation Apr 29, 2025 pm 04:21 PM

MySQL functions can be used for data processing and calculation. 1. Basic usage includes string processing, date calculation and mathematical operations. 2. Advanced usage involves combining multiple functions to implement complex operations. 3. Performance optimization requires avoiding the use of functions in the WHERE clause and using GROUPBY and temporary tables.

H5: Key Improvements in HTML5 Apr 28, 2025 am 12:26 AM

HTML5 brings five key improvements: 1. Semantic tags improve code clarity and SEO effects; 2. Multimedia support simplifies video and audio embedding; 3. Form enhancement simplifies verification; 4. Offline and local storage improves user experience; 5. Canvas and graphics functions enhance the visualization of web pages.

Composer: The Package Manager for PHP Developers May 02, 2025 am 12:23 AM

Composer is a dependency management tool for PHP, and manages project dependencies through composer.json file. 1) parse composer.json to obtain dependency information; 2) parse dependencies to form a dependency tree; 3) download and install dependencies from Packagist to the vendor directory; 4) generate composer.lock file to lock the dependency version to ensure team consistency and project maintainability.

How to configure the character set and collation rules of MySQL Apr 29, 2025 pm 04:06 PM

Methods for configuring character sets and collations in MySQL include: 1. Setting the character sets and collations at the server level: SETNAMES'utf8'; SETCHARACTERSETutf8; SETCOLLATION_CONNECTION='utf8_general_ci'; 2. Create a database that uses specific character sets and collations: CREATEDATABASEexample_dbCHARACTERSETutf8COLLATEutf8_general_ci; 3. Specify character sets and collations when creating a table: CREATETABLEexample_table(idINT

How to use type traits in C? Apr 28, 2025 pm 08:18 PM

typetraits are used in C for compile-time type checking and operation, improving code flexibility and type safety. 1) Type judgment is performed through std::is_integral and std::is_floating_point to achieve efficient type checking and output. 2) Use std::is_trivially_copyable to optimize vector copy and select different copy strategies according to the type. 3) Pay attention to compile-time decision-making, type safety, performance optimization and code complexity. Reasonable use of typetraits can greatly improve code quality.

See all articles