PHP anti-injection security implementation program code

I have talked about a lot of SQL injection prevention codes before, but we still have to start with our server script. Let’s talk about some common methods of preventing injection in PHP for your reference.

The most common one is probably

First set magic_quotes_gpc to On and display_errors to Off. If it is an id type, we use intval() to convert it to an integer type, as shown in the code:
$id=intval($id);

Okay, let me introduce the basic principles of PHP submission data filtering

1) When submitting variables into the database, we must use addslashes() for filtering. For example, our injection problem can be solved with just one addslashes(). In fact, when it comes to variable values, the intval() function is also a good choice for filtering strings.

2) Enable magic_quotes_gpc and magic_quotes_runtime in php.ini. magic_quotes_gpc can change the quotation marks in get, post, and cookie into slashes. magic_quotes_runtime can play a formatting role in data entering and exiting the database. In fact, this parameter has been very popular since the old days when injection was crazy.

3) When using system functions, you must use escapeshellarg(), escapeshellcmd() parameters to filter, so that you can use system functions with confidence.

4) For cross-site, both parameters of strip_tags() and htmlspecialchars() are good. All tags with html and php submitted by users will be converted. For example, angle brackets "<" will be converted into harmless characters such as "<".

The code is as follows

Copy code

$new = htmlspecialchars("Test", ENT_QUOTES);

代码如下	复制代码
$new = htmlspecialchars("Test", ENT_QUOTES); strip_tags($text,);

strip_tags($text,);

5) Regarding the filtering of related functions, just like the previous include(), unlink, fopen(), etc., as long as you specify the variables you want to perform the operation or strictly filter the related characters, I think this will be enough. Impeccable.

2. Simple data filtering with PHP

1) Storage: trim($str),addslashes($str)
2) Deposit: stripslashes($str)
3) Display: htmlspecialchars(nl2br($str))

Share an example

Specific code:

The code is as follows

Copy code

//security.php
/**
* @author zhengwei
* @copyright 2007
*/

/*
Function name: inject_check()
Function: Detect whether the submitted value contains SQL injection characters, prevent injection, and protect server security
Parameter: $sql_str: submitted variable
Return value: return detection result, true or false
Function author: heiyeluren
*/
function inject_check($sql_str) {
Return eregi('select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str); // Filter
}

/*
Function name: verify_id()
Function: Verify whether the submitted ID value is legal
Parameters: $id: submitted ID value
Return value: Return the processed ID
Function author: heiyeluren
*/
function verify_id($id=null) {
if (!$id) { exit('No parameters submitted!'); } // Determine whether it is empty
elseif (inject_check($id)) { exit('The submitted parameters are illegal!'); } // Injection judgment
elseif (!is_numeric($id)) { exit('The submitted parameter is illegal!'); } // Numeric judgment
$id = intval($id); // Integerization

return $id;
}

/*
Function name: str_check()
Function: Filter the submitted string
Parameters: $var: string to be processed
Return value: Returns the filtered string
Function author: heiyeluren
*/
function str_check( $str ) {
if (!get_magic_quotes_gpc()) { // Determine whether magic_quotes_gpc is turned on
$str = addslashes($str); // Filter
}
$str = str_replace("_", "_", $str); // Filter out '_'
$str = str_replace("%", "%", $str); // Filter out '%'

Return $str;
}

/*
Function name: post_check()
Function: Process the submitted editing content
Parameters: $post: Content to be submitted
Return value: $post: Returns the filtered content
Function author: heiyeluren
*/
function post_check($post) {
if (!get_magic_quotes_gpc()) { // Determine whether magic_quotes_gpc is turned on
$post = addslashes($post); // Filter the submitted data when magic_quotes_gpc is not opened
}
$post = str_replace("_", "_", $post); // Filter out '_'
$post = str_replace("%", "%", $post); // Filter out '%'
$post = nl2br($post); // Enter conversion
$post = htmlspecialchars($post); // html tag conversion

Return $post;
}

foreach ($_POST as $post_key=>$post_var)
{
if (is_numeric($post_var)) {
$post[strtolower($post_key)] = get_int($post_var);
} else {
$post[strtolower($post_key)] = get_str($post_var);
}
}

/* Filter function */
//Integer filter function
function get_int($number)
{
Return intval($number);
}
//String filter function
function get_str($string)
{
If (!get_magic_quotes_gpc()) {
return addslashes($string);
}
Return $string;
}

In some cms I will see

foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}

This code then loads this function on all pages. In this way, when filtering, I find that there seems to be a problem when uploading files.

Related labels：

php sql code but about Safety accomplish us injection of program still

source：php.cn

Previous article：PHP anti-injection configuration and php anti-injection code_PHP tutorial Next article：PHP verification code generation program code_PHP tutorial

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

PHP anti-injection security implementation program code_PHP tutorial