PHP anti-injection function code summary_PHP tutorial-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

PHP anti-injection function code summary_PHP tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 13, 2016 pm 05:11 PM

php generally code overall situation function exist string Summarize document injection of filter

To prevent injection in PHP, a global file is usually written to filter special strings. This article summarizes various PHP anti-injection function codes. It can also prevent SQL injection for your reference.

For security, we often use the following function to filter some passed illegal characters:

PHP anti-injection function

The code is as follows

Copy code

代码如下

复制代码

//要过滤的非法字符
$ArrFiltrate=array(“‘”,”;”,”union”,”select”,”delete”,”‘”,”or”,”and”,”=”);
//出错后要跳转的url,不填则默认前一页
$StrGoUrl=”";
//是否存在数组中的值
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//合并$_POST 和 $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
}
//验证开始
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
if (empty($StrGoUrl)){
echo “”;
}else{
echo “”;
}
exit;
}
}

//Illegal characters to be filtered
$ArrFiltrate=array(“‘”,”;”,”union”,”select”,”delete”,”‘”,”or”,”and”,”=”);
//The URL to jump to after an error occurs. If not filled in, the previous page will be defaulted
$StrGoUrl=””;
//Whether there is a value in the array
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//Merge $_POST and $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
}
//Verification starts
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
if (empty($StrGoUrl)){
echo “”;
}else{
echo “”;
}
exit;
}
}

Look at another example that is similar to the above. This is the method used by the dz forum

代码如下

复制代码

$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
$_FILES = daddslashes($_FILES);
}

The code is as follows

Copy code

$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
$_FILES = daddslashes($_FILES);
}
function daddslashes($string, $force = 0) {
if(!$GLOBALS['magic_quotes_gpc'] || $force) {
if(is_array($string)) {
foreach($string as $key => $val) {
$string[$key] = daddslashes($val, $force);
}
} else {
$string = addslashes($string);
}
}
return $string;
}

Lastly post an enhanced version

The code is as follows

Copy code

$field = explode(',', $data);
array_walk($field, array($this, 'add_special_char'));
$data = implode(',', $field);
/**
* Add backticks on both sides of the field to ensure database security
* @param $value array value
*/
public function add_special_char(&$value) {
if('*' == $value || false !== strpos($value, '(') || false !== strpos($value, '.') || false !== strpos ( $value, '`')) {
//Do not process include * or use sql method.
} else {
$value = '`'.trim($value).''';
}
return $value;
}
function str_filter($str) {
$str = htmlspecialchars ( $str );
if (! get_magic_quotes_gpc ()) {
$str = addslashes ( $str );
}
//Filter dangerous characters
return preg_replace ( "/["'=]|(and)|(or)|(create)|(update)|(alter)|(delete)|(insert)|(load_file)|(outfile)|(count) |(%20)|(char)/i", "", $str );
}
/*
Function name: str_check()
Function: Filter the submitted string
Parameters: $var: string to be processed
Return value: Return the filtered string
*/
function str_check($str) {
if (! get_magic_quotes_gpc ()) { // Determine whether magic_quotes_gpc is turned on
$str = addslashes ( $str ); // Filter
}
$str = str_replace ( "_", "_", $str ); // Filter out '_'
$str = str_replace ( "%", "%", $str ); // Filter out '%'
return $str;
}

/*
Function name: post_check()
Function: Process the submitted editing content
Parameters: $post: Content to be submitted
Return value: $post: Returns filtered content
*/
function post_check($post) {
if (! get_magic_quotes_gpc ()) { // Determine whether magic_quotes_gpc is open
$post = addslashes ( $post ); // Filter submitted data when magic_quotes_gpc is not turned on
}
$post = str_replace ( "_", "_", $post ); // Filter out '_'
$post = str_replace ( "%", "%", $post ); // Filter out '%'
$post = nl2br ( $post ); // Enter conversion
$post = htmlspecialchars ( $post ); // html tag conversion
return $post;
}
/*
Function name: inject_check()
Function: Detect whether the submitted value contains SQL injection characters, prevent injection, and protect server security
Parameter: $sql_str: Submitted variable
Return value: Return the detection result, true or false
*/
function inject_check($sql_str) {
return eregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str); // Filter
}

/*
Function name: verify_id()
Function: Verify whether the submitted ID value is legal
Parameters: $id: Submitted ID value
Return value: Return the processed ID
*/
function verify_id($id=null) {
if (!$id) { exit('No parameters submitted!'); } // Determine whether it is empty
elseif (inject_check($id)) { exit('The submitted parameter is illegal!'); } // Injection judgment
elseif (!is_numeric($id)) { exit('The submitted parameter is illegal!'); } // Numeric judgment
$id = intval($id); // Integer

return $id;
}

// $rptype = 0 表示仅替换 html标记
// $rptype = 1 表示替换 html标记同时去除连续空白字符
// $rptype = 2 表示替换 html标记同时去除所有空白字符
// $rptype = -1 表示仅替换 html危险的标记
function HtmlReplace($str, $rptype = 0) {
$str = stripslashes ( $str );
if ($rptype == 0) {
$str = htmlspecialchars ( $str );
} else if ($rptype == 1) {
$str = htmlspecialchars ( $str );
$str = str_replace ( "　", ' ', $str );
$str = ereg_replace ( "[rnt ]{1,}", ' ', $str );
} else if ($rptype == 2) {
$str = htmlspecialchars ( $str );
$str = str_replace ( "　", '', $str );
$str = ereg_replace ( "[rnt ]", '', $str );
} else {
$str = ereg_replace ( "[rnt ]{1,}", ' ', $str );
$str = eregi_replace ( 'script', 'ｓｃｒｉｐｔ', $str );
$str = eregi_replace ( "<[/]{0,1}(link|meta|ifr|fra)[^>]*>", '', $str );
}
return addslashes ( $str );
}
//递归ddslashes
function daddslashes($string, $force = 0, $strip = FALSE) {
if (! get_magic_quotes_gpc () || $force) {
  if (is_array ( $string )) {
   foreach ( $string as $key => $val ) {
    $string [$key] = daddslashes ( $val, $force );
   }
  } else {
   $string = addslashes ( $strip ? stripslashes ( $string ) : $string );
  }
}
return $string;
}

//递归stripslashes
function dstripslashes($string) {
if (is_array ( $string )) {
  foreach ( $string as $key => $val ) {
   $string [$key] = $this->dstripslashes ( $val );
  }
} else {
  $string = stripslashes ( $string );
}
return $string;
}
/**
* 安全过滤函数
* @param $string 要过滤的字符串
* @return string 返回处理过的字符串
*/
function safe_replace($string) {
$string = str_replace('%20','',$string);
$string = str_replace('%27','',$string);
$string = str_replace('%2527','',$string);
$string = str_replace('*','',$string);
$string = str_replace('"','"',$string);
$string = str_replace("'",'',$string);
$string = str_replace('"','',$string);
$string = str_replace(';','',$string);
$string = str_replace('<','<',$string);
$string = str_replace('>','>',$string);
$string = str_replace("{",'',$string);
$string = str_replace('}','',$string);
return $string;
}

/**
* 使用htmlspecialchars处理字符串或数组
* @param $obj 需要处理的字符串或数组
* @return mixed 返回经htmlspecialchars处理过的字符串或数组
*/
function new_htmlspecialchars($string) {
if(!is_array($string))
return htmlspecialchars($string);
foreach($string as $key => $val)
$string[$key] = new_htmlspecialchars($val);
return $string;
}

//处理禁用HTML但允许换行的内容
function TrimMsg($msg) {
$msg = trim ( stripslashes ( $msg ) );
$msg = nl2br ( htmlspecialchars ( $msg ) );
$msg = str_replace ( " ", " ", $msg );
return addslashes ( $msg );
}

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Assassin's Creed Shadows: Seashell Riddle Solution

3 weeks ago By DDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

2 weeks ago By DDD

Where to find the Crane Control Keycard in Atomfall

3 weeks ago By DDD

Assassin's Creed Shadows - How To Find The Blacksmith And Unlock Weapon And Armour Customisation

4 weeks ago By DDD

Roblox: Dead Rails - How To Complete Every Challenge

3 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7579

CakePHP Tutorial

1386

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers

111

Related knowledge

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

How To Set Up Visual Studio Code (VS Code) for PHP Development Dec 20, 2024 am 11:31 AM

Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c

7 PHP Functions I Regret I Didn't Know Before Nov 13, 2024 am 09:42 AM

If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op

Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Apr 05, 2025 am 12:04 AM

JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,

How do you parse and process HTML/XML in PHP? Feb 07, 2025 am 11:57 AM

This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an

PHP Program to Count Vowels in a String Feb 07, 2025 pm 12:12 PM

A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total

Explain late static binding in PHP (static::). Apr 03, 2025 am 12:04 AM

Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.

What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases? Apr 03, 2025 am 12:03 AM

What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.

See all articles