简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)
Home > Backend Development > PHP Tutorial > body text

Summary of filtering special dangerous characters in php

高洛峰
Release: 2016-11-29 15:20:05
Original
1711 people have browsed it

在网站中表单提交或url获取值我们都可能碰到一些安全问题,下面我总结了一些常用的过滤一些危险特殊字符的解决方法,一般,对于传进来的字符,php可以用addslashes函数处理一遍(要get_magic_quotes_gpc()为假才处理,不然就重复转义了!),这样就能达到一定程度的安全要求,比如这样,代码如下:

if (!get_magic_quotes_gpc()) {      

     add_slashes($_GET);      

     add_slashes($_POST);      

     add_slashes($_COOKIE);      

}      

      

function add_slashes($string) {      

     if (is_array($string)) {      

         foreach ($string as $key => $value) {      

             $string[$key] = add_slashes($value);      

         }      

     } else {      

         $string = addslashes($string);      

     }  

     return $string;      

但是还可以更进一步进行重新编码,解码,代码如下:

//编码 

function htmlencode($str) {       

      if(emptyempty($str)) return;  

      if($str=="") return $str;        

      $str=trim($str);  

      $str=str_replace("&","&",$str);  

      $str=str_replace(">",">",$str);  

      $str=str_replace("<","&lt;",$str);  

      $str=str_replace(chr(32),"&nbsp;",$str);  

      $str=str_replace(chr(9),"&nbsp;",$str);  

      $str=str_replace(chr(34),"&",$str);  

      $str=str_replace(chr(39),"&#39;",$str);  

      $str=str_replace(chr(13),"<br />",$str);  

      $str=str_replace("'","''",$str);  

      $str=str_replace("select","sel&#101;ct",$str);  

      $str=str_replace("join","jo&#105;n",$str);  

      $str=str_replace("union","un&#105;on",$str);  

      $str=str_replace("where","wh&#101;re",$str);  

      $str=str_replace("insert","ins&#101;rt",$str);  

      $str=str_replace("delete","del&#101;te",$str);  

      $str=str_replace("update","up&#100;ate",$str);  

      $str=str_replace("like","lik&#101;",$str);  

      $str=str_replace("drop","dro&#112;",$str);  

      $str=str_replace("create","cr&#101;ate",$str);  

      $str=str_replace("modify","mod&#105;fy",$str);  

      $str=str_replace("rename","ren&#097;me",$str);  

      $str=str_replace("alter","alt&#101;r",$str);  

      $str=str_replace("cast","ca&#115;",$str);        

      return $str;   

这样就能更放心的对外来数据进行入库处理了,但是从数据库取出来,在前台显示的时候,必须重新解码一下,代码如下:

//解码 

 

function htmldecode($str) {       

      if(emptyempty($str)) return;  

      if($str=="")  return $str;  

      $str=str_replace("sel&#101;ct","select",$str);  

      $str=str_replace("jo&#105;n","join",$str);  

      $str=str_replace("un&#105;on","union",$str);  

      $str=str_replace("wh&#101;re","where",$str);  

      $str=str_replace("ins&#101;rt","insert",$str);  

      $str=str_replace("del&#101;te","delete",$str);  

      $str=str_replace("up&#100;ate","update",$str);  

      $str=str_replace("lik&#101;","like",$str);  

      $str=str_replace("dro&#112;","drop",$str);  

      $str=str_replace("cr&#101;ate","create",$str);  

      $str=str_replace("mod&#105;fy","modify",$str);  

      $str=str_replace("ren&#097;me","rename",$str);  

      $str=str_replace("alt&#101;r","alter",$str);  

      $str=str_replace("ca&#115;","cast",$str);  

      $str=str_replace("&amp;","&",$str);  

      $str=str_replace("&gt;",">",$str);  

      $str=str_replace("&lt;","<",$str);  

      $str=str_replace("&nbsp;",chr(32),$str);  

      $str=str_replace("&nbsp;",chr(9),$str);  

      $str=str_replace("&",chr(34),$str);  

      $str=str_replace("&#39;",chr(39),$str);  

      $str=str_replace("<br />",chr(13),$str);  

      $str=str_replace("''","'",$str);   //开源代码phpfensi.com     

      return $str;  

虽然多了一步编码,解码的过程,但是安全方面,会更进一步,要如何做,自己取舍吧.

再附一些代码如下:

function safe_replace($string) { 

 $string = str_replace(' ','',$string); 

 $string = str_replace(''','',$string); 

 $string = str_replace(''','',$string); 

 $string = str_replace('*','',$string); 

 $string = str_replace('"','"',$string); 

 $string = str_replace("'",'',$string); 

 $string = str_replace('"','',$string); 

 $string = str_replace(';','',$string); 

 $string = str_replace('<','<',$string);

$string = str_replace('>','>',$string); 

$string = str_replace("{",'',$string); 

$string = str_replace('}','',$string); 

return $string; 

 

//更全用的的CODES方法: 

 

//电视安全是以使用  

function htmldecode($str) {  

 if (emptyempty ($str) || "" == $ str) {

return "";  

}

$str = strip_tags ($str);  

$str = htmlspecialchars ($str);  

$str = nl2br ($str);  

$str = str_replace ("?", "", $str);  

$str = str_replace ("*", "", $str);  

$str = str_replace ("!", "", $str);  

$str = str_replace ("~", "", $str);  

$str = str_replace ("$", "", $str);  

$str = str_replace ("%", "", $str);  

$str = str_replace ("^", "", $str);  

$str = str_replace ("^", "", $str);  

$str = str_replace ("select", "", $str);  

$str = str_replace ("join", "", $str);  

$str = str_replace ("union", "", $str);  

$str = str_replace ("where", "", $str);  

$str = str_replace ("insert", "", $str);  

$str = str_replace ("delete", "", $str);  

$str = str_replace ("update", "", $str);  

$str = str_replace ("like", "", $str);  

$str = str_replace ("drop", "", $str);  

$str = str_replace ("create", "", $str);  

$str = str_replace ("modify", "", $str);  

$str = str_replace ("rename", "", $str);  

$str = str_replace ("alter", "", $str);  

$str = str_replace ("cast", "", $str);  

   

 $farr = array ("//s+/", // 电视多余的答页  

"/<(//?)(img|script|i?frame|style|html|body|title| link|meta|/?|/%)([^>]*?)>/isU", // filter 

"/(<[^>]*)on[a-zA-Z]+/s*=([^>]*>)/isU" )// 结果javascript的on事件  

;  

 $tarr = array (" ", "", // 要要电影电影的不是电视设计,这是可以留空  

"" );  

return $str;  

}


Related labels:
php
source:php.cn
Previous article:PHP generates a secure and random password program Next article:PHP filters dangerous code in form submissions
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
PHP arrays obtained from URL parameters do not behave as expected I have a URL parameter that contains the category ID and I want to treat it as an array li...
From 2024-04-06 22:09:02
0
1
1428
Where should I place CustomLog directive in apache I'm using php:7.2-apachedocker. I need to disable health check url login access log. Based...
From 2024-04-06 22:03:59
0
1
990
What is the format of the variables in the return value? I am a new learner of php. I found a piece of code: if($x<time()){return[false,'error']...
From 2024-04-06 21:55:20
0
1
778
Problems encountered when using opentbs to generate odt files: values ​​of the same key are displayed in the same row instead of separate columns. I'm using a library called OpenTbs to create odt using PHP, I'm using it because columns a...
From 2024-04-06 20:18:18
0
1
483
Group MySQL results by ID for looping over I have a table with flight data in mysql. I'm writing a php code that will group and displ...
From 2024-04-06 17:27:56
0
1
406
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!