這篇文章給大家介紹php參數(shù)過濾及php數(shù)據(jù)過濾,包括php提交數(shù)據(jù)過濾的基本原則,php簡單的數(shù)據(jù)過濾,感興趣的朋友一起學(xué)習(xí)吧
下面通過一段代碼給大家介紹php參數(shù)過濾
- class mysafe{
- public $logname;
- public $isshwomsg;
- function __construct(){
- set_error_handler('MyError',E_ALL);
- //-----
- }
- function MyError($errno, $errstr, $errfile, $errline){
- echo "<b>Error number:</b> [$errno],error on line $errline in $errfile<br />";
- exit;
- }
- function wlog($logs){
- if(emptyempty($logname)){
- $this->logname=$_SERVER["DOCUMENT_ROOT"]."/log.htm";
- }
- $Ts=fopen($this->logname,"a+");
- fputs($Ts,$logs."/r/n");
- fclose($Ts);
- }
- function showmsg($msg='',$flag=false){
- $this->isshwomsg=emptyempty($this->isshwomsg) ? false : true;
- if ($this->isshwomsg) {
- echo '<br />--------------------------------------<br />';
- echo $msg;
- echo '<br />--------------------------------------<br />';
- if ($flag) exit;
- }
- }
- function get_filter(){
- $getfilter="'|(and|or)//b.+?(>|<|=|in|like)|/////*.+?//*///|<//s*script//b|//bEXEC//b|UNION.+?SELECT|UPDATE.+?SET|INSERT//s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)//s+(TABLE|DATABASE)";
- foreach($_GET as $key=>$value){
- $this->StopAttack($key,$value,$getfilter);
- }
- }
- function post_filter(){
- $postfilter="//b(and|or)//b.{1,6}?(=|>|<|//bin//b|//blike//b)|/////*.+?//*///|<//s*script//b|//bEXEC//b|UNION.+?SELECT|UPDATE.+?SET|INSERT//s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)//s+(TABLE|DATABASE)";
- foreach($_POST as $key=>$value){
- $this->StopAttack($key,$value,$postfilter);
- }
- }
- function cookie_filter(){
- $cookiefilter="//b(and|or)//b.{1,6}?(=|>|<|//bin//b|//blike//b)|/////*.+?//*///|<//s*script//b|//bEXEC//b|UNION.+?SELECT|UPDATE.+?SET|INSERT//s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)//s+(TABLE|DATABASE)";
- foreach($_COOKIE as $key=>$value){
- $this->StopAttack($key,$value,$cookiefilter);
- }
- }
- //過濾參數(shù)
- function StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq){
- if(is_array($StrFiltValue)){
- $StrFiltValue=implode($StrFiltValue);
- }
- if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue)==1){
- $msg="<br><br>操作IP: ".$_SERVER["REMOTE_ADDR"]."<br>操作時間: ".strftime("%Y-%m-%d %H:%M:%S")."<br>操作頁面:".$_SERVER["PHP_SELF"]."<br>提交方式: ".$_SERVER["REQUEST_METHOD"]."<br>提交參數(shù): ".$StrFiltKey."<br>提交數(shù)據(jù): ".$StrFiltValue;
- $this->wlog($msg);
- $this->showmsg($msg);
- exit();
- }
- }
- function filter_value_for_sql($str){
- $str = str_replace("and","",$str);
- $str = str_replace("execute","",$str);
- $str = str_replace("update","",$str);
- $str = str_replace("count","",$str);
- $str = str_replace("chr","",$str);
- $str = str_replace("mid","",$str);
- $str = str_replace("master","",$str);
- $str = str_replace("truncate","",$str);
- $str = str_replace("char","",$str);
- $str = str_replace("declare","",$str);
- $str = str_replace("select","",$str);
- $str = str_replace("create","",$str);
- $str = str_replace("delete","",$str);
- $str = str_replace("insert","",$str);
- $str = str_replace("'","",$str);
- $str = str_replace('"',"",$str);
- $str = str_replace(" ","",$str);
- $str = str_replace("or","",$str);
- $str = str_replace("=","",$str);
- $str = str_replace(" ","",$str);
- return $str;
- }
- //class end
- }
下面給大家介紹下PHP數(shù)據(jù)過濾
1、php提交數(shù)據(jù)過濾的基本原則
1)提交變量進數(shù)據(jù)庫時,我們必須使用addslashes()進行過濾,像我們的注入問題,一個addslashes()也就搞定了。其實在涉及到變量取值時,intval()函數(shù)對字符串的過濾也是個不錯的選擇。
2)在php.ini中開啟magic_quotes_gpc和magic_quotes_runtime。magic_quotes_gpc可以把get,post,cookie里的引號變?yōu)樾备堋agic_quotes_runtime對于進出數(shù)據(jù)庫的數(shù)據(jù)可以起到格式話的作用。其實,早在以前注入很瘋狂時,這個參數(shù)就很流行了。
3)在使用系統(tǒng)函數(shù)時,必須使用escapeshellarg(),escapeshellcmd()參數(shù)去過濾,這樣你也就可以放心的使用系統(tǒng)函數(shù)。
4)對于跨站,strip_tags(),htmlspecialchars()兩個參數(shù)都不錯,對于用戶提交的的帶有html和php的標(biāo)記都將進行轉(zhuǎn)換。比如尖括號"<"就將轉(zhuǎn)化為 "<"這樣無害的字符。
$new = htmlspecialchars("Test", ENT_QUOTES);
strip_tags($text,);
5)對于相關(guān)函數(shù)的過濾,就像先前的include(),unlink,fopen()等等,只要你把你所要執(zhí)行操作的變量指定好或者對相關(guān)字符過濾嚴(yán)密,我想這樣也就無懈可擊了。
2、PHP簡單的數(shù)據(jù)過濾
1)入庫: trim($str),addslashes($str)
2)出庫: stripslashes($str)
3)顯示: htmlspecialchars(nl2br($str))
新聞熱點
疑難解答
