php过滤特殊危险字符的总结
在网站中表单提交或url获取值我们都可能碰到一些安全问题,下面我总结了一些常用的过滤一些危险特殊字符的解决方法,一般,对于传进来的字符,php可以用addslashes函数处理一遍(要get_magic_quotes_gpc()为假才处理,不然就重复转义了!),这样就能达到一定程度的安全要求,比如这样,代码如下:
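if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
    // get_magic_quotes_gpc() was removed in PHP 8, so it is only called when it
    // exists (magic quotes are always off on PHP >= 5.4 anyway).
    // add_slashes() works on a copy; the page's original listing discarded the
    // return value, so the superglobals were never actually escaped.
    $_GET    = add_slashes($_GET);
    $_POST   = add_slashes($_POST);
    $_COOKIE = add_slashes($_COOKIE);
}

/**
 * Apply addslashes() to a string, or recursively to every leaf of a (nested) array.
 *
 * Emulates the old magic_quotes_gpc behaviour. Only values are escaped; keys are
 * left as they are. Escaping at input time is not a substitute for prepared
 * statements: the result is only safe inside a single-quoted SQL literal and has
 * to be run through stripslashes() before any other use (output, files, APIs).
 *
 * @param string|array $string value, or array of values, to escape
 * @return string|array the escaped copy; the argument itself is not modified
 */
function add_slashes($string)
{
    if (is_array($string)) {
        foreach ($string as $key => $value) {
            $string[$key] = add_slashes($value);
        }
        return $string;
    }
    return addslashes($string);
}
// One can go a step further and re-encode/decode the data; the code is as follows: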
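// Encoding
/**
 * Map of SQL keywords to the entity-mangled spellings that htmlencode() writes and
 * htmldecode() reads. This is the storage format shared by the two functions.
 *
 * @return array<string,string> keyword => stored spelling
 */
function _html_sql_keyword_map()
{
    return [
        'select' => 'sel&#101;ct',
        'join'   => 'jo&#105;n',
        'union'  => 'un&#105;on',
        'where'  => 'wh&#101;re',
        'insert' => 'ins&#101;rt',
        'delete' => 'del&#101;te',
        'update' => 'up&#100;ate',
        'like'   => 'lik&#101;',
        'drop'   => 'dro&#112;',
        'create' => 'cr&#101;ate',
        'modify' => 'mod&#105;fy',
        'rename' => 'ren&#097;me',
        'alter'  => 'alt&#101;r',
        'cast'   => 'ca&#115;t',   // the page's listing had "ca&#115;", which dropped the "t"
    ];
}

/**
 * Encode a string for storage: HTML-escape the markup characters, turn space and
 * tab into &nbsp; and CR into <br />, then rewrite a fixed list of SQL keywords with
 * numeric entities so they do not appear literally in the stored text.
 *
 * The keyword rewriting is case-sensitive, single-pass and fully reversible, so it
 * gives no protection against SQL injection; bind parameters for that. It is kept
 * only so that data already stored in this format keeps decoding with htmldecode().
 *
 * Changes from the page's listing: the duplicated `empty` keyword (a parse error) is
 * gone; "0" is no longer turned into null; '"' is encoded as &quot; instead of a bare
 * "&" (lossy, and it broke the decoder); the unreachable second single-quote
 * replacement is dropped.
 *
 * @param string|null $str raw input
 * @return string|null the trimmed, encoded string; null and '' are returned unchanged
 */
function htmlencode($str)
{
    if ($str === null || $str === '') {
        return $str;
    }
    $str = trim($str);

    // "&" must come first, otherwise the entities produced below would be re-escaped.
    $markup = [
        '&'     => '&amp;',
        '>'     => '&gt;',
        '<'     => '&lt;',
        chr(32) => '&nbsp;',
        chr(9)  => '&nbsp;',   // tab and space both become &nbsp;, so a tab does not survive a round trip
        chr(34) => '&quot;',
        chr(39) => '&#39;',
        chr(13) => '<br />',
    ];
    $str = str_replace(array_keys($markup), array_values($markup), $str);

    // Done after the markup pass so the "&" in the entities is not re-escaped.
    $keywords = _html_sql_keyword_map();
    return str_replace(array_keys($keywords), array_values($keywords), $str);
}
// With this the external data can be stored with more confidence, but when it is read back
// from the database for display it must be decoded again; the code is as follows:

// Decoding
/**
 * Reverse htmlencode(): restore the SQL keywords, then the markup characters.
 *
 * The steps run in the opposite order to htmlencode(); in particular "&amp;" is
 * restored last, otherwise text that originally contained a literal entity such as
 * "&lt;" would be decoded twice. Space and tab were both stored as &nbsp;, so both
 * come back as spaces. Rows written by the page's original encoder cannot be decoded
 * faithfully (it stored '"' as a bare "&" and "cast" as "ca&#115;"); such rows need a
 * one-off rewrite before this decoder sees them.
 *
 * @param string|null $str encoded text as returned by htmlencode()
 * @return string|null the decoded text; null and '' are returned unchanged
 */
function htmldecode($str)
{
    if ($str === null || $str === '') {
        return $str;
    }
    $keywords = _html_sql_keyword_map();
    $str = str_replace(array_values($keywords), array_keys($keywords), $str);

    $markup = [
        '<br />' => chr(13),
        '&#39;'  => chr(39),
        '&quot;' => chr(34),
        '&nbsp;' => chr(32),
        '&lt;'   => '<',
        '&gt;'   => '>',
        '&amp;'  => '&',   // must stay last, see above
    ];
    // Attribution comment carried over from the original listing: phpfensi.com
    return str_replace(array_keys($markup), array_values($markup), $str);
}
// Although this adds an encode/decode step, it goes a bit further on the security side;
// whether to do it is up to you.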
再附一些代码如下:
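/**
 * Strip a fixed set of punctuation from a string.
 *
 * Reconstructed from the page's listing, which was damaged by extraction: two
 * replacement pairs were unreadable and three ('"' -> '"', '<' -> '<', '>' -> '>')
 * were identity replacements (most likely full-width-to-ASCII normalisation in the
 * original - TODO confirm); none of those five are reproduced here. The first pair
 * on the page reads as a plain ASCII space and is implemented as such, i.e. every
 * space is removed; check that this is really the intent before using it.
 * Character stripping is not an injection defence; escape for the target context
 * (SQL placeholders, htmlspecialchars for HTML) instead.
 *
 * @param string $string raw input
 * @return string the input with ' ', '*', "'", '"', ';', '{' and '}' removed
 */
function safe_replace($string)
{
    return str_replace([' ', '*', "'", '"', ';', '{', '}'], '', $string);
}

// More comprehensive code follows:
// Process the submitted data
/**
 * Sanitise submitted text: drop HTML tags, escape what is left, convert newlines to
 * <br />, delete a set of punctuation and SQL keywords, then apply the regex filters.
 *
 * NOTE: this listing defines a second htmldecode(); it clashes with the one above if
 * both are loaded into one file - the page presents them as alternatives.
 * strip_tags() + htmlspecialchars() is the part that actually neutralises markup;
 * ENT_QUOTES is passed explicitly because it is only the default from PHP 8.1 on.
 * The keyword deletion is case-sensitive, also mangles ordinary prose ("update"
 * inside a sentence vanishes) and does not protect a query; bind parameters instead.
 * In the page's listing $farr/$tarr were built but never applied; they are applied
 * here. Because htmlspecialchars() has already turned "<" into "&lt;", the two
 * tag/event patterns can no longer match, so in practice only the whitespace
 * collapse has an effect.
 *
 * Other changes from the listing: the duplicated `empty` keyword (a parse error) is
 * removed, "0" is no longer discarded, and the duplicate "^" removal is folded away.
 *
 * @param string|null $str raw submitted text
 * @return string sanitised text; null and '' yield ''
 */
function htmldecode($str)
{
    if ($str === null || $str === '') {
        return '';
    }
    $str = strip_tags($str);
    $str = htmlspecialchars($str, ENT_QUOTES);
    $str = nl2br($str);

    // Characters the original removed one by one.
    $str = str_replace(['?', '*', '!', '~', '$', '%', '^'], '', $str);
    $str = str_replace(
        ['select', 'join', 'union', 'where', 'insert', 'delete', 'update', 'like',
         'drop', 'create', 'modify', 'rename', 'alter', 'cast'],
        '',
        $str
    );

    // The backslashes in these patterns were lost on the page ("//s+/", "(//?)");
    // restored here as \s and \/.
    $farr = [
        '/\s+/',                                                                     // collapse runs of whitespace
        '/<(\/?)(img|script|i?frame|style|html|body|title|link|meta|\?|%)([^>]*?)>/isU', // tags such as <script; add <object if flash etc. is not needed
        '/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU',                                       // on* event attributes
    ];
    $tarr = [
        ' ',
        '',   // leave empty to remove the unsafe tag outright
        '',
    ];
    return preg_replace($farr, $tarr, $str);
}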