/*ASCII / URL-encoding reference table: http://www.w3school.com.cn/tags/html_ref_urlencode.html
-------------------------------------------------- -------------------------------------------------- -------------
1. Validate and filter user input
Even input that looks ordinary can be dangerous, so treat every value that arrives from the client as untrusted until it has been validated. A few characters that commonly cause security issues:
!$ ^ & * ( ) ~ [ ] | { } ' " ; < > ? - `
Characters that may have special meaning in the database :
'" ;
There are also some non-printing characters:
character \x00 (ASCII 0), the NUL byte, which C-based libraries and many filesystem calls treat as end of string
characters \x0a and \x0d (ASCII 10 and 13), i.e. \n and \r, the line terminators (dangerous in HTTP headers, log lines and e-mail)
character \x1a (ASCII 26), historically the end-of-file marker (Ctrl-Z)
Entering the wrong parameter type may also cause unexpected errors in the program.
Excessively long values may lead to buffer overflows, resource exhaustion and other errors, so enforce a maximum length.
2. Filtering of file paths and names
File names cannot contain binary data, otherwise it may cause problems.
Some systems allow Unicode multi-byte encoded file names, but this should be avoided and ASCII characters should be used instead.
Although Unix systems accept almost any byte in a file name, restrict names to letters, digits, - and _, and never let user input supply path separators or ".." segments (path traversal); ideally map user input to a server-generated name instead of using it directly.
At the same time, the length of the file name needs to be limited.
3. Prevent SQL injection
The primary defence is prepared statements with bound parameters (PDO or mysqli); the type checks below are a secondary layer, not a replacement. Note that values from $_GET/$_POST/$_COOKIE are always strings, so is_int() on them returns false: validate numbers with filter_var($v, FILTER_VALIDATE_INT) or ctype_digit() first, and only then cast. When the user input is expected to be a number, you can use the following methods:
Use the is_int() function (or is_integer( ) or is_long() function)
Use gettype() function
Use intval() function
Use settype() function
To check the length of user input, use strlen() (counts bytes) or mb_strlen() (counts characters in a multibyte encoding).
To check whether a date or time is valid, use strtotime() (it returns false for unparsable input) or DateTime::createFromFormat() with an explicit format.
4. Prevent XSS attacks
A common XSS technique is to inject HTML elements that execute JavaScript. PHP's built-in htmlspecialchars() and htmlentities() escape output for an HTML context; pass ENT_QUOTES and the charset (e.g. 'UTF-8') so single quotes are covered, and escape separately for JavaScript, URL and CSS contexts, since HTML escaping alone does not make a value safe there.
5. Filter URLs submitted by users
If users may supply a URL for an image or link, make sure it cannot carry a non-HTTP scheme such as javascript:, vbscript: or data:.
PHP's built-in parse_url() splits the URL so the scheme can be checked; compare the scheme case-insensitively against an allowlist (http, https) rather than a blacklist of bad schemes, and remember that parse_url() is lenient and may return partial results for malformed input.
6. Prevent remote code execution (a table of shell-significant characters follows section 7):
Remote execution usually goes through PHP code evaluation such as eval(), or through command-execution functions such as exec(), passthru(), proc_open(), shell_exec(), system() or popen().
Injecting PHP code: PHP offers many ways to run code (eval(), include/require of a user-controlled path, preg_replace() with the /e modifier, create_function()), so any user-controllable data that can reach them must be filtered or, better, kept away from them entirely.
7. Shell command execution
PHP provides functions that run system commands directly, such as exec() or the backtick operator; wrap every argument in escapeshellarg() (or use the array form of proc_open(), which avoids the shell) rather than trying to filter shell metacharacters by hand.
PHP's safe mode offered some protection, but it was deprecated in PHP 5.3 and removed in 5.4, and even where it existed it could be bypassed:
1. Upload a script in another language the server supports (Perl, Python, Ruby, ...); executing it bypasses PHP's safe mode.
2. Exploit a buffer-overflow vulnerability in the system to bypass safe mode.
Some characters related to Shell:
Name                  Character  ASCII  Hex   URL encoding  HTML encoding
Line feed                        10     x0a   %0A           &#10;
Exclamation mark      !          33     x21   %21           &#33;
Double quote          "          34     x22   %22           &#34; or &quot;
Dollar sign           $          36     x24   %24           &#36;
Ampersand             &          38     x26   %26           &#38; or &amp;
Single quote          '          39     x27   %27           &#39;
Left parenthesis      (          40     x28   %28           &#40;
Right parenthesis     )          41     x29   %29           &#41;
Asterisk              *          42     x2a   %2A           &#42;
Hyphen                -          45     x2d   %2D           &#45;
Semicolon             ;          59     x3b   %3B           &#59;
Left angle bracket    <          60     x3c   %3C           &#60; or &lt;
Right angle bracket   >          62     x3e   %3E           &#62; or &gt;
Question mark         ?          63     x3f   %3F           &#63;
Left square bracket   [          91     x5b   %5B           &#91;
Backslash             \          92     x5c   %5C           &#92;
Right square bracket  ]          93     x5d   %5D           &#93;
Caret                 ^          94     x5e   %5E           &#94;
Backtick              `          96     x60   %60           &#96;
Left curly brace      {          123    x7b   %7B           &#123;
Pipe                  |          124    x7c   %7C           &#124;
Right curly brace     }          125    x7d   %7D           &#125;
Tilde                 ~          126    x7e   %7E           &#126;
------------------------------------------------ -------------------------------------------------- ---------------
Security filtering function code*/
/**
 * Safe filtering input [jb]
 *
 * Strips ASCII control characters from $string, then (unless $isurl is
 * truthy) rewrites bare "&" so that only existing entity references are
 * kept, entity-encodes a few quote/whitespace characters, and trims the
 * result.
 *
 * NOTE(review): this listing is damaged. Two str_replace() lines are
 * truncated at `array("`, and the replacement arrays show raw quotes
 * where entity names (presumably `&quot;`, `&#039;`) were written before
 * extraction decoded them. Treat it as illustrative only; restore the
 * original source before using it. The regex on the first line also
 * carries a stray space after its closing delimiter, which PCRE rejects
 * as an unknown modifier.
 *
 * @param string $string The raw input
 * @param bool   $isurl  When truthy the "&" rewrite step is skipped
 *                       (presumably so query-string separators survive)
 * @return string
 */
function check_str($string, $isurl = false)
{
// Drop C0 control characters; TAB (\x09), LF (\x0A) and CR (\x0D) are
// deliberately excluded from the class and survive.
// NOTE(review): the pattern ends in `/ '` -- the space after the closing
// delimiter is read as a modifier and PCRE will reject it; likely a copy artefact.
$string= preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/ ','',$string); //Remove control characters
$string= str_replace(array("
empty($isurl)&& $string =preg_replace("/&(?!(#[0-9] |[a-z] );)/si",'&',$string);//Inside HTML You can use xx; to encode some characters, such as (space), ? Unicode characters, etc. A(?!B) means that A is not followed by B, so the author wants to retain ? similar HTML encoding characters and remove other The problem character is
$string= str_replace(array("
$string= str_replace(array('"'," '","t",' '),array('"',''','',' '),$string);
returntrim($string);
}
/**
 * Security filtering class - filter javascript, css, iframes, object and other unsafe parameters with high filtering level
 *
 * Regex blacklist that neuters a fixed list of on* event-handler names and
 * tries to strip script/iframe markup.
 *
 * NOTE(review): a regex blacklist is not a reliable XSS defence. The event
 * list below omits common handlers (onfocus, onblur, onwheel, ...), and
 * attribute/entity tricks routinely bypass patterns like these. Prefer
 * context-aware escaping (htmlspecialchars with ENT_QUOTES) or an
 * allowlist-based HTML sanitiser. The listing also appears damaged by
 * extraction: the tag names inside the second and third patterns are
 * missing, so they no longer match what they were written for.
 *
 * @param string $value The value that needs to be filtered
 * @return string|null null on PHP 7+ because of the last preg_replace() (see below)
 */
function filter_script($value) {
// Rewrites "on<event>" to "&111n<event>" (\2 is the event-name group);
// "&111n" is presumably a decoded "&#111;n", i.e. an entity-encoded "o"
// meant to stop the browser recognising the attribute name.
$value=preg_replace("/(javascript: )?on(click|load|key|mouse|error|abort|move|unload|change|dblclick|move|reset|resize|submit)/i","&111n\2",$value);
// As written, "(.*?)" lazily matches only empty strings, so this line is a
// no-op; the enclosing <script>...</script> literals seem to have been lost.
$value= preg_replace("/(.*?)/si","",$value);
// Removes everything from the start of the string up to a literal "< /iframe>"
// (note the space); the opening-tag part of the pattern is likewise missing.
$value= preg_replace("/(.*?)< /iframe>/si","",$value);
// NOTE(review): the flags are "iesU" -- the "e" (eval) modifier was removed
// in PHP 7, so PCRE reports an unknown modifier and preg_replace() returns
// null, making this function return null for every input on PHP 7+.
$value= preg_replace ("//iesU", '', $value);
return$value;
}
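/**
 * Security filtering class - escape a value for an HTML context.
 *
 * Converts &, ", ', < and > to their HTML entities so the value can be
 * placed in element content or a quoted attribute. ENT_QUOTES is passed
 * explicitly because the PHP < 8.1 default leaves the single quote
 * untouched, which breaks out of single-quoted attributes; ENT_SUBSTITUTE
 * keeps one invalid UTF-8 byte from turning the whole output into "".
 *
 * This is HTML escaping only: it does not make the value safe inside a
 * <script> block, a URL, or CSS. Escape per output context.
 *
 * The old function_exists('htmlspecialchars ') guard had a stray space in
 * the name, so it never matched and the hand-rolled fallback (whose
 * replacement strings were also corrupted) always ran; htmlspecialchars()
 * is a core function, so the guard is simply dropped.
 *
 * @param string $value The value to be filtered
 * @return string
 */
function filter_html($value) {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}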
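/**
 * Security filtering class - keyword blacklist for SQL fragments.
 *
 * Removes a fixed list of SQL keywords and path fragments from $value and
 * replaces the single quote with a space. Matching is case-insensitive and
 * is repeated until a pass changes nothing, so neither "SELECT" nor a
 * nested "selselectect" survives -- both slipped through the original,
 * which made a single case-sensitive str_replace() pass.
 *
 * NOTE(review): this is a blacklist, not an escaping function. It corrupts
 * legitimate text ("selected" becomes "ed") and cannot make string-built
 * SQL safe. Bind values with prepared statements (PDO/mysqli) and treat
 * this, at most, as defence in depth. The ". ./" entry is kept as found;
 * it looks like a damaged "../" and will not match real traversal input.
 *
 * @param string $value The value to be filtered
 * @return string
 */
function filter_sql($value) {
    $sql = array("select", 'insert', "update", "delete", "'", "/*", ". ./", "./", "union", "into", "load_file", "outfile");
    $sql_re = array("", "", "", "", " ", "", "", "", "", "", "", "");
    // Repeat until stable: deleting one keyword can expose another one that
    // was split around it. Every changing pass shortens the string or removes
    // a quote, so the loop terminates.
    do {
        $previous = $value;
        $value = str_ireplace($sql, $sql_re, $value);
    } while ($value !== $previous);
    return $value;
}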
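/**
 * Security filtering class - general data filtering.
 *
 * Applies filter_str() to a scalar, or to every leaf of an array,
 * recursing into nested arrays (e.g. $_POST['a']['b']). Keys are
 * preserved; only values are rewritten.
 *
 * The original called self::fliter_str(), which fails at runtime here:
 * this is a plain function (no class, so no self::) and the helper is
 * spelled filter_str() below.
 *
 * @param string|array $value Variables that need to be filtered
 * @return string|array
 */
function filter_escape($value) {
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            // Recurse so nested arrays are filtered at every depth.
            $value[$k] = filter_escape($v);
        }
        return $value;
    }
    return filter_str($value);
}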
/**
* Security filtering class - string filtering to filter special harmful characters
* @param string $value The value to be filtered
* @return string
*/
function filter_str($value) {
$badstr= array("