简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)
Home > Backend Development > PHP Tutorial > body text

PHP simple parameter filtering code learning

WBOY
Release: 2016-07-25 08:58:42
Original
1153 people have browsed it
  2. /**
  3. * Parameter filtering code
  4. * edit bbs.it-home.org
  5. */
  6. if (@get_magic_quotes_gpc ()) {
  7. $_GET = sec ( $_GET );
  8. $_POST = sec ( $_POST );
  9. $_COOKIE = sec ( $_COOKIE );
  10. $_FILES = sec ( $_FILES );
  11. }
  12. $_SERVER = sec ( $_SERVER );
  13. function sec(&$array) {
  14. //If it is an array, traverse the array and call it recursively
  15. if (is_array ( $array )) {
  16. foreach ( $array as $k => $v ) {
  17. $array [$k] = sec ( $v );
  18. }
  19. } else if (is_string ( $array )) {
  20. //Use the addslashes function to process
  21. $array = addslashes ( $array );
  22. } else if (is_numeric ( $array )) {
  23. $array = intval ( $array );
  24. }
  25. return $array;
  26. }
  27. ?>
Copy code

1. Judgment of integer parameters When the input parameter YY is an integer, usually the original SQL statement in abc.asp is roughly as follows: select * from table name where field=YY, so you can use the following steps to test whether SQL injection exists. ①HTTP://xxx.xxx.xxx/abc.asp?p=YY’ (with a single quote attached), at this time the SQL statement in abc.ASP becomes select * from table name where field=YY’, abc.asp runs abnormally; ②HTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=1, abc.asp runs normally, and the results are the same as HTTP://xxx.xxx.xxx/abc.asp?p=YY ; ③HTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=2, abc.asp runs abnormally; If the above three steps are fully satisfied, there must be a SQL injection vulnerability in abc.asp.

An integer filter function, the code is as follows:

  3. function num_check($id) {

  4. if (! $id) {
  5. die ( 'Parameter cannot be empty!' );
  6. } // Whether it is empty Judgment
  7. else if (inject_check ( $id )) {
  8. die ( 'illegal parameter' );
  9. } // Injection judgment
  10. else if (! is_numetic ( $id )) {
  11. die ( 'illegal parameter' );
  12. }
  13. //Number judgment
  14. $id = intval ($id);
  15. //Integerization
  16. return $id;
  17. }

  18. //Character filter function

  19. function str_check($str ) {
  20. if (inject_check ( $str )) {
  21. die ( 'illegal parameter' );
  22. }
  23. //Injection judgment
  24. $str = htmlspecialchars ( $str );
  25. //Convert html
  26. return $str;
  27. }
  28. function search_check($str) {
  29. $str = str_replace ( "_", "_", $str );
  30. //Filter out "_"
  31. $str = str_replace ( "%", "%", $ str );
  32. //Filter out "%"
  33. $str = htmlspecialchars ( $str );
  34. //Convert html
  35. return $str;
  36. }
  37. //Form filter function
  38. function post_check($str, $min, $max) {
  39. if (isset ( $min ) && strlen ( $str ) < $min) {
  40. die ( 'minimum $min bytes' );
  41. } else if (isset ( $max ) && strlen ( $ str ) > $max) {
  42. die ( 'Up to $max bytes' );
  43. }
  44. return stripslashes_array ( $str );
  45. }
  46. ?>

Copy code

When the input parameter YY is a string, usually the original SQL statement in abc.asp is roughly as follows: select * from table name where field='YY', so you can use the following steps to test whether SQL injection exists. ①HTTP://xxx.xxx.xxx/abc.asp?p=YY’ (with a single quote attached), at this time the SQL statement in abc.ASP becomes select * from table name where field=YY’, abc.asp runs abnormally; ②HTTP://xxx.xxx.xxx/abc.asp?p=YY&;nb … 39;1'='1', abc.asp runs normally and is the same as HTTP://xxx.xxx.xxx/abc.asp ?p=YY has the same running results; ③HTTP://xxx.xxx.xxx/abc.asp?p=YY&;nb … 39;1'='2', abc.asp runs abnormally; If the above three steps are fully satisfied, there must be a SQL injection vulnerability in abc.asp.

Attach a function to prevent sql injection:

  2. //Anti-injection function
  3. function inject_check($sql_str) {
  4. return eregi ( 'select|inert|update|delete|'|/*|*|../|./ |UNION|into|load_file|outfile', $sql_str );
  5. // Filter to prevent injection into bbs.it-home.org
  6. }
  7. function stripslashes_array(&$array) {
  8. if (is_array ( $array )) {
  9. foreach ( $array as $k => $v ) {
  10. $array [$k] = stripslashes_array ( $v );
  11. }
  12. } else if (is_string ( $array )) {
  13. $array = stripslashes ( $ array );
  14. }
  15. return $array;
  16. }
  17. ?>
Copy code


Related labels:
php简单的参数过滤代码学习
source:php.cn
Previous article:The core code of the PHP lottery program (to draw three lucky viewers) Next article:Summary of some methods of php regular expressions
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0
2
1457
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0
10
1622
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0
1
1385
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0
1
1305
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0
0
1357
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!