Home > Article > Backend Development > php过滤特殊危险字符的总结_PHP教程

php过滤特殊危险字符的总结_PHP教程

WBOYOriginal: 2016-07-13 10:47:58914browse

在网站中表单提交或url获取值我们都可能碰到一些安全问题，下面我总结了一些常用的过滤一些危险特殊字符的解决方法，希望此教程对各位有帮助。

一般，对于传进来的字符，php可以用addslashes函数处理一遍（要get_magic_quotes_gpc()为假才处理，不然就重复转义了！），这样就能达到一定程度的安全要求
比如这样

代码如下	复制代码
if (!get_magic_quotes_gpc()) { add_slashes($_GET); add_slashes($_POST); add_slashes($_COOKIE); } function add_slashes($string) { if (is_array($string)) { foreach ($string as $key => $value) { $string[$key] = add_slashes($value); } } else { $string = addslashes($string); } return $string; }

但是还可以更进一步进行重新编码，解码，如下：

代码如下

复制代码

//编码

function htmlencode($str) {
      if(empty($str)) return;
      if($str=="") return $str;
      $str=trim($str);
      $str=str_replace("&","&",$str);
      $str=str_replace(">",">",$str);
      $str=str_replace("<","<",$str);
$str=str_replace(chr(32)," ",$str);
$str=str_replace(chr(9)," ",$str);
$str=str_replace(chr(34),"&",$str);
$str=str_replace(chr(39),"'",$str);
$str=str_replace(chr(13),"
",$str);
      $str=str_replace("'","''",$str);
      $str=str_replace("select","select",$str);
      $str=str_replace("join","join",$str);
      $str=str_replace("union","union",$str);
      $str=str_replace("where","where",$str);
      $str=str_replace("insert","insert",$str);
      $str=str_replace("delete","delete",$str);
      $str=str_replace("update","update",$str);
      $str=str_replace("like","like",$str);
      $str=str_replace("drop","drop",$str);
      $str=str_replace("create","create",$str);
      $str=str_replace("modify","modify",$str);
      $str=str_replace("rename","rename",$str);
      $str=str_replace("alter","alter",$str);
      $str=str_replace("cast","cas",$str);
      return $str;
}

这样就能更放心的对外来数据进行入库处理了，但是从数据库取出来，在前台显示的时候，必须重新解码一下：

代码如下

复制代码

//解码

function htmldecode($str) {
      if(empty($str)) return;
      if($str=="") return $str;
      $str=str_replace("select","select",$str);
      $str=str_replace("join","join",$str);
      $str=str_replace("union","union",$str);
      $str=str_replace("where","where",$str);
      $str=str_replace("insert","insert",$str);
      $str=str_replace("delete","delete",$str);
      $str=str_replace("update","update",$str);
      $str=str_replace("like","like",$str);
      $str=str_replace("drop","drop",$str);
      $str=str_replace("create","create",$str);
      $str=str_replace("modify","modify",$str);
      $str=str_replace("rename","rename",$str);
      $str=str_replace("alter","alter",$str);
      $str=str_replace("cas","cast",$str);
      $str=str_replace("&","&",$str);
      $str=str_replace(">",">",$str);
      $str=str_replace("<","<",$str);
$str=str_replace(" ",chr(32),$str);
$str=str_replace(" ",chr(9),$str);
$str=str_replace("&",chr(34),$str);
$str=str_replace("'",chr(39),$str);
$str=str_replace("
",chr(13),$str);
      $str=str_replace("''","'",$str);
      return $str;
}

虽然多了一步编码，解码的过程，但是安全方面，会更进一步，要如何做，自己取舍吧。

再附一些

代码如下

复制代码

function safe_replace($string) {
$string = str_replace(' ','',$string);
$string = str_replace(''','',$string);
$string = str_replace(''','',$string);
$string = str_replace('*','',$string);
$string = str_replace('"','"',$string);
$string = str_replace("'",'',$string);
$string = str_replace('"','',$string);
$string = str_replace(';','',$string);
$string = str_replace(' $string = str_replace('>','>',$string);
$string = str_replace("{",'',$string);
$string = str_replace('}','',$string);
return $string;
}

更全面的

代码如下

复制代码

//处理提交的数据
function htmldecode($str) {
if (empty ( $str ) || "" == $str) {
return "";
}

$str = strip_tags ( $str );
$str = htmlspecialchars ( $str );
$str = nl2br ( $str );
$str = str_replace ( "?", "", $str );
$str = str_replace ( "*", "", $str );
$str = str_replace ( "!", "", $str );
$str = str_replace ( "~", "", $str );
$str = str_replace ( "$", "", $str );
$str = str_replace ( "%", "", $str );
$str = str_replace ( "^", "", $str );
$str = str_replace ( "^", "", $str );
$str = str_replace ( "select", "", $str );
$str = str_replace ( "join", "", $str );
$str = str_replace ( "union", "", $str );
$str = str_replace ( "where", "", $str );
$str = str_replace ( "insert", "", $str );
$str = str_replace ( "delete", "", $str );
$str = str_replace ( "update", "", $str );
$str = str_replace ( "like", "", $str );
$str = str_replace ( "drop", "", $str );
$str = str_replace ( "create", "", $str );
$str = str_replace ( "modify", "", $str );
$str = str_replace ( "rename", "", $str );
$str = str_replace ( "alter", "", $str );
$str = str_replace ( "cast", "", $str );

$farr = array ("//s+/", //过滤多余的空白
"/]*?)>/isU", //过滤 "/(]*)on[a-zA-Z]+/s*=([^>]*>)/isU" )//过滤javascript的on事件
;
$tarr = array (" ", "", //如果要直接清除不安全的标签，这里可以留空
"" );
return $str;
}

Statement：

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Previous article：PHP验证码生成程序几种方法_PHP教程Next article：浅析php中open_basedir存在安全隐患_PHP教程

See more

php过滤特殊危险字符的总结_PHP教程

Related articles