php 过滤特殊字符及sql防注入代码
<?php
//方法一
//过滤',",sql语名
addslashes();
//方法二,去除所有html标签
strip_tags();
//方法三过滤可能产生代码
function php_sava($str)
{
$farr = array(
"/s+/",
"/<(/?)(script|i?frame|style|html|body|title|link|meta|?|%)([^>]*?)>/isU",
"/(<[^>]*)on[a-zA-Z]+s*=([^>]*>)/isU",
);
$tarr = array(
" ",
"<\1\2\3>", //如果要直接清除不安全的标签,这里可以留空
"\1\2",
);
$str = preg_replace( $farr,$tarr,$str);
return $str;
}
//php sql防注入代码
class sqlin
{
//dowith_sql($value)
function dowith_sql($str)
{
$str = str_replace("and","",$str);
$str = str_replace("execute","",$str);
$str = str_replace("update","",$str);
$str = str_replace("count","",$str);
$str = str_replace("chr","",$str);
$str = str_replace("mid","",$str);
$str = str_replace("master","",$str);
$str = str_replace("truncate","",$str);
$str = str_replace("char","",$str);
$str = str_replace("declare","",$str);
$str = str_replace("select","",$str);
$str = str_replace("create","",$str);
$str = str_replace("delete","",$str);
$str = str_replace("insert","",$str);
$str = str_replace("'","",$str);
$str = str_replace(""","",$str);
$str = str_replace(" ","",$str);
$str = str_replace("or","",$str);
$str = str_replace("=","",$str);
$str = str_replace("%20","",$str);
//echo $str;
return $str;
}
//aticle()防SQL注入函数//php教程
function sqlin()
{
foreach ($_GET as $key=>$value)
{
$_GET[$key]=$this->dowith_sql($value);
}
foreach ($_POST as $key=>$value)
{
$_POST[$key]=$this->dowith_sql($value);
}
}
}
$dbsql=new sqlin();
?>
===================================================================================
使用方式:
将以上代码复制新建一个sqlin.php的文件,然后包含在有GET或者POST数据接收的页面
原理:
将所有的SQL关键字替换为空
本代码在留言本中不能使用,若要在留言本中使用请替换其中的
.......
$str = str_replace("and","",$str);
到
$str = str_replace("%20","",$str);
...
的代码为:
$str = str_replace("and","and",$str);
$str = str_replace("execute","execute",$str);
$str = str_replace("update","update",$str);
$str = str_replace("count","count",$str);
$str = str_replace("chr","chr",$str);
$str = str_replace("mid","mid",$str);
$str = str_replace("master","master",$str);
$str = str_replace("truncate","truncate",$str);
$str = str_replace("char","char",$str);
$str = str_replace("declare","declare",$str);
$str = str_replace("select","select",$str);
$str = str_replace("create","create",$str);
$str = str_replace("delete","delete",$str);
$str = str_replace("insert","insert",$str);
$str = str_replace("'","'",$str);
$str = str_replace(""",""",$str);
?>
str_replace只替换一次代码
$str ="中国|111cn.net|111cn.net|111cn.net|jkldajfklda李好,美女,世界中国中国中国
中国中国abc,dee";
$str1=array(
array('111cn.net','/phper.html'),
array('中国','/phper.html'),
array('李好','/phper.html'),
array('dee','/phper.html'),
array('abc','/phper.html')
);
//$temp = str_replace('111cn.net','前程似锦',$str,$a);
$count =0;
foreach($str1 as $nkeys){
if(strpos($str,$nkeys[0]) ){
if( $count <=1 ){
$str=preg_replace("/$nkeys[0]/","<a
href=http://111cn.net.com".$nkeys[1]." target=_blank >".$nkeys
[0]."</a>",$str,1); $count++;
continue ;
}
}
}
echo $count,$str;
//preg_replace(【要替换的关键字】, 【替换为的关键字】, 【原字符串】, 【替换次数
】);
//方法二:
function str_replace_once($needle, $replace, $haystack) {
$pos = strpos($haystack, $needle);
if ($pos === false) {
return $haystack;
}
return substr_replace($haystack, $replace, $pos, strlen($needle));
}
php简单数据保存程序
<form id="form1" name="form1" method="post" action="">
<label>
<input type="text" name="cname" />
</label>
<p>
<label>
<input type="text" name="caddress" />
</label>
<label>
<input type="text" name="ctel" />
</label>
<label>
<input type="text" name="cfix" />
</label>
<label>
<input type="text" name="cmail" />
</label>
</p>
</form>
<?php
include(dirname(__FILE__).'./inc/gg_function.php');
if( $_POST)
{
$_cname = Get_value('cname',1);
$_address = Get_value('caddress',1);
$_tel = Get_value('ctel',1);
$_fix = Get_value('cfix',1);
$_mail = Get_value('cmail',1);
if( empty($_cname) || strlen( $_cname )>200 )
{
ShowMsg('请输入公司名称!');
}
elseif( empty( $_address ) || strlen( $_address )>200 )
{
ShowMsg('请输入公司地址!');
}
elseif( empty( $_tel ) || strlen($_tel)>12 )
{
ShowMsg('请输入正确的电话号码');
}
elseif( empty($_fix) || strlen( $_fix )>20 )
{
ShowMsg('输入传真号');
}
elseif( empty( $_mail ) || strlen( $_mail )>254 )
{
ShowMsg('输入正确的邮件地址');
}
else{
$_sql = "Insert into gx_coo(c_name,c_address,c_tel,c_fix,c_maile)value('$_cname','$_address','$_tel','$_fix','$_mail')";
if( mysql_query( $_sql ) )
{
ShowMsg('信息保存成功!');
}
else
{
ShowMsg('操作失败请重试一次!');
}
}
}
?>
<%
squery=lcase(Request.ServerVariables("QUERY_STRING"))
sURL=lcase(Request.ServerVariables("HTTP_HOST"))
SQL_injdata =":|;|>|<|--|sp_|xp_||dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
For SQL_Data=0 To Ubound(SQL_inj)
if instr(squery&sURL,Sql_Inj(Sql_DATA))>0 Then
Response.Write "您的操作可能是SQL注入行为。"
Response.end
end if
next
%>
我自己觉得还有防sql注入的方法,那就是用trim()函数,去除所有querystring过来的值的空格,因为sql执行必须带有空格哦,还有如果是id类型的判断是否为数字就OK了。
好了为php开发者提供了一款php sql 防注入与字符过滤以及各种过滤代码哦。//==防注入自动过滤[启用后程序效率低]==========================================================================================
/*
function inject_checks($sql_str){return eregi('select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str);}
foreach ($_REQUEST as $value){if (inject_checks($value)){echo "<script language=javascript>alert('你提交的数据非法,请检查后重新提交!');</script>";exit;}}
*/
//==防注[inject_check($sql_str)]==========================================================================================
function inject_check($sql_str){
if (eregi('select|insert|update|delete|union|into|load_file|outfile', $sql_str)){echo "<script language=javascript>alert('你提交的数据非法,请检查后重新提交!');</script>";exit;}
return $sql_str;
}
//==字符过滤[safe_convert($string)]==============================================================================
function safe_convert($string){ //Words Filter
if(get_magic_quotes_gpc()){ //转义字符 加上反斜线
$string=htmlspecialchars($string, ENT_QUOTES); //将特殊字元转成HTML字串格式如 "&"转成"&"
$string=str_replace("<","<",$string); //替换
$string=str_replace(">",">",$string); //替换
$string=str_replace("\", '\', $string); //替换
} else {
$string=addslashes($string); //转义字符 加上反斜线 //$string=stripslashes($string); //去掉反斜线
$string=str_replace("\\", '\', $string);
}
//$string=str_replace("r","<br/>",$string); //换行
//$string=str_replace("n","",$string); //空格
$string=str_replace("t"," ",$string); //空格
$string=str_replace(" "," ",$string); //空格
//$string=str_replace('|', '|', $string); //替换 同分类系统有冲突
$string=str_replace("&#96;","`",$string); //替换
$string=str_replace("&#92;","\",$string); //替换
return $string;
}
//==字符反过滤[unsafe_convert($string)]==============================================================================
function unsafe_convert($string){ //Words Filter
$string=str_replace("\"",""",$string); //替换
return $string;
}
//==字符过滤[filter($string)]============================================================================================
function filter($string){ //Words Filter
include("Filter.php");//词汇过滤列表
foreach($badwords as $badword){
if(stristr($string,$badword)==true){echo "<script language=javascript>alert('警告:你提交的内容含有敏感字眼,请更换内容。');</script>";exit;}
}
return $string;
}