How to do php form security filtering?

There are many methods on the Internet, and I don’t know what to use.
What specifically needs to be filtered to ensure security? What function to use?
What function or method is most suitable to filter discordant words?

It is best to give a complete set of code. I've seen too many clips and it's already messed up. . .

Reply content:

There are many methods on the Internet, and I don’t know what to use.
What specifically needs to be filtered to ensure security? What function to use?
What function or method is most suitable to filter discordant words?

It is best to give a complete set of code. I've seen too many clips and it's already messed up. . .

• Form level validation. Anything entered on the page can be verified with js. js also has many functions to verify different characters, depending on the situation

• Program level verification. The main consideration is in SQL. Of course, there are many functions for character processing in PHP. You can use different functions according to your own needs

Provide a small method to prevent SQL injection

<code>    /**
     * description 过滤转义POST|GET
     */
    final public static function isEscape($val, $isboor = false) {
        if (! get_magic_quotes_gpc ()) {
            $val = addslashes ( $val );
        }
        if ($isboor) {
            $val = strtr ( $val, array (
                    "%" => "\%",
                    "_" => "\_" 
            ) );
        }
        return $val;
    }</code>

Of course, if you use PDO, PDO preprocessing can effectively prevent SQL injection

<code>1.防止表单重复提交，1.用表单令牌可以解决,2.点击提交按钮后，立即禁用button按钮
2.防止表单提交多余的数据, PHP 接收POST的时候，需要过滤，哪些是表单的，哪些的用户构造的
3.防止SQL注入，进行类型强制转换和采用PDO绑定参数方式操作数据库(参见thinkphp数据库类)
4.防止XSS攻击，需要过滤掉 <script> <iframe>等危险的HTML代码(参见thinkphp的 I 函数)
5.防止csrf攻击，每次进行增删查改之前，验证一个token 即可(参见Yii2的写法)</code>

If you want to ask about the code, never ask for the code directly when asking questions. You can only post your code and let us help you troubleshoot. If you refuse to reach out to others, there will definitely be no problem. This is all based on the combination of various excellent It may take a long time to write the
code accumulated and summarized by frameworks and open source projects

First of all, it is an effective method to pass preliminary data through JS on the client side, but please note that all verifications performed on the client side are not safe and can be bypassed

Then perform data filtering at the code level. For example, some functions in PHP can be used to perform some simple filtering operations:
strip_tags can remove all html tags in the text content
htmlspecialchars can filter the html in the text content Escape tags
addslashes can escape special symbols in content

These functions can be used for preliminary filtering, and then you need to write corresponding rules for specific content. For example, to remove js code or other sensitive words, you need to write corresponding regular rules to replace them

Finally, some safety operations are performed when executing sql, such as preprocessing of pdo, etc.