PHP security filtering
ASCII code / URL encoding table: http://www.w3school.com.cn/tags/html_ref_urlencode.html
--------------------
1. Validate and filter user input
Even ordinary alphanumeric input can be dangerous, and it is easy to list characters that cause security issues:
! $ ^ & * ( ) ~ [ ] | { } ' " ; ? - `
Characters that have special meaning in a database:
' " ;
There are also some non-printing characters:
\x00 (ASCII 0): NUL, often written as NULL or FALSE
\x0a and \x0d (ASCII 10 and 13): \n and \r
\x1a (ASCII 26): the end-of-file marker
Passing a parameter of the wrong type can also cause unexpected errors in the program.
Passing an over-long parameter value can lead to overflows and other errors.
2. Filtering file paths and names
File names must not contain binary data, or problems may result.
Some systems allow Unicode multi-byte encoded file names, but this should be avoided in favour of ASCII characters.
Although Unix systems accept almost any symbol in a file name, restrict yourself to letters, digits, - and _ and avoid other characters.
The length of the file name also needs to be limited.
3. Prevent SQL injection
Check the type of user input. When the input is expected to be a number, you can use one of the following:
- the is_int() function (or is_integer() or is_long())
- the gettype() function
- the intval() function
- the settype() function
To check the length of a user-supplied string, use the strlen() function.
To check whether a date or time is valid, use the strtotime() function.
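As an added example (not from the original page), the type, length and date checks of sections 1 and 3 wrapped into one validator. The field names id, name and event_date and the 64-byte limit are assumptions for illustration; validated values are still meant to reach the database through prepared statements with bound parameters, not string concatenation.

```php
<?php
// Added example: validate a record the way sections 1 and 3 describe (type, length,
// date) before it reaches SQL. Field names and limits are assumptions for illustration.
function validate_record(array $in): array
{
    $errors = [];
    $clean  = [];

    // Numeric id. intval() alone is not a check: intval("7abc") is 7 and intval("abc") is 0,
    // both silently. Require an all-digit string first (ctype_digit rejects "", "-1", "7abc").
    $id = isset($in['id']) ? (string) $in['id'] : '';
    if (!ctype_digit($id) || strlen($id) > 18) {   // 18 digits keeps intval() below PHP_INT_MAX
        $errors[] = 'id must be a non-negative integer';
    } else {
        $clean['id'] = intval($id);
    }

    // Length check with strlen(): it counts bytes, so 64 bytes is fewer than 64 characters
    // for multi-byte UTF-8 input; use mb_strlen() when the limit is meant in characters.
    $name = isset($in['name']) ? trim((string) $in['name']) : '';
    if ($name === '' || strlen($name) > 64) {
        $errors[] = 'name must be 1 to 64 bytes';
    } elseif (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors[] = 'name contains control characters';   // the non-printing bytes from section 1
    } else {
        $clean['name'] = $name;
    }

    // Date check with strtotime(): it returns false for anything it cannot parse.
    $ts = isset($in['event_date']) ? strtotime((string) $in['event_date']) : false;
    if ($ts === false) {
        $errors[] = 'event_date is not a valid date';
    } else {
        $clean['event_date'] = date('Y-m-d', $ts);   // normalised form for the query
    }

    return ['ok' => $errors === [], 'values' => $clean, 'errors' => $errors];
}

// Constructed sample inputs: one well-formed record, one failing all three checks.
var_dump(validate_record(['id' => '42', 'name' => 'alice', 'event_date' => '2024-02-29']));
var_dump(validate_record(['id' => '7abc', 'name' => "bo\x01b", 'event_date' => 'not a date']));
```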
4. Prevent XSS attacks
A common XSS technique is to inject HTML elements that execute JavaScript. PHP has built-in defensive functions for this, such as htmlentities() and htmlspecialchars().
5. Filter URLs submitted by users
If users may enter a URL for an image or link, you must make sure they cannot pass in a non-HTTP scheme such as javascript:, vbscript: or data:.
PHP's built-in parse_url() function splits the URL into its components so that the scheme can be checked.
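An added example, not from the original page, that combines sections 4 and 5: a user-supplied link is accepted only with an http or https scheme (checked via parse_url()) and is then written into the page with htmlspecialchars(). The function name and the scheme allow-list are this example's own choices.

```php
<?php
// Added example: render a user-supplied link safely. The scheme allow-list and the
// function name are assumptions of this example, not part of the original page.
function safe_link_html(string $url, string $text): ?string
{
    $url = trim($url);
    // Reject control characters and whitespace inside the URL before parsing; browsers
    // tolerate some of them inside a scheme, so they must not reach the check below.
    if ($url === '' || preg_match('/[\x00-\x20\x7F]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    // Allow-list, not block-list: only absolute http/https URLs pass. javascript:, vbscript:,
    // data: and scheme-less values such as "//host" or "../x" all fail this test.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    // Encode for the attribute and for element content. ENT_QUOTES also covers the single
    // quote; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $body = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '" rel="noopener noreferrer">' . $body . '</a>';
}

// Constructed inputs: one accepted link, two rejected by the scheme allow-list.
var_dump(safe_link_html('https://example.com/a?b=1&c=2', 'site <b>bold</b>'));
var_dump(safe_link_html('javascript:void(0)', 'x'));
var_dump(safe_link_html('data:text/plain,hello', 'x'));
```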
6. Prevent remote execution
Remote execution usually relies on PHP code-evaluating functions such as eval(), or on command-execution functions such as exec(), passthru(), proc_open(), shell_exec(), system() and popen().
PHP code injection: PHP gives developers many ways to invoke PHP scripts, so user-controllable data must be filtered before it reaches any of them.
7. Shell command execution
PHP provides functions that execute system commands directly, such as exec() or the ` (backtick) operator.
PHP's safe mode offered some protection (it was removed in PHP 5.4), and even where it exists there are ways to bypass it:
1. Upload a script in another language the server supports (Perl, Python, Ruby, etc.); executing scripts in other languages bypasses PHP's safe mode.
2. Use a buffer overflow vulnerability in the system to bypass safe mode.
Some characters related to the shell:
Name                  Character  ASCII  Hex   URL encoding  HTML encoding
Line feed             \n         10     x0a   %0a           &#10;
Exclamation mark      !          33     x21   %21           &#33;
Double quote          "          34     x22   %22           &#34; or &quot;
Dollar sign           $          36     x24   %24           &#36;
Ampersand             &          38     x26   %26           &#38; or &amp;
Single quote          '          39     x27   %27           &#39;
Left parenthesis      (          40     x28   %28           &#40;
Right parenthesis     )          41     x29   %29           &#41;
Asterisk              *          42     x2a   %2a           &#42;
Hyphen                -          45     x2d   %2d           &#45;
Semicolon             ;          59     x3b   %3b           &#59;
Left angle bracket    <          60     x3c   %3c           &#60; or &lt;
Right angle bracket   >          62     x3e   %3e           &#62; or &gt;
Question mark         ?          63     x3f   %3f           &#63;
Left square bracket   [          91     x5b   %5b           &#91;
Backslash             \          92     x5c   %5c           &#92;
Right square bracket  ]          93     x5d   %5d           &#93;
Caret                 ^          94     x5e   %5e           &#94;
Backtick              `          96     x60   %60           &#96;
Left curly brace      {          123    x7b   %7b           &#123;
Pipe                  |          124    x7c   %7c           &#124;
Right curly brace     }          125    x7d   %7d           &#125;
Tilde                 ~          126    x7e   %7e           &#126;
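An added example (not from the original page) that turns sections 2 and 7 into code: a file name is accepted only if it consists of ASCII letters, digits, - and _ with an optional short extension and a bounded length, which rejects every character in the table above; and when such a name is placed on a command line it still goes through escapeshellarg() rather than relying on safe mode. The function names, the 64-byte limit and the upload directory are assumptions.

```php
<?php
// Added example: allow-list file-name check (section 2) and safe command construction
// (section 7). Function names, limits and the directory are assumptions of this example.
function safe_filename(string $name, int $maxLen = 64): ?string
{
    // ASCII letters, digits, "-" and "_" plus an optional short extension. The pattern admits
    // no "/", "\", "..", whitespace or shell metacharacter, so every row of the table above is
    // rejected, as are multi-byte names and NUL bytes. \z (not $) stops a trailing "\n" passing.
    if ($name === '' || strlen($name) > $maxLen
        || !preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]{1,8})?\z/', $name)) {
        return null;
    }
    return $name;
}

// Build a command line for a user-named file. Even after the allow-list, the argument is
// passed through escapeshellarg(), so the rule still holds if the pattern is ever loosened.
function build_list_command(string $userName): ?string
{
    $file = safe_filename($userName);
    if ($file === null) {
        return null;
    }
    return 'ls -l ' . escapeshellarg('/var/app/uploads/' . $file);
}

// Constructed inputs: one valid name, then a metacharacter, a trailing newline, a path.
var_dump(safe_filename('report-2024_q1.txt'));
var_dump(safe_filename('a;b.txt'));
var_dump(safe_filename("notes.txt\n"));
var_dump(build_list_command('../etc/hosts'));
```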
--------------------
Security filtering function code:

```php
<?php
/**
 * Safe filtering of input [jb]
 * Strips control characters and NUL bytes, then HTML-encodes the characters that
 * are special in markup. When $isurl is set, bare "&" is left alone so that query
 * strings are not double-encoded.
 */
function check_str($string, $isurl = false)
{
    $string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string); // remove control characters
    $string = str_replace(array("\0", "%00", "\r"), '', $string);           // NUL (raw and URL-encoded) and CR
    // HTML allows &xx; to encode characters, e.g. &nbsp; (space) or &#160; (Unicode code points).
    // A(?!B) is a negative lookahead, "A not followed by B", so a "&" becomes &amp; only when it
    // does not already start such an entity; existing entities are kept.
    empty($isurl) && $string = preg_replace("/&(?!(#[0-9]+|[a-z]+);)/si", '&amp;', $string);
    $string = str_replace(array("%3C", '<'), '&lt;', $string);
    $string = str_replace(array("%3E", '>'), '&gt;', $string);
    $string = str_replace(array('"', "'", "\t", '  '), array('&quot;', '&#39;', '    ', '&nbsp;&nbsp;'), $string);
    return trim($string);
}

/**
 * Security filtering - high filtering level: removes javascript event handlers and
 * <script>, <iframe> and <object> blocks
 * @param string $value The value to be filtered
 * @return string
 */
function filter_script($value)
{
    // Break "onclick", "onload", ... by replacing the leading "o" with its entity &#111; and
    // keeping the rest of the event name ($2). Single quotes keep PHP from reading "\2" as octal.
    $value = preg_replace("/(javascript:)?on(click|load|key|mouse|error|abort|move|unload|change|dblclick|move|reset|resize|submit)/i", '&#111;n$2', $value);
    $value = preg_replace("/<script(.*?)>(.*?)<\/script>/si", "", $value);
    $value = preg_replace("/<iframe(.*?)>(.*?)<\/iframe>/si", "", $value);
    // No /e (eval) modifier: it was removed in PHP 7 and is not needed for a plain deletion.
    $value = preg_replace("/<object.+<\/object>/isU", '', $value);
    return $value;
}

/**
 * Security filtering - filtering HTML tags
 * @param string $value The value to be filtered
 * @return string
 */
function filter_html($value)
{
    if (function_exists('htmlspecialchars')) {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); // ENT_QUOTES also encodes ', like the fallback
    }
    return str_replace(array("&", '"', "'", "<", ">"), array("&amp;", "&quot;", "&#39;", "&lt;", "&gt;"), $value);
}

/**
 * Security filtering - strips SQL keywords and path fragments from incoming data
 * to hinder SQL injection. This is a case-sensitive keyword blacklist: it mangles
 * legitimate text containing these words and is no substitute for prepared
 * statements with bound parameters.
 * @param string $value The value to be filtered
 * @return string
 */
function filter_sql($value)
{
    $sql    = array("select", 'insert', "update", "delete", "'", "/*", "../", "./", "union", "into", "load_file", "outfile");
    $sql_re = array("", "", "", "", " ", "", "", "", "", "", "", "");
    return str_replace($sql, $sql_re, $value);
}

/**
 * Security filtering - general data filtering; applies filter_str() to a string
 * or to every element of an array
 * @param string|array $value Variables that need to be filtered
 * @return string|array
 */
function filter_escape($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = filter_str($v);
        }
    } else {
        $value = filter_str($value);
    }
    return $value;
}

/**
 * Security filtering - string filtering of special harmful characters
 * @param string $value The value to be filtered
 * @return string
 */
function filter_str($value)
{
    // Assumed mapping, matching the description above: drop NUL bytes and CR, and
    // entity-encode the markup characters in both their raw and URL-encoded forms.
    $badstr = array("\0", "%00", "\r", '&', '"', "'", "<", ">", "%3C", "%3E");
    $newstr = array('', '', '', '&amp;', '&quot;', '&#39;', '&lt;', '&gt;', '&lt;', '&gt;');
    $value  = str_replace($badstr, $newstr, $value);
    // Restore numeric entities (&#160; or &#x00A0;) that the "&" replacement just broke.
    $value  = preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $value);
    return $value;
}
```
