
Examples of php data filtering functions and methods, examples of php filtering functions

1. Basic principles of php submitted data filtering

1) When submitting variables to the database, we must filter them with addslashes(). For example, the injection problem can be solved with addslashes() alone. In fact, when it comes to variable values, the intval() function is also a good choice for filtering strings.

2) Enable magic_quotes_gpc and magic_quotes_runtime in php.ini. magic_quotes_gpc escapes the quotation marks in GET, POST and cookie data with backslashes, and magic_quotes_runtime formats data as it enters and leaves the database. This setting was very popular back in the old days when injection was rampant.

3) When using system functions, you must filter the arguments with escapeshellarg() and escapeshellcmd(); only then can you call system functions with confidence.

4) For cross-site scripting, the two functions strip_tags() and htmlspecialchars() are both good. All HTML and PHP tags submitted by users will be converted; for example, angle brackets become HTML entities.

The code is as follows:

<?php
// Convert special characters, including single and double quotes, to HTML entities
$new = htmlspecialchars("Test", ENT_QUOTES);

// Remove HTML and PHP tags; the optional second argument lists tags to keep
$text = $_POST['text'] ?? '';
$text = strip_tags($text);
?>

5) For functions such as include(), unlink(), fopen() and so on, as long as you strictly specify the variables the operation is performed on, or strictly filter the relevant characters, I think this will be impeccable.

2. PHP simple data filtering

1) Inbound: trim($str), addslashes($str)

2) Outbound: stripslashes($str)

3) Display: htmlspecialchars(nl2br($str))
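As an added example (not code from the original article), the three steps above written as small functions and run on a constructed string; it also shows why the order inside the display step matters, because htmlspecialchars(nl2br($str)) escapes the <br /> that nl2br has just inserted:

```php
<?php
// Added example, not the article's code: inbound / outbound / display as functions.

function inbound(string $s): string
{
    // Inbound: trim, then addslashes. The slashes only matter when the value is
    // later spliced into SQL by hand; a prepared statement makes them unnecessary.
    return addslashes(trim($s));
}

function outbound(string $s): string
{
    // Outbound: undo addslashes on the way back from the database.
    return stripslashes($s);
}

function display_as_in_article(string $s): string
{
    // The article's order: nl2br first, then escape. The "<br />" that nl2br
    // inserted is itself escaped, so the browser shows it as literal text.
    return htmlspecialchars(nl2br($s), ENT_QUOTES);
}

function display_escape_first(string $s): string
{
    // Escape first, then insert "<br />": user tags are neutralised and the
    // line break survives as markup.
    return nl2br(htmlspecialchars($s, ENT_QUOTES));
}

// Constructed input containing a quote, a tag and a newline.
$raw = "  O'Neil <script>alert(1)</script>\nline two  ";

$stored = inbound($raw);     // what would be written to the database
$back   = outbound($stored); // what comes back out

echo display_as_in_article($back), PHP_EOL;
echo display_escape_first($back), PHP_EOL;
```

Run it and compare the two output lines: only the second one contains an unescaped <br /> while still escaping the script tag.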

Let's look at the example below, the dispatch.php script, for further discussion:

The code is as follows:

<?php
/* Global security handling */

switch ($_GET['task'] ?? '')   // default to '' so a missing task falls through to the index
{
    case 'print_form':
        include '/inc/presentation/form.inc';
        break;

    case 'process_form':
        $form_valid = false;
        include '/inc/logic/process.inc';
        if ($form_valid)
        {
            include '/inc/presentation/end.inc';
        }
        else
        {
            include '/inc/presentation/form.inc';
        }
        break;

    default:
        include '/inc/presentation/index.inc';
        break;
}
?>


If this is the only publicly accessible PHP script, you can be sure that the initial global security handling cannot be bypassed. It also lets developers see the control flow for a specific task at a glance. For example, without reading the entire code base it is clear that when $form_valid is true, end.inc is the only thing displayed to the user; since $form_valid is initialized to false just before process.inc is included, the internal logic of process.inc must be what sets it to true; otherwise the form is displayed again (possibly with an associated error message).

Note

If you use a directory index file such as index.php (instead of dispatch.php), you can use a URL like this: http://example.org/?task=print_form.

You can also use Apache ForceType redirection or mod_rewrite to tidy up the URL: http://example.org/app/print-form.

Include method

Another approach is to use a single module that is responsible for all security handling. This module is included at the top (or very near the top) of every public PHP script. Refer to the following script, security.inc:

The code is as follows:

<?php
switch ($_POST['form'] ?? '')   // default to '' when no form field was submitted
{
    case 'login':
        $allowed = array();
        $allowed[] = 'form';
        $allowed[] = 'username';
        $allowed[] = 'password';
        $sent = array_keys($_POST);
        // The submitted field names must match the allowed list exactly
        if ($allowed == $sent)
        {
            include '/inc/logic/process.inc';
        }
        break;
}
?>

In this example, each submitted form is considered to contain the unique verification value form, and security.inc independently processes the data in the form that needs to be filtered. The HTML form that implements this requirement is as follows:

The code is as follows:

<!-- the action path is a placeholder; the field names are the ones security.inc allows -->
<form action="/dispatch.php" method="post">
    <input type="hidden" name="form" value="login" />
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <!-- the submit button has no name, so it adds no extra key to $_POST -->
    <input type="submit" value="Log in" />
</form>

The array $allowed is used to verify which form variables are allowed; this list must match the form before the form is processed. The control flow decides what gets executed, and process.inc is where the filtered data actually ends up.

Note

A better way to ensure that security.inc is always included at the beginning of every script is to use the auto_prepend_file setting.

Example of filtering

Creating a whitelist is very important for data filtering. Since it's impossible to give examples for every type of form data you may encounter, some examples can help you get a general understanding.

The following code verifies the email address:

The code is as follows:

<?php
$clean = array();
// Pattern with the backslashes restored: \s for whitespace, \. for a literal dot
$email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
if (preg_match($email_pattern, $_POST['email'] ?? '')) {
    $clean['email'] = $_POST['email'];
}
?>


The following code ensures that the content of $_POST['color'] is red, green, or blue:

The code is as follows:

<?php
$clean = array();
switch ($_POST['color'] ?? '') {
    case 'red':
    case 'green':
    case 'blue':
        $clean['color'] = $_POST['color'];
        break;
}
?>


The following code ensures that $_POST['num'] is an integer:

The code is as follows:

<?php
$clean = array();
// Compare the raw string with the integer it converts to, so "12abc" and "1.5" are rejected
if (($_POST['num'] ?? '') == strval(intval($_POST['num'] ?? ''))) {
    $clean['num'] = $_POST['num'];
}
?>


The following code ensures that $_POST['num'] is a floating point number (float):

The code is as follows:

<?php
$clean = array();
// Same idea as the integer check, but round-tripping through floatval()
if (($_POST['num'] ?? '') == strval(floatval($_POST['num'] ?? '')))
{
    $clean['num'] = $_POST['num'];
}
?>
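An added example, not from the original article, that combines the four checks above into one whitelist function returning $clean. It uses strict comparison and filter_var() (PHP 7.1 or later assumed) where the article's loose == test is more permissive than it looks: on PHP 7.1+ "1e3" == strval(intval("1e3")) is true, because both sides are numeric strings and compare numerically.

```php
<?php
// Added example, not the article's code: one whitelist filter for the four checks.

function filter_request(array $post): array
{
    $clean = [];

    // E-mail: the article's pattern, with its backslashes in place.
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (isset($post['email']) && is_string($post['email'])
        && preg_match($email_pattern, $post['email'])) {
        $clean['email'] = $post['email'];
    }

    // Colour: in_array() with strict=true is the article's switch as a lookup.
    if (isset($post['color'])
        && in_array($post['color'], ['red', 'green', 'blue'], true)) {
        $clean['color'] = $post['color'];
    }

    // Integer: a strict (===) round trip rejects " 42", "007" and "1e3",
    // all of which pass the article's == test on PHP 7.1+.
    if (isset($post['num']) && is_string($post['num'])
        && $post['num'] === strval(intval($post['num']))) {
        $clean['num'] = (int) $post['num'];
    }

    // Float: filter_var() returns false (never 0.0) for anything that is
    // not a float literal, so the result can be tested with !== false.
    if (isset($post['price']) && is_string($post['price'])) {
        $price = filter_var($post['price'], FILTER_VALIDATE_FLOAT);
        if ($price !== false) {
            $clean['price'] = $price;
        }
    }

    return $clean; // anything not in here stays untrusted
}

// Constructed input standing in for $_POST; "purple" and "1e3" exercise the
// rejection paths, and "extra" shows that unknown keys never reach $clean.
$sample = ['email' => 'alice@example.org', 'color' => 'purple',
           'num' => '1e3', 'price' => '19.99', 'extra' => 'ignored'];
var_dump(filter_request($sample));
```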

Naming convention

Every example above uses the array $clean. This is a good habit for helping developers judge whether data is potentially dangerous. Never keep data in $_POST or $_GET after validating it; as a developer you should always remain fully suspicious of the data held in the superglobal arrays.

In addition, using $clean helps you think about what has not yet been filtered; it works much like a whitelist and raises the level of security.

If only validated data is ever stored in $clean, the only remaining risk in data validation is that an array element you reference does not exist, rather than unfiltered dangerous data.

Timing

Once a PHP script starts executing, the HTTP request has completely ended. At that point the user has no opportunity to send data to the script. Therefore no further data can be injected into the script (even with register_globals enabled). This is why initializing variables is a very good habit.

Anti-injection

The code is as follows:

<?php
// Site-wide PHP anti-injection script: require_once this file from a common include

// Check the magic_quotes_gpc state. If magic quotes are off (or the function no
// longer exists, as in PHP 8) escape the superglobals here; if they are on, PHP
// has already added the slashes and doing it again would double-escape.
if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
    $_GET    = sec($_GET);
    $_POST   = sec($_POST);
    $_COOKIE = sec($_COOKIE);
    $_FILES  = sec($_FILES);
}
$_SERVER = sec($_SERVER);

function sec(&$array) {
    // If it is an array, walk it and recurse into each element
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = sec($v);
        }
    } else if (is_string($array)) {
        // Handle strings with addslashes
        $array = addslashes($array);
    } else if (is_numeric($array)) {
        $array = intval($array);
    }
    return $array;
}

// Integer filter function
function num_check($id) {
    if (!$id) {                         // empty check
        die('参数不能为空!');
    } else if (inject_check($id)) {     // injection check
        die('非法参数');
    } else if (!is_numeric($id)) {      // numeric check
        die('非法参数');
    }
    $id = intval($id);                  // cast to integer
    return $id;
}

// String filter function
function str_check($str) {
    if (inject_check($str)) {           // injection check
        die('非法参数');
    }
    $str = htmlspecialchars($str);      // convert HTML special characters
    return $str;
}

// Search-term filter: escape the LIKE wildcards so they match literally
function search_check($str) {
    $str = str_replace("_", "\\_", $str);   // escape "_"
    $str = str_replace("%", "\\%", $str);   // escape "%"
    $str = htmlspecialchars($str);          // convert HTML special characters
    return $str;
}

// Form filter function
function post_check($str, $min, $max) {
    if (isset($min) && strlen($str) < $min) {
        die("最少{$min}字节");
    } else if (isset($max) && strlen($str) > $max) {
        die("最多{$max}字节");
    }
    return stripslashes_array($str);
}

// Anti-injection function: keyword blacklist (eregi() is gone since PHP 7, so preg_match() is used)
function inject_check($sql_str) {
    return preg_match('~select|insert|update|delete|\'|/\*|\*|\.\./|\./|union|into|load_file|outfile~i', $sql_str);
}

function stripslashes_array(&$array) {
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } else if (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}
?>
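An added example (not from the original article) of what search_check() is for: escaping "_" and "%" so a search term cannot act as a LIKE wildcard, with the term then bound through a PDO prepared statement, which is what actually keeps user input out of the SQL text. It assumes the pdo_sqlite extension and uses a constructed in-memory table:

```php
<?php
// Added example, not the article's code: LIKE-wildcard escaping plus a prepared
// statement. Assumes pdo_sqlite is installed.

function like_escape(string $term, string $esc = '\\'): string
{
    // Escape the escape character itself first, then the two LIKE wildcards,
    // so "bob_" searches for a literal underscore rather than "bob" + any char.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $term);
}

function search_users(PDO $db, string $term): array
{
    // The SQL text is a constant; the user-supplied term travels as a bound
    // parameter, so quotes or keywords inside it are data, not SQL.
    $stmt = $db->prepare(
        "SELECT username FROM users WHERE username LIKE :pat ESCAPE '\\' ORDER BY username"
    );
    $stmt->execute([':pat' => '%' . like_escape($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory database and rows standing in for a real users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['alice', 'bob_smith', 'bobby', 'admin'] as $name) {
    $ins->execute([$name]);
}

// "bob_" must match only a name containing a literal underscore.
print_r(search_users($db, 'bob_'));
// A term containing a quote is still just a string to search for.
print_r(search_users($db, "o'neil"));
```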

  



 

The process for filtering data after a PHP form receives user input

addslashes
htmlspecialchars

mysql_real_escape_string
For numeric values you can use intval(); it is best to loop over $_POST beforehand and apply addslashes or another function to each item.
Any of the above will do, depending on your needs.


PHP data filtering question

Assume your data is in the array $demo; let's write a piece of code to filter it.
$count = 0;
foreach ($demo as $ditem) {
    // skip any row where one of the four values is zero
    if (($ditem['a'] == 0) || ($ditem['b'] == 0) || ($ditem['c'] == 0) || ($ditem['d'] == 0)) continue;
    echo $ditem['id'] . ' ' . $ditem['a'] . ' ' . $ditem['b'] . ' ' . $ditem['c'] . ' ' . $ditem['d'] . ' ' . $ditem['e'] . PHP_EOL;
    $count++;
}
echo '总行数:' . $count;


Source: http://www.bkjia.com/PHPjc/908127.html