Home  >  Article  >  Backend Development  >  PHP uses str_replace() function to prevent injection_PHP tutorial

PHP uses str_replace() function to prevent injection_PHP tutorial

WBOY
WBOYOriginal
2016-07-13 10:47:511086browse

str_replace()函数的使用就是用来替换指定字符了,那么我们正好可以利用它这一点来过滤敏感字符以太到防注入的效果,下面我来给大家总结了一些方法,给大家分享一下。


PHP各种过滤字符函数

 

 代码如下 复制代码

   /**
* 安全过滤函数
*
* @param $string
* @return string
*/
function safe_replace($string) {
$string = str_replace('%20','',$string);
$string = str_replace('%27','',$string);
$string = str_replace('%2527','',$string);
$string = str_replace('*','',$string);
$string = str_replace('"','"',$string);
$string = str_replace("'",'',$string);
$string = str_replace('"','',$string);
$string = str_replace(';','',$string);
$string = str_replace('<','<',$string);
$string = str_replace('>','>',$string);
    $string = str_replace("{",'',$string);
    $string = str_replace('}','',$string);
    $string = str_replace('','',$string);
    return $string;
    }
    ?>


    /**
* 返回经addslashes处理过的字符串或数组
* @param $string 需要处理的字符串或数组
* @return mixed
*/
function new_addslashes($string) {
if(!is_array($string)) return addslashes($string);
foreach($string as $key => $val) $string[$key] = new_addslashes($val);
    return $string;
    }
    ?>


    //对请求的字符串进行安全处理
/*
$safestep
0 为不处理,
1 为禁止不安全HTML内容(javascript等),
2 完全禁止HTML内容,并替换部份不安全字符串(如:eval(、union、CONCAT(、--、等)
*/
function StringSafe($str, $safestep=-1){
$safestep = ($safestep > -1) ? $safestep : 1;
    if($safestep == 1){
    $str = preg_replace("#script:#i", "script:", $str);
    $str = preg_replace("#<[/]{0,1}(link|meta|ifr|fra|scr)[^>]*>#isU", '', $str);
    $str = preg_replace("#[ ]{1,}#", ' ', $str);
    return $str;
    }else if($safestep == 2){
    $str = addslashes(htmlspecialchars(stripslashes($str)));
    $str = preg_replace("#eval#i", 'eval', $str);
    $str = preg_replace("#union#i", 'union', $str);
    $str = preg_replace("#concat#i", 'concat', $str);
    $str = preg_replace("#--#", '--', $str);
    $str = preg_replace("#[ ]{1,}#", ' ', $str);
    return $str;
    }else{
    return $str;
    }
    }
    ?>


/**
+------------------------------------------------- ----------
* Output safe html, used to filter dangerous codes
+------------------------------------------------- ----------
* @access public
+------------------------------------------------- ----------
* @param string $text The string to be processed
* @param mixed $tags list of allowed tags, such as table|td|th|td
+------------------------------------------------- ----------
* @return string
+------------------------------------------------- ----------
​​​​*/
        static public function safeHtml($text, $tags = null)
          {
            $text = trim($text);
//Completely filter comments
                $text = preg_replace('//','',$text);
//Completely filter dynamic code
$ Text = Preg_replace ('/& LT;? |?'. '& GT;/', '', $ Text);
//Completely filter js
                $text = preg_replace('//','',$text);
              $text = str_replace('[','[',$text);
               $text = str_replace(']',']',$text);
             $text = str_replace('|','|',$text);
//Filter newlines
               $text = preg_replace('/ ? /','',$text);
                  //br
                $text = preg_replace('//i','[br]',$text);
               $text = preg_replace('/([br]s*){10,}/i','[br]',$text);
//Filter dangerous attributes, such as: filter on event lang js
while(preg_match('/(<[^><]+)(lang|on|action|background|codebase|dynsrc|lowsrc)[^><]+/i',$text,$mat )){
                   $text=str_replace($mat[0],$mat[1],$text);
           }
while(preg_match('/(<[^><]+)(window.|javascript:|js:|about:|file:|document.|vbs:|cookie)([^><] *)/i',$text,$mat)){
$text=str_replace($mat[0],$mat[1].$mat[3],$text);
           }
                  if( empty($allowTags) ) { $allowTags = self::$htmlTags['allow']; }
//Allowed HTML tags
                 $text = preg_replace('/<('.$allowTags.')( [^><[]]*)>/i','[12]',$text);
//Filter excess html
If ( empty($banTag) ) { $banTag = self::$htmlTags['ban']; }
                 $text = preg_replace('/<]*>/i','',$text);
//Filter legal html tags
while(preg_match('/<([a-z]+)[^><[]]*>[^><]*/i',$text,$mat)) {
               $text=str_replace($mat[0],str_replace('>',']',str_replace('<','[',$mat[0])),$text);
}
//转换引号
while(preg_match('/([[^[]]*=s*)("|')([^2=[]]+)2([^[]]*])/i',$text,$mat)){
$text=str_replace($mat[0],$mat[1].'|'.$mat[3].'|'.$mat[4],$text);
}
//空属性转换
$text = str_replace('''','||',$text);
$text = str_replace('""','||',$text);
//过滤错误的单个引号
while(preg_match('/[[^[]]*("|')[^[]]*]/i',$text,$mat)){
$text=str_replace($mat[0],str_replace($mat[1],'',$mat[0]),$text);
}
//转换其它所有不合法的 < >
           $text =  str_replace('<','<',$text);
$text = str_replace('>','>',$text);
           $text = str_replace('"','"',$text);
           //反转换
           $text =  str_replace('[','<',$text);
$text = str_replace(']','>',$text);
           $text =  str_replace('|','"',$text);
           //过滤多余空格
           $text =  str_replace('  ',' ',$text);
           return $text;
       }
    ?>


        function RemoveXSS($val) {
       // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
       // this prevents some character re-spacing such as
       // note that you have to handle splits with , , and later since they *are* allowed in some          // inputs
       $val = preg_replace('/([x00-x08,x0b-x0c,x0e-x19])/', '', $val);
       // straight replacements, the user should never need these since they're normal characters
       // this prevents like
       $search = 'abcdefghijklmnopqrstuvwxyz';
       $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
       $search .= '1234567890!@#$%^&*()';
       $search .= '~`";:?+/={}[]-_|'';
       for ($i = 0; $i < strlen($search); $i++) {
           // ;? matches the ;, which is optional
           // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
           // @ @ search for the hex values
           $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val);//with a ;
           // @ @ 0{0,7} matches '0' zero to seven times
           $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
       }
       // now the only remaining whitespace attacks are , , and 
       $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
       $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
       $ra = array_merge($ra1, $ra2);
       $found = true; // keep replacing as long as the previous round replaced something
       while ($found == true) {
           $val_before = $val;
           for ($i = 0; $i < sizeof($ra); $i++) {
               $pattern = '/';
               for ($j = 0; $j < strlen($ra[$i]); $j++) {
                   if ($j > 0) {
                       $pattern .= '(';
                       $pattern .= '([xX]0{0,8}([9ab]);)';
                       $pattern .= '|';
                       $pattern .= '|({0,8}([9|10|13]);)';
                       $pattern .= ')*';
                   }
                   $pattern .= $ra[$i][$j];
               }
               $pattern .= '/i';
               $replacement = substr($ra[$i], 0, 2).''.substr($ra[$i], 2); // add in <> to nerf the tag
               $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
               if ($val_before == $val) {
                   // no replacements were made, so exit the loop
                   $found = false;
               }
           }
       }
       return $val;
    }
    ?>

www.bkjia.comtruehttp://www.bkjia.com/PHPjc/632835.htmlTechArticlestr_replace()函数的使用就是用来替换指定字符了,那么我们正好可以利用它这一点来过滤敏感字符以太到防注入的效果,下面我来给大家总结...
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn