
Illegal character filtering_PHP tutorial

WBOY (original), 2016-07-13 17:09:22

This article mainly talks about filtering illegal characters in PHP. It does not cover the corresponding ASP functions, but the idea is the same.

1) Filter characters that affect the normal operation of MySQL.

When you need to interpolate content entered by the user (which may include single quotes, double quotes, backslashes and the NUL character) into a MySQL statement for execution, you should set the magic_quotes_gpc item in APACHE to On.

If this item in APACHE is set to Off, the PHP function addslashes() achieves the same purpose, but the two methods must not be used at the same time, otherwise the string is escaped twice and errors occur.

Sample:

PHP code

<?php
// magic_quotes_gpc has already escaped $_POST, so call addslashes() only when it is off
if (get_magic_quotes_gpc()) {
    $content = $_POST["content"];
} else {
    $content = addslashes($_POST["content"]);
}
?>

Of course, if the magic_quotes_gpc item in APACHE is On but you sometimes do not want the special characters of a particular item escaped, you can use stripslashes() to remove the

2) Filter characters that affect the normal operation of MSSQL.

When you need to interpolate content entered by the user (which may include single quotes) into an MSSQL statement for execution, you should set the magic_quotes_sybase item in APACHE to On. At that point the magic_quotes_gpc item no longer takes effect.

If this item in APACHE is set to Off, PHP has no dedicated function for the same purpose; you have to use a string replacement function instead.

Sample:

PHP code

<?php
// double each single quote, which is how MSSQL escapes a quote inside a string literal
$content = str_replace("'", "''", $_POST["content"]);
?>

Currently the PHP installation on 10.218.17.53 needs to access both MySQL and MSSQL. The APACHE settings cannot accommodate both databases at once, so only MySQL has been configured accordingly.
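The following is an added example, not code from the original article: one helper that undoes magic_quotes_gpc when it is on and then escapes exactly once, for either database. The function names (raw_input, escape_for_mysql, escape_for_mssql) and the sample input are ours; it assumes the caller knows whether magic_quotes_gpc was active for the request.

```php
<?php
// Added example (not from the original article).

// magic_quotes_gpc already ran addslashes() over GET/POST/COOKIE data;
// undo it so the same string is never escaped twice.
function raw_input(string $value, bool $magic_quotes_on): string
{
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// MySQL: addslashes() backslash-escapes ' " \ and NUL, the four characters
// that section 1) lists.
function escape_for_mysql(string $value): string
{
    return addslashes($value);
}

// MSSQL: a single quote inside a string literal is escaped by doubling it,
// the same thing magic_quotes_sybase does.
function escape_for_mssql(string $value): string
{
    return str_replace("'", "''", $value);
}

// Constructed sample input: a quote, a backslash and an embedded NUL byte.
$sample = "O'Reilly \\ path\0end";

// With magic_quotes_gpc=On the request would already arrive escaped.
$as_received = addslashes($sample);

// Normalise first, then escape once for the database actually being used.
$clean = raw_input($as_received, true);
echo "round trip intact: ", var_export($clean === $sample, true), "\n";
echo "mysql: ", var_export(escape_for_mysql($clean), true), "\n";
echo "mssql: ", var_export(escape_for_mssql($clean), true), "\n";

// The mistake section 1) warns about: escaping the already-escaped value,
// which doubles every backslash addslashes() inserted.
echo "escaped twice: ", var_export(escape_for_mysql($as_received), true), "\n";
```

Running it once with the sample above shows the clean value matching the original and the twice-escaped value carrying extra backslashes; the same helper covers both databases, so the configuration conflict described for 10.218.17.53 disappears if escaping is done in code rather than through APACHE settings.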

2. A measure to deal with user input containing SQL statements.

The following two ways of writing the SQL are both common, but their security level differs. When the user submits $id='1 and 1=2 union select...', the first one displays data that should not be displayed, while the second is relatively safer.

SQL code
SELECT * FROM article WHERE articleid=$id
SELECT * FROM article WHERE articleid='$id'
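An added example (not code from the original article) that builds both query shapes from the article's own sample input and shows why the quoted form is only safe together with the escaping from section 1). The function names are ours, and the (int) cast is an added hardening for numeric keys that the article does not mention.

```php
<?php
// Added example (not from the original article).

// Same escaping as section 1) for MySQL.
function escape_for_mysql(string $value): string
{
    return addslashes($value);
}

// Shape 1 from the article: unquoted interpolation. Whatever the user sends
// becomes part of the SQL grammar, so a value containing spaces is parsed as
// additional clauses rather than as a single key.
function query_unquoted(string $id): string
{
    return "SELECT * FROM article WHERE articleid=$id";
}

// Shape 2 from the article, with escaping: the value stays inside a string
// literal, and the only character that could end that literal (a quote) is
// escaped first.
function query_quoted(string $id): string
{
    return "SELECT * FROM article WHERE articleid='" . escape_for_mysql($id) . "'";
}

// Added hardening: articleid is numeric, so cast before interpolating.
// PHP's (int) cast keeps only the leading integer of the string, which
// removes the quoting question entirely for this column.
function query_int(string $id): string
{
    return "SELECT * FROM article WHERE articleid=" . (int) $id;
}

// The article's sample input.
$id = "1 and 1=2 union select...";

echo query_unquoted($id), "\n";   // extra clauses become part of the statement
echo query_quoted($id), "\n";     // the whole text sits inside '...'
echo query_int($id), "\n";        // only an integer reaches the statement
```

The three printed statements make the difference visible without a database: in the first the input is SQL, in the second it is a string literal, in the third it is a number.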

3. Prevent the content entered by the user from affecting the normal display of the page due to the inclusion of html tags or javascript.

You can use htmlspecialchars() to convert & " < > into HTML entities.

PHP code
$content = htmlspecialchars($content);

4. When the content to be displayed on the page contains carriage returns and line feeds, you can use nl2br() to turn them into line breaks on the page.
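An added example for sections 3 and 4 (not code from the original article): the order of the two calls matters, because nl2br() inserts <br /> tags that a later htmlspecialchars() would escape again. The function names and the sample comment are ours.

```php
<?php
// Added example (not from the original article).

// Correct order: escape the user's text first, then convert newlines, so the
// <br /> tags from nl2br() are the only markup that reaches the page.
function safe_html_output(string $text): string
{
    // ENT_QUOTES also converts the single quote, which the default flags leave
    // alone and which matters inside single-quoted attribute values.
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return nl2br($escaped);
}

// Wrong order: nl2br() first, then htmlspecialchars() turns the inserted
// <br /> into &lt;br /&gt;, so the visitor sees the tag as text and no line break.
function broken_order(string $text): string
{
    return htmlspecialchars(nl2br($text), ENT_QUOTES, 'UTF-8');
}

// Constructed sample: an HTML tag, a script tag, an ampersand, a quote and a newline.
$comment = "line one <b>bold</b> <script>not run</script>\nline two & 'quoted'";

echo safe_html_output($comment), "\n";
echo broken_order($comment), "\n";
```

The first output keeps the tags as visible text and still breaks the line; the second shows the literal br tag, which is the symptom to look for when output looks "double escaped".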

Method 1.

<?php
function chkstr($paravalue, $paratype) // filter illegal characters
{
    if ($paratype == 1) {
        $inputstr = str_replace("'", "''", $paravalue);   // double single quotes (MSSQL style)
    } elseif ($paratype == 2) {
        $inputstr = str_replace("'", "", $paravalue);     // strip single quotes entirely
    } else {
        $inputstr = $paravalue;                            // unknown type: leave the value unchanged
    }
    return $inputstr;
}
$user1 = chkstr($_GET["user"], 1);
$user2 = chkstr($_GET["user"], 2);
//$user=$_GET["user"];
print "Method 1----------------\n";
print "$user1\n";
print "Method 2-----------------\n";
print "$user2\n";
?>
Method 2.

<?php
// Usage: qstr($str, get_magic_quotes_gpc())
function qstr($string, $magic_quotes = false, $tag = false)
{
    $tag_str = '';
    if ($tag) $tag_str = "'";   // optionally wrap the result in single quotes
    if (!$magic_quotes) {
        if (strnatcmp(PHP_VERSION, '4.3.0') >= 0) {
            // PHP >= 4.3.0: let the MySQL client library do the escaping
            return $tag_str . mysql_real_escape_string($string) . $tag_str;
        }
        // older PHP: escape by hand. Backslash first, so the backslashes
        // added for NUL and the single quote are not doubled afterwards.
        $string = str_replace('\\', '\\\\', $string);
        $string = str_replace("\0", "\\0", $string);
        $string = str_replace("'", "\\'", $string);
        return $tag_str . $string . $tag_str;
    }
    // magic_quotes already escaped the string; only undo the escaping of double quotes
    return $tag_str . str_replace('\\"', '"', $string) . $tag_str;
}
?>
