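/* Global security handling: a single dispatcher chooses which include runs. */
// `?? ''` makes a missing task fall through to the default branch without an
// undefined-array-key warning; an array value (?task[]=x) also lands on default.
switch ($_GET['task'] ?? '') {
    case 'print_form':
        include '/inc/presentation/form.inc';
        break;
    case 'process_form':
        // process.inc is expected to set $form_valid; initialise it to false so
        // a logic include that never sets it cannot reach the success page.
        $form_valid = false;
        include '/inc/logic/process.inc';
        if ($form_valid) {
            include '/inc/presentation/end.inc';
        } else {
            include '/inc/presentation/form.inc';
        }
        break;
    default:
        include '/inc/presentation/index.inc';
        break;
}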
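// Only hand the login form to the processing include when the submitted field
// set is exactly [form, username, password] in that order: extra, missing or
// reordered fields are ignored. `?? ''` avoids an undefined-key warning when
// no form field was posted.
switch ($_POST['form'] ?? '') {
    case 'login':
        $allowed = ['form', 'username', 'password'];
        // array_keys() yields a list, so the comparison is position by position.
        // === (not ==) is required: numeric-string field names arrive as int
        // keys, and on PHP 7 'form' == 0 is true, which would let them pass.
        $sent = array_keys($_POST);
        if ($allowed === $sent) {
            include '/inc/logic/process.inc';
        }
        break;
}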
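$clean = [];
// Shape check for an e-mail address: a local part with no whitespace, '@',
// '<', '&' or '>', then one or more dot-separated labels and a 2+ letter TLD.
// The backslashes matter: without them `s` is excluded as a literal letter and
// `.` matches any character, so "a@bXc" would be accepted.
$email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
// is_string() guards against a posted array (email[]=x), which preg_match()
// rejects with a TypeError on PHP 8.
if (is_string($_POST['email'] ?? null) && preg_match($email_pattern, $_POST['email']) === 1) {
    $clean['email'] = $_POST['email'];
}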
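$clean = [];
// Allow-list the colour: only one of the three known values is copied into
// $clean. in_array() with strict: true replaces the loose switch so a
// non-string value (e.g. a posted array) can never match.
if (in_array($_POST['color'] ?? null, ['red', 'green', 'blue'], true)) {
    $clean['color'] = $_POST['color'];
}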
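$clean = [];
// Accept only a canonical decimal integer string. The comparison must be ===:
// with == PHP compares two numeric strings numerically, so "1e3" == "1000" and
// " 1" == "1" hold and those inputs would pass as integers.
if (is_string($_POST['num'] ?? null) && $_POST['num'] === strval(intval($_POST['num']))) {
    $clean['num'] = $_POST['num'];
}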
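$clean = [];
// Accept only a string that round-trips through floatval() unchanged. === is
// required for the same reason as the integer check: == compares numeric
// strings by value, so "1e3" == "1000" would pass. Note the round trip is
// strict about form: "1.50" normalises to "1.5" and is therefore rejected.
if (is_string($_POST['num'] ?? null) && $_POST['num'] === strval(floatval($_POST['num']))) {
    $clean['num'] = $_POST['num'];
}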
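// Site-wide anti-injection helper: require_once this file from a shared
// include so the superglobals are escaped before any other code reads them.
//
// NOTE(review): backslash-escaping and keyword filtering are a legacy layer
// only. Queries should bind values with prepared statements (PDO/mysqli);
// the helpers below are neither complete nor free of false positives.

// Check magic_quotes_gpc. The feature was removed in PHP 5.4 and the function
// in PHP 8.0, so it must not be assumed to exist. When magic quotes are active
// the request data is already backslash-escaped, so escaping is only applied
// when they are NOT active; escaping twice would double every backslash.
if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) {
    $_GET = sec($_GET);
    $_POST = sec($_POST);
    $_COOKIE = sec($_COOKIE);
    $_FILES = sec($_FILES);
}
// $_SERVER was never covered by magic quotes, so it is always escaped.
$_SERVER = sec($_SERVER);

/**
 * Recursively addslashes() every string leaf of $array; int/float leaves are
 * cast with intval().
 *
 * @param mixed $array scalar or (nested) array of request data; the reference
 *                     parameter is kept for compatibility with existing callers
 * @return mixed the escaped copy
 */
function sec(&$array)
{
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = sec($v);
        }
    } elseif (is_string($array)) {
        $array = addslashes($array);
    } elseif (is_numeric($array)) {
        // Only reached for real int/float values (numeric strings were handled
        // above). Floats are truncated here — NOTE(review): confirm intended.
        $array = intval($array);
    }
    return $array;
}

/**
 * Validate an integer id; terminates the request on failure (original contract).
 * Note that `!$id` also rejects "0" and "", i.e. a zero id counts as missing.
 *
 * @param mixed $id
 * @return int
 */
function num_check($id)
{
    if (!$id) {
        die('参数不能为空!');
    } elseif (inject_check($id)) {
        die('非法参数');
    } elseif (!is_numeric($id)) { // was is_numetic(): an undefined function
        die('非法参数');
    }
    return intval($id);
}

/**
 * Reject strings matching the keyword blacklist, then HTML-encode for output.
 * ENT_QUOTES also encodes single quotes (needed inside HTML attributes);
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 *
 * @param string $str
 * @return string
 */
function str_check($str)
{
    if (inject_check($str)) {
        die('非法参数');
    }
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Prepare a search term: escape the SQL LIKE wildcards `%` and `_` so the term
 * cannot widen the pattern, then HTML-encode for display.
 *
 * @param string $str
 * @return string
 */
function search_check($str)
{
    $str = addcslashes($str, '%_');
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Length-check a posted value and return it with the escaping slashes removed.
 * strlen() counts bytes, which is what the messages state (字节). The messages
 * use double quotes so $min/$max are actually interpolated.
 *
 * @param string $str
 * @param int|null $min minimum byte length, null to skip
 * @param int|null $max maximum byte length, null to skip
 * @return string
 */
function post_check($str, $min, $max)
{
    if ($min !== null && strlen($str) < $min) {
        die("最少{$min}字节");
    } elseif ($max !== null && strlen($str) > $max) {
        die("最多{$max}字节");
    }
    return stripslashes_array($str);
}

/**
 * Keyword blacklist (case-insensitive). eregi() was removed in PHP 7, so the
 * pattern is rebuilt for preg_match(); the quote, comment and path tokens are
 * escaped so they match literally, and the misspelt "inert" is now "insert".
 * This is a crude check: it also rejects ordinary words such as "into" and
 * cannot be relied on for injection protection — bind parameters instead.
 *
 * @param mixed $sql_str
 * @return bool
 */
function inject_check($sql_str)
{
    $pattern = '~select|insert|update|delete|\'|/\*|\*|\.\./|\./|union|into|load_file|outfile~i';
    return preg_match($pattern, (string) $sql_str) === 1;
}

/**
 * Recursively stripslashes() every string leaf of $array (inverse of sec()).
 *
 * @param mixed $array
 * @return mixed
 */
function stripslashes_array(&$array)
{
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } elseif (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}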
addslashes
htmlspecialchars
mysql_real_escape_string (the mysql_* extension was removed in PHP 7; use prepared statements, or mysqli_real_escape_string at minimum)
数字的可以用intval(),最好在之前就循环$_POST,挨个的addslashes或者其他函数。
上面都可以,根据需要来。
假定你的数据在数组$demo中,我们来写段代码进行过滤。
// Walk $demo, skip rows whose a, b or c field equals zero, print the remaining
// rows one per line and report how many were printed.
$count = 0;
foreach ($demo as $ditem) {
    // NOTE(review): the original tests 'c' twice; the second test may have
    // been meant for 'd' — confirm before changing. Loose == is kept on
    // purpose so behaviour is unchanged.
    $skip = $ditem['a'] == 0 || $ditem['b'] == 0 || $ditem['c'] == 0;
    if ($skip) {
        continue;
    }
    $fields = [$ditem['id'], $ditem['a'], $ditem['b'], $ditem['c'], $ditem['d'], $ditem['e']];
    echo implode(' ', $fields) . "\n";
    $count++;
}
echo '总行数:' . $count;