php防止xss攻击以及sql注入
1、核心函数
/**
防止sql注入已经xxs攻击
*/
function SafeFilter (&$arr)
{
$ra=array(\’/([\\x00-\\x08,\\x0b-\\x0c,\\x0e-\\x19])/\’,\’/select/\’,\’/from/\’,\’/update/\’,\’/delete/\’,\’/drop/\’,\’/alter/\’,\’/script/\’,\’/javascript/\’,\’/vbscript/\’,\’/expression/\’,\’/applet/\’,\’/meta/\’,\’/xml/\’,\’/blink/\’,\’/link/\’,\’/style/\’,\’/embed/\’,\’/object/\’,\’/frame/\’,\’/layer/\’,\’/title/\’,\’/bgsound/\’
,\’/base/\’,\’/onload/\’,\’/onunload/\’,\’/onchange/\’,\’/onsubmit/\’,\’/onreset/\’,\’/onselect/\’,\’/onblur/\’,\’/onfocus/\’,
\’/onabort/\’,\’/onkeydown/\’,\’/onkeypress/\’,\’/onkeyup/\’,\’/onclick/\’,\’/ondblclick/\’,\’/onmousedown/\’,\’/onmousemove/\’
,\’/onmouseout/\’,\’/onmouseover/\’,\’/onmouseup/\’,\’/onunload/\’);
if (is_array($arr))
{
foreach ($arr as $key => $value)
{
if (!is_array($value))
{
if (!get_magic_quotes_gpc()) //不对magic_quotes_gpc转义过的字符使用addslashes(),避免双重转义。
{
$value = addslashes($value); //给单引号(\’)、双引号(\”)、反斜线(\\)与 NUL(NULL 字符)
}
$value = preg_replace($ra,\’\’,$value); //删除非打印字符,粗暴式过滤xss可疑字符串
$arr[$key] = htmlentities(strip_tags($value)); //去除 HTML 和 PHP 标记并转换为 HTML 实体
}else{
SafeFilter($arr[$key]);
}
}
}else{
if(!get_magic_quotes_gpc()) //不对magic_quotes_gpc转义过的字符使用addslashes(),避免双重转义。
{
$arr = addslashes($arr); //给单引号(\’)、双引号(\”)、反斜线(\\)与 NUL(NULL 字符)
//加上反斜线转义
}
$arr = preg_replace($ra,\’\’,$arr); //删除非打印字符,粗暴式过滤xss可疑字符串
$arr = htmlentities(strip_tags($arr)); //去除 HTML 和 PHP 标记并转换为 HTML 实体
}
}
2、将这部分引入公共文件
//进行sql注入或者xxs攻击防护
if($_POST)
{
SafeFilter($_POST);
}
if($_GET)
{
SafeFilter($_GET);
}
if($_COOKIE)
{
SafeFilter($_COOKIE);
}