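/* Global request dispatch */
// Route on the requested task. Reading the key with `??` avoids an undefined-index
// warning when no task is given; an absent or unknown task renders the index page.
$task = $_GET['task'] ?? '';
switch ($task) {
    case 'print_form':
        include '/inc/presentation/form.inc';
        break;
    case 'process_form':
        // process.inc is expected to set $form_valid. Defaulting it to false first means
        // a processing script that never assigns it cannot reach the success page.
        $form_valid = false;
        include '/inc/logic/process.inc';
        include $form_valid ? '/inc/presentation/end.inc' : '/inc/presentation/form.inc';
        break;
    default:
        include '/inc/presentation/index.inc';
        break;
}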
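/**
 * True when the submitted field names are exactly the expected set — nothing missing,
 * nothing extra. Comparison is order-independent: browsers and proxies may reorder
 * fields, and the defence is about *which* fields arrive, not their sequence.
 *
 * @param list<int|string> $sent    field names actually received (array_keys($_POST))
 * @param list<string>     $allowed field names the form is permitted to carry
 */
function post_has_exact_fields(array $sent, array $allowed): bool
{
    sort($sent);
    sort($allowed);

    return $sent === $allowed;
}

switch ($_POST['form'] ?? '') {
    case 'login':
        // Whitelist of fields the login form may carry; any extra field is rejected.
        $allowed = ['form', 'username', 'password'];
        if (post_has_exact_fields(array_keys($_POST), $allowed)) {
            include '/inc/logic/process.inc';
        }
        break;
}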
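/**
 * Validate a submitted e-mail address and return it unchanged, or null if it does not
 * match. The pattern forbids whitespace, '<', '&' and '>' in the local part, requires at
 * least one dotted label after '@' and an alphabetic top-level label of two or more
 * letters. `\s` and `\.` are the intended escapes — without them the class excludes a
 * literal 's' and the dot matches any character.
 */
function clean_email(string $value): ?string
{
    $pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';

    return preg_match($pattern, $value) === 1 ? $value : null;
}

$clean = [];
// A missing key, or a non-string (e.g. email[]=x), is simply "no valid e-mail".
$rawEmail = $_POST['email'] ?? null;
$email = is_string($rawEmail) ? clean_email($rawEmail) : null;
if ($email !== null) {
    $clean['email'] = $email;
}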
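/**
 * Whitelist filter for the colour field: returns the value only if it is exactly one of
 * the accepted names (strict, case-sensitive), otherwise null.
 */
function clean_color(?string $value): ?string
{
    return in_array($value, ['red', 'green', 'blue'], true) ? $value : null;
}

$clean = [];
// A missing key or a non-string value falls through to "no colour".
$rawColor = $_POST['color'] ?? null;
$color = is_string($rawColor) ? clean_color($rawColor) : null;
if ($color !== null) {
    $clean['color'] = $color;
}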
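/**
 * Accept a submitted value only when it is a canonical decimal integer, returning the
 * original string (callers expect the string, not an int) or null.
 *
 * FILTER_VALIDATE_INT rejects exponent forms ("1e1"), leading zeros ("010") and trailing
 * garbage ("12abc"); a loose `==` between the raw value and strval(intval(...)) compares
 * numeric strings numerically and lets such forms through.
 */
function clean_int_string(?string $value): ?string
{
    if ($value === null || filter_var($value, FILTER_VALIDATE_INT) === false) {
        return null;
    }

    return $value;
}

$clean = [];
$rawNum = $_POST['num'] ?? null;
$num = is_string($rawNum) ? clean_int_string($rawNum) : null;
if ($num !== null) {
    $clean['num'] = $num;
}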
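/**
 * Accept a submitted value only when it parses as a float, returning the original
 * string (callers expect the string, not a float) or null.
 *
 * FILTER_VALIDATE_FLOAT gives a definite yes/no; comparing the raw value with
 * strval(floatval(...)) via loose `==` is a numeric comparison of two strings and so
 * reports true for any numeric-looking input, including forms floatval() mangled.
 */
function clean_float_string(?string $value): ?string
{
    if ($value === null || filter_var($value, FILTER_VALIDATE_FLOAT) === false) {
        return null;
    }

    return $value;
}

$clean = [];
$rawNum = $_POST['num'] ?? null;
$num = is_string($rawNum) ? clean_float_string($rawNum) : null;
if ($num !== null) {
    $clean['num'] = $num;
}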
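// Site-wide anti-injection pre-filter; require_once this file from the shared bootstrap.
//
// NOTE(review): this is a keyword blacklist plus addslashes(). It is defence in depth at
// best — SQL injection is prevented by prepared statements with bound parameters
// (PDO/mysqli), not by filtering. Keep that as the primary control when touching queries.

// magic_quotes_gpc (removed in PHP 5.4) already added slashes to the GPC arrays; on such
// an engine skip this pass so values are not escaped twice. On every later version the
// setting cannot be on, so the filter always runs. The version guard keeps the removed
// function from being called at all on modern PHP.
$alreadyQuoted = PHP_VERSION_ID < 50400 && get_magic_quotes_gpc();
if (!$alreadyQuoted) {
    $_GET = sec($_GET);
    $_POST = sec($_POST);
    $_COOKIE = sec($_COOKIE);
    $_FILES = sec($_FILES);
}
// Headers (User-Agent, Referer, ...) are attacker-controlled too, so they get the same pass.
$_SERVER = sec($_SERVER);

/**
 * Recursively apply addslashes() to every string in $array.
 * Non-string scalars (ints, floats, bools, null) are returned unchanged — forcing them
 * through intval() would truncate floats such as $_SERVER['REQUEST_TIME_FLOAT'].
 *
 * @param mixed $array string, nested array, or other scalar (by reference, escaped in place)
 * @return mixed the same shape with every string escaped
 */
function sec(&$array)
{
    if (is_array($array)) {
        foreach ($array as $key => $value) {
            $array[$key] = sec($value);
        }
    } elseif (is_string($array)) {
        $array = addslashes($array);
    }

    return $array;
}

/**
 * Integer parameter filter: dies on empty, blacklisted or non-numeric input, otherwise
 * returns the value cast to int. Note that the emptiness test also rejects 0 and "0".
 *
 * @param mixed $id raw request value
 */
function num_check($id): int
{
    if (!$id) {
        die('參數不能為空!');
    } elseif (inject_check((string) $id)) {
        die('非法參數');
    } elseif (!is_numeric($id)) {
        die('非法參數');
    }

    return intval($id);
}

/**
 * String parameter filter: dies on blacklisted input, otherwise returns the value with
 * HTML special characters encoded. ENT_QUOTES also encodes single quotes so the result
 * is safe inside single-quoted HTML attributes, and ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string.
 */
function str_check(string $str): string
{
    if (inject_check($str)) {
        die('非法參數');
    }

    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Search-term filter: escapes the LIKE wildcards '_' and '%' so a term cannot match
 * every row, then HTML-encodes the result.
 * NOTE(review): inputs normally arrive here already addslashes()'d by sec(), so the
 * backslash itself is deliberately not escaped again; confirm against the query that
 * consumes this value.
 */
function search_check(string $str): string
{
    $str = str_replace('_', '\\_', $str);
    $str = str_replace('%', '\\%', $str);

    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Form field length filter. Dies when the value is shorter than $min or longer than
 * $max bytes (lengths are byte-wise, matching the "字節" wording of the messages);
 * otherwise returns the value with slashes stripped. A null bound disables that check.
 *
 * @param mixed $str string or nested array of strings
 * @return mixed
 */
function post_check($str, ?int $min = null, ?int $max = null)
{
    if ($min !== null && strlen($str) < $min) {
        die("最少{$min}字節");
    } elseif ($max !== null && strlen($str) > $max) {
        die("最多{$max}字節");
    }

    return stripslashes_array($str);
}

/**
 * Blacklist check: true when the value contains an SQL keyword, a quote, a comment
 * opener, or a path-traversal fragment (case-insensitive). See the note at the top of
 * the file on why this is not a substitute for parameterised queries.
 */
function inject_check(string $sql_str): bool
{
    $blacklist = '/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i';

    return preg_match($blacklist, $sql_str) === 1;
}

/**
 * Recursively apply stripslashes() to every string in $array; other values pass through.
 *
 * @param mixed $array string, nested array, or other scalar (by reference, modified in place)
 * @return mixed the same shape with slashes stripped from every string
 */
function stripslashes_array(&$array)
{
    if (is_array($array)) {
        foreach ($array as $key => $value) {
            $array[$key] = stripslashes_array($value);
        }
    } elseif (is_string($array)) {
        $array = stripslashes($array);
    }

    return $array;
}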
addslashes
htmlspecialchars
mysql_real_escape_string
數字的可以用intval(),最好在之前就循環$_POST,挨個的addslashes或者其他函數。
上面都可以,根據需要來。
假定你的數據保存在 $demo 中,我們來寫段代碼進行過濾。
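/**
 * Print every row whose a, b and c columns are all non-zero — one row per line, fields
 * separated by spaces and terminated by "<br>" — and return how many rows were printed.
 *
 * NOTE(review): the filter tested column c twice; the duplicate is dropped here. If a
 * fourth column (d or e) was meant to be part of the filter, add it to $required.
 * The comparison is the loose `== 0` the snippet uses: on PHP 7 a non-numeric string
 * also compares equal to 0, on PHP 8 it does not.
 * Values are echoed unescaped — wrap them in htmlspecialchars() if $demo can hold
 * user-supplied data.
 *
 * @param iterable<array<string, mixed>> $rows rows with keys id, a, b, c, d, e
 */
function print_nonzero_rows(iterable $rows): int
{
    $required = ['a', 'b', 'c'];
    $count = 0;
    foreach ($rows as $row) {
        foreach ($required as $col) {
            if ($row[$col] == 0) {
                continue 2; // skip the row as soon as one required column is zero
            }
        }
        echo $row['id'] . ' ' . $row['a'] . ' ' . $row['b'] . ' ' . $row['c'] . ' ' . $row['d'] . ' ' . $row['e'] . "<br>";
        $count++;
    }

    return $count;
}

// An unset $demo prints a zero total instead of a foreach warning.
$count = print_nonzero_rows($demo ?? []);
echo '總行數:' . $count;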