设置安全函数,为了方便过滤客户端传输过来的信息,使得系统更加安全。
为了自己的代码写得更加优美,我们要学会学习优秀的开源系统的代码。
以下代码摘自destoon
<?php
/*
[Destoon B2B System] Copyright (c) 2008-2014 Destoon.COM
This is NOT a freeware, use is subject to license.txt
*/
// Direct-access guard: only pages that defined IN_DESTOON may include this file.
if(!defined('IN_DESTOON')) exit('Access Denied');
function dhtmlspecialchars($string) {
    // HTML-escape a scalar, or every leaf of an array (recursively).
    if(is_array($string)) {
        return array_map('dhtmlspecialchars', $string);
    }
    // ENT_QUOTES converts both ' and " in addition to < > &.
    $escaped = htmlspecialchars($string, ENT_QUOTES);
    // NOTE(review): as shown on this page each search string is either identical
    // to its replacement or a character htmlspecialchars() has already converted,
    // so this str_replace appears to change nothing. The lists look entity-decoded
    // by the page rendering — confirm against the upstream file before relying on
    // this function to undo any double-encoding.
    if(defined('DT_ADMIN')) {
        $search = array('&');
        $replace = array('&');
    } else {
        $search = array('&', '"', '"', '"');
        $replace = array('&', '', '', '');
    }
    return str_replace($search, $replace, $escaped);
}
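function dsafe($string) {
    // Defang known markup/script tokens in user-supplied text, or in every leaf of an array.
    // NOTE(review): this is a denylist — it rewrites specific tokens by inserting an empty
    // <em></em> so they no longer parse as keywords; it does not make the text safe for any
    // output context by itself, so still escape for HTML at the point of output.
    if(is_array($string)) {
        return array_map('dsafe', $string);
    }
    // Strip HTML comments <!-- ... --> and C-style /* ... */ comments.
    $string = preg_replace("/\<\!\-\-([\s\S]*?)\-\-\>/", "", $string);
    $string = preg_replace("/\/\*([\s\S]*?)\*\//", "", $string);
    // Drop numeric character references (&#NN; / &#xNN;), with or without the trailing ';'.
    $string = preg_replace("/&#([a-z0-9]+)([;]*)/i", "", $string);
    // If removing one reference exposed another (nested references), give up on token
    // rewriting: strip all tags and keep line breaks as <br />.
    if(preg_match("/&#([a-z0-9]+)([;]*)/i", $string)) return nl2br(strip_tags($string));
    $match = array("/s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t/i","/d[\s]*a[\s]*t[\s]*a[\s]*\:/i","/b[\s]*a[\s]*s[\s]*e/i","/e[\\\]*x[\\\]*p[\\\]*r[\\\]*e[\\\]*s[\\\]*s[\\\]*i[\\\]*o[\\\]*n/i","/i[\\\]*m[\\\]*p[\\\]*o[\\\]*r[\\\]*t/i","/on([a-z]{2,})([\(|\=|\s]+)/i","/about/i","/frame/i","/link/i","/meta/i","/textarea/i","/eval/i","/alert/i","/confirm/i","/prompt/i","/cookie/i","/document/i","/newline/i","/colon/i","/<style/i","/\\\x/i");
    // One replacement per pattern, in the same order. Fixed here: the 'confirm' entry used to
    // be "/con<em></em>firm/i" — the regex delimiters and modifier had leaked into the
    // replacement text, so "confirm" in user input came out as "/con<em></em>firm/i".
    $replace = array("s<em></em>cript","da<em></em>ta:","ba<em></em>se","ex<em></em>pression","im<em></em>port","o<em></em>n\\1\\2","a<em></em>bout","f<em></em>rame","l<em></em>ink","me<em></em>ta","text<em></em>area","e<em></em>val","a<em></em>lert","con<em></em>firm","prom<em></em>pt","coo<em></em>kie","docu<em></em>ment","new<em></em>line","co<em></em>lon","<sty1e","\<em></em>x");
    return preg_replace($match, $replace, $string);
}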
function strip_sql($string) {
    // Rewrite SQL keywords and function calls found in user text; arrays are
    // processed leaf by leaf.
    if(is_array($string)) {
        return array_map('strip_sql', $string);
    }
    // NOTE(review): as shown on this page every replacement reproduces its own
    // match ('union' -> 'union', 'select\1from' -> 'select\1from', ...), so the
    // function is currently an identity transform. The sibling dsafe() splits its
    // tokens with <em></em>; the markup here may have been lost in rendering —
    // verify against the upstream file.
    static $match = array("/union/i","/where/i","/outfile/i","/dumpfile/i","/0x([a-z0-9]{2,})/i","/select([\s\S]*?)from/i","/select([\s\*\/\-\(\+@])/i","/update([\s\*\/\-\(\+@])/i","/replace([\s\*\/\-\(\+@])/i","/delete([\s\*\/\-\(\+@])/i","/drop([\s\*\/\-\(\+@])/i","/load_file[\s]*\(/i","/substring[\s]*\(/i","/substr[\s]*\(/i","/left[\s]*\(/i","/concat[\s]*\(/i","/concat_ws[\s]*\(/i","/make_set[\s]*\(/i","/ascii[\s]*\(/i","/hex[\s]*\(/i","/ord[\s]*\(/i","/char[\s]*\(/i");
    static $replace = array('union','where','outfile','dumpfile','0x\\1','select\\1from','select\\1','update\\1','replace\\1','delete\\1','drop\\1','load_file(','substring(','substr(','left(','concat(','concat_ws(','make_set(','ascii(','hex(','ord(','char(');
    return preg_replace($match, $replace, $string);
}
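function strip_uri($uri) {
    // Fully percent-decode the request URI (repeated decoding so double-encoding does not
    // hide characters), then abort the request with a 403 if it still contains < ' " or
    // the hex prefix 0x. Returns the decoded URI; the original discarded it, so callers
    // that ignore the return value are unaffected.
    if(strpos($uri, '%') !== false) {
        // Decode until a fixed point. !== rather than != so two numeric-looking strings
        // are never compared as numbers.
        while(($decoded = urldecode($uri)) !== $uri) {
            $uri = $decoded;
        }
    }
    if(strpos($uri, '<') !== false || strpos($uri, "'") !== false || strpos($uri, '"') !== false || strpos($uri, '0x') !== false) {
        dhttp(403, 0);
        dalert('HTTP 403 Forbidden', DT_PATH);
    }
    return $uri;
}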
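function strip_kw($kw) {
    // Normalise a search keyword: URL-decode, trim, drop single quotes, then HTML-escape.
    // A '%' that survives decoding (double-encoded input) rejects the keyword entirely.
    $kw = trim(urldecode($kw));
    if($kw !== '') {
        if(strpos($kw, '%') !== false) return '';
        // Quotes are removed before escaping: on PHP >= 8.1 htmlspecialchars() already
        // turns ' into &#039; by default, which made the original post-escape
        // str_replace a no-op and left the result dependent on the PHP version.
        $kw = str_replace("'", '', $kw);
    }
    return htmlspecialchars($kw);
}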
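function strip_key($array, $deep = 0) {
    // Walk a request array and abort with a 403 when a nested key is not made purely of
    // [A-Za-z0-9_-]. Keys of the top-level array are not checked (the initial call passes
    // $deep = 0); every nested level is, because the recursion passes $deep = 1.
    // Non-array input is ignored instead of triggering a foreach warning.
    if(!is_array($array)) return;
    foreach($array as $k=>$v) {
        // D modifier: '$' must match at the very end, so a key with a trailing newline
        // is rejected as well.
        if($deep && !preg_match("/^[a-z0-9_\-]{1,}$/iD", $k)) {
            dhttp(403, 0);
            dalert('HTTP 403 Forbidden', DT_PATH);
        }
        if(is_array($v)) strip_key($v, 1);
    }
}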
function strip_str($string, $level = 0) {
    // Remove backslashes, double quotes and single quotes from $string (an array
    // subject is handled element-wise by str_replace). $level is accepted for
    // call-site compatibility but not used.
    $forbidden = array('\\', '"', "'");
    return str_replace($forbidden, '', $string);
}
?>