一,比如留言表单输入
,姓名字段只允许提交汉字,其它字符会被删除,并且字数限制为10个字。这种白名单过滤能缩小攻击面,但它本身不是防 SQL 注入的手段:写入数据库时仍须使用参数化查询(预处理语句/框架的数组条件),输出到页面时仍须做 HTML 转义。
以,编码为utf-8的
\x{4e00}-\x{9fff} 是 Unicode 中"中日韩统一表意文字"(CJK Unified Ideographs)的码位区间 U+4E00–U+9FFF;正则末尾的 u 修饰符让 PCRE 按 UTF-8 解释输入,\x{…} 才按码位匹配。
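// Company/contact name: keep only CJK Unified Ideographs (U+4E00-U+9FFF),
// everything else is dropped. The `u` modifier makes PCRE read the subject as
// UTF-8; on an invalid UTF-8 subject preg_match_all() returns false and leaves
// $matches empty, so fall back to an empty list instead of indexing $matches[0].
preg_match_all('/[\x{4e00}-\x{9fff}]+/u', $_POST['gsname'], $matches);
$_POST['gsname'] = join('', isset($matches[0]) ? $matches[0] : array());
// Count characters, not bytes. Every kept ideograph is 3 bytes in UTF-8, so
// the original strlen() > 30 test expressed the same 10-character limit.
if (mb_strlen($_POST['gsname'], 'UTF-8') > 10) {
    $this->error('单位名不得超过10个汉字!');
}

// Phone number: digits and hyphens only (whitelist), then a length cap. The
// remaining characters are all ASCII, so strlen() counts characters here.
$_POST['mobile'] = preg_replace('/[^0-9\-]/', '', $_POST['mobile']);
if (strlen($_POST['mobile']) > 15) {
    $this->error('电话不超过15个字符!');
}

// E-mail: restrict the alphabet to letters, digits, '-', '_', '@' and '.'.
// NOTE(review): this only limits the character set; it does not check that
// the address is well-formed (filter_var(..., FILTER_VALIDATE_EMAIL) would),
// and 22 bytes is shorter than many real addresses. Both kept as originally written.
$_POST['email'] = preg_replace('/[^0-9a-zA-Z\-_@\.]/', '', $_POST['email']);
if (strlen($_POST['email']) > 22) {
    $this->error('邮箱不超过22个字符!');
}

// Free-text remark: the original swaps a handful of ASCII metacharacters for
// full-width look-alikes. This is NOT an injection defence -- the value must
// still reach the database through a parameterised/bound query and go through
// htmlspecialchars() when rendered. The mapping is kept only so the stored
// form stays the same. NOTE(review): on the page several replacement characters
// appear to have been normalised back to ASCII (e.g. '%' => '%'), which made
// those calls no-ops and left the '\\' line with an unterminated string; the
// standard full-width forms were restored for those entries -- confirm against
// the original post. A single strtr() pass is equivalent to the original chain
// of str_replace() calls because no replacement contains another key.
$fullwidth = array(
    '%'  => '％',
    '/'  => '／',
    '\\' => '＼',
    '.'  => '。',
    '>'  => '﹥',
    '<'  => '﹤',
    '('  => '（',
    ')'  => '）',
    '&'  => '＆',
    '*'  => '＊',
    '='  => '＝',
    '\'' => '”',
    '"'  => '”',
    '--' => '—',
    '+'  => '＋',
);
$_POST['beizhu'] = strtr($_POST['beizhu'], $fullwidth);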
二,会员登录合法性判断.会员用邮箱或手机号登录
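// Member login: the account may be a user name, an e-mail address or a mobile
// number, all submitted in the single field `name`.
$name = trim(I('name'));
// Characters rejected outright in the login name. Single-quoted so the embedded
// `"` does not terminate the PHP string (it did in the original double-quoted
// form); `\'` is the escaped single quote.
$pattern = '/(&|"|<|>|\=|\'|\)|\(|\%)+/';
if (preg_match($pattern, $name)) {
    echo '<script>alert("输入了非法字符!");self.location="?a=dl"; </script>';
    exit;
}
// The original placed the lookup inside the rejection branch, after exit, so it
// could never run; it belongs here, after the check has passed.
// Use the array form of where() so the framework quotes every value itself
// instead of interpolating $name and the unfiltered $pwd into a SQL string.
// (name=? AND pwd=?) OR (email=? AND pwd=?) OR (s_tel=? AND pwd=?) is the same
// condition as pwd=? AND (name=? OR email=? OR s_tel=?), which the '_complex'
// / '_logic' keys express -- confirm the key names against your ThinkPHP version.
// NOTE(review): $pwd is read before this snippet, and comparing the password
// inside the query implies it is stored in clear text; store a password_hash()
// and check the submitted value with password_verify() instead.
$flag = M('myuser')->where(array(
    'pwd'      => $pwd,
    '_complex' => array(
        'name'   => $name,
        'email'  => $name,
        's_tel'  => $name,
        '_logic' => 'or',
    ),
))->find();
if ($flag) {
    // login succeeded
}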
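// If the login name must be a mobile number, require exactly 11 ASCII digits.
// `^\d{11}\z` replaces the original `^\d*$` plus strlen()==11 pair: `$` in
// PCRE also matches before a trailing "\n", so ten digits followed by a newline
// passed the old check; `\z` anchors at the true end of the string. The
// is_string() guard rejects a `name[]` array submission before preg_match().
$name = I('name');
if (!is_string($name) || !preg_match('/^\d{11}\z/', $name)) {
    echo '<script>alert("请填11位手机号");self.location="?a=dl"; </script>';
    exit;
}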