<?php
/*************************
说明:
判断传递的变量中是否含有非法字符
如$_POST、$_GET
功能: 防注入
*************************/
//要过滤的非法字符
$ArrFiltrate=array("'","%","#","<",">","or","and","union","where","select","update","chr","delete","%20from",";","insert","mid","master","set","chr(37)","iframe","script","javascript","vbscript","exec");
//出错后要跳转的url,不填则默认前一页
$StrGoUrl="Err.php";
//是否存在数组中的值
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
echo "<script language='javascript'>console.log('正在判断表单 ".$StrFiltrate." 的值中是否存在".$value."子串')</script>";
if (substr_count($StrFiltrate,$value)>=1){
return true;
}
}
return false;
}
//合并$_POST 和 $_GET
$ArrPostAndGet=array();
foreach($_POST as $key=>$value){
$ArrPostAndGet[$key]=$value;
}
foreach($_GET as $key=>$value){
$ArrPostAndGet[$key]=$value;
}
//验证开始
foreach($ArrPostAndGet as $key=>$value){
echo "<script language='javascript'>console.log('正在检验表单 ".$key." 的值')</script>";
if (FunStringExist($value,$ArrFiltrate)){
echo "<script language='javascript'>alert('出错了!表单 ".$key." 的值中包含非法字符串!\\n\\n请不要在表单中出现: % & * # ( ) 等非法字符!');</script>";
if (empty($StrGoUrl)){
echo "<script language='javascript'>history.go(-1);</script>";
}else{
echo "<script language='javascript'>window.location='".$StrGoUrl."';</script>";
}
exit;
}
}
/***************结束防止PHP注入*****************/
?>
PHP&MySQL——防止SQL注入-代码片段
最新推荐文章于 2021-03-25 01:01:55 发布