PHP通用防注入安全代码《转》
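<?php
/*************************
 Purpose:
   Check whether request variables ($_POST, $_GET) contain
   blacklisted character sequences.
 Function:
   Injection filtering (supplementary check only).

 Notes:
   - This header lives inside the PHP tag so that it is not sent to the
     browser as page output when the file is included.
   - Only the *values* of $_POST and $_GET are inspected. Parameter names,
     cookies, headers and uploaded file names are not.
   - A keyword blacklist does not replace parameterized queries
     (prepared statements); keep it as an extra layer at most.
**************************/

// Sequences to reject, matched as case-insensitive literal substrings.
// NOTE(review): the published listing shows the first entry as "\'\'", which
// as an eregi() pattern matches two consecutive single quotes; that reading is
// kept here. It may be an escaping artifact of the page for a single quote -
// confirm against the intended list.
$ArrFiltrate = array("''", ";", "union");

// URL to redirect to after a rejection; leave empty to go back one page.
$StrGoUrl = "";

/**
 * Report whether a request value contains any blacklisted sequence.
 *
 * @param mixed $StrFiltrate Value to inspect. Arrays (e.g. from "a[]=x"
 *                           parameters) are walked recursively.
 * @param array $ArrFiltrate Blacklisted sequences; empty entries are skipped.
 * @return bool True when at least one sequence occurs in the value.
 */
function FunStringExist($StrFiltrate, $ArrFiltrate)
{
    // PHP turns "name[]=..." parameters into arrays; inspect every leaf.
    if (is_array($StrFiltrate)) {
        foreach ($StrFiltrate as $item) {
            if (FunStringExist($item, $ArrFiltrate)) {
                return true;
            }
        }
        return false;
    }

    $haystack = (string) $StrFiltrate;
    foreach ($ArrFiltrate as $value) {
        $needle = (string) $value;
        if ($needle === '') {
            continue;
        }
        // eregi() was removed in PHP 7; stripos() gives the same
        // case-insensitive match for these literal entries.
        if (stripos($haystack, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Inspect POST and GET separately. array_merge() lets a GET parameter replace
// a POST parameter of the same name, so the POST value would never be checked.
// $HTTP_POST_VARS / $HTTP_GET_VARS were removed in PHP 5.4; use the superglobals.
$ArrPostAndGet = array($_POST, $_GET);

// Validation starts here.
foreach ($ArrPostAndGet as $value) {
    if (FunStringExist($value, $ArrFiltrate)) {
        echo '<script language="javascript">alert("Neeao提示,非法字符");</script>';
        if (empty($StrGoUrl)) {
            echo '<script language="javascript">history.go(-1);</script>';
        } else {
            // Encode the URL as a JavaScript string literal so that quotes or
            // "</script>" in the configured value cannot break out of it.
            echo '<script language="javascript">window.location='
                . json_encode($StrGoUrl, JSON_HEX_TAG | JSON_HEX_AMP)
                . ';</script>';
        }
        exit;
    }
}
// The closing PHP tag is omitted on purpose: whitespace after it in an
// included file would be sent to the browser as output.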
保存为checkpostandget.php
然后在每个 PHP 文件开头加上 include("checkpostandget.php"); 即可。注意:该脚本只检查 $_POST 和 $_GET 的值,属于黑名单过滤,不能代替参数化查询(预处理语句)。