在用最简单的form表单提交的时候,如果在提交的内容的中输入<script>alert(aaa)</script>等,字符会在被查询出来的时候,弹出一个小对话框。对于这种字符的过滤,可以自定义一个函数来对提交过来的值,进行处理:
//处理提交的数据
function htmldecode($str) {
if (empty ( $str ) || "" == $str) {
return "";
}
$str = strip_tags ( $str );
$str = htmlspecialchars ( $str );
$str = nl2br ( $str );
$str = str_replace ( "?", "", $str );
$str = str_replace ( "*", "", $str );
$str = str_replace ( "!", "", $str );
$str = str_replace ( "~", "", $str );
$str = str_replace ( "$", "", $str );
$str = str_replace ( "%", "", $str );
$str = str_replace ( "^", "", $str );
$str = str_replace ( "^", "", $str );
$str = str_replace ( "select", "", $str );
$str = str_replace ( "join", "", $str );
$str = str_replace ( "union", "", $str );
$str = str_replace ( "where", "", $str );
$str = str_replace ( "insert", "", $str );
$str = str_replace ( "delete", "", $str );
$str = str_replace ( "update", "", $str );
$str = str_replace ( "like", "", $str );
$str = str_replace ( "drop", "", $str );
$str = str_replace ( "create", "", $str );
$str = str_replace ( "modify", "", $str );
$str = str_replace ( "rename", "", $str );
$str = str_replace ( "alter", "", $str );
$str = str_replace ( "cast", "", $str );
$farr = array ("//s+/", //过滤多余的空白
"/<(//?)(img|script|i?frame|style|html|body|title|link|meta|/?|/%)([^>]*?)>/isU", //过滤 <script 防止引入恶意内容或恶意代码,如果不需要插入flash等,还可以加入<object的过滤
"/(<[^>]*)on[a-zA-Z]+/s*=([^>]*>)/isU" )//过滤javascript的on事件
;
$tarr = array (" ", "", //如果要直接清除不安全的标签,这里可以留空
"" );
return $str;
}
转载请注明:码农生活-田伟博客 » <a href="https://coderlife singulair for allergies.cn/684.html”>php过滤form表单提交的危险字符(田伟博客)
第 手游基地页
24 9月 2013http://www.shouyou888.com