<?php // Plug-ins 64a & 64b: Sanitize String & MySQL Sanitize String
/*
* 插件说明:
* 阻止任何可能攻击服务器的意图,或者防止插入一些不需要的MySql命令、HTML语句或者Javascript脚本。
* 插件的两个函数接受一个字符串,对它进行"消毒"处理后,就可以用在自己的网站上或MySql数据库里。
* 他们都需要一个参数:
* $string 一个需要"消毒"处理的字符串。
*/
// This is an executable example with additional code supplied
// To obtain just the plug-ins please click on the Download link
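// Demo input: a bare ampersand, single quotes, an HTML tag and an inline
// script, so both plug-ins have something visible to transform.
$string = "& This is an 'example' string to be <b>sanitized</b><script>alert('warning');</script>";
echo "PIPHP_SanitizeString()<xmp>";
echo "Before: " . $string . "\n";
echo "After: " . PIPHP_SanitizeString($string);
echo "</xmp>";
// Connection settings. The literals are only demo defaults; set the
// PIPHP_DB* environment variables to override them so real credentials
// never have to be committed with this file. ($dbname is kept for
// completeness; the escaping demo below needs a connection but not a
// selected database.)
$dbhost = getenv('PIPHP_DBHOST');
$dbname = getenv('PIPHP_DBNAME');
$dbuser = getenv('PIPHP_DBUSER');
$dbpass = getenv('PIPHP_DBPASS');
if ($dbhost === false) $dbhost = 'localhost'; // Normally no need to change this
if ($dbname === false) $dbname = 'piphp';     // Change to your database name
if ($dbuser === false) $dbuser = 'root';      // Change to your database user name
if ($dbpass === false) $dbpass = 'xiaonan';   // Change to your database password
// The mysql_* extension was removed in PHP 7.0, so this demo as written
// runs on PHP 5.x only. PIPHP_MySQLSanitizeString() escapes using the
// character set of the most recently opened mysql link, so the connection
// must exist before it is called.
$link = mysql_connect($dbhost, $dbuser, $dbpass);
if ($link === false) {
    // Keep the driver's message out of the page: it can reveal host,
    // user and server details. Log it server-side instead.
    error_log(mysql_error());
    die('Database connection failed');
}
echo "PIPHP_MySQLSanitizeString()<xmp>";
echo "Before: " . $string . "\n";
echo "After: " . PIPHP_MySQLSanitizeString($string);
echo "</xmp>";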
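function PIPHP_SanitizeString($string)
{
    // Plug-in 64a: Sanitize String
    //
    // Removes HTML/PHP tags from $string and HTML-encodes what is left,
    // so the result can be echoed into HTML body text or a quoted
    // attribute without the browser treating it as markup. It expects
    // this argument:
    //
    // $string: The string to sanitize
    //
    // Notes for callers:
    // - strip_tags() removes only the tag markup. The text inside a
    //   <script> block survives as plain text (see the example at the
    //   top of the file); it is the encoding step that neutralises it.
    // - Quote handling and charset are pinned explicitly. Before PHP 8.1
    //   the htmlentities() default left single quotes unencoded (and
    //   before 5.4 assumed ISO-8859-1), so the output varied by PHP
    //   version and a value placed in a single-quoted attribute could
    //   still break out of it.
    // - This is output encoding for the HTML context only. It does not
    //   make a value safe for a URL, JavaScript or SQL context, and it
    //   is lossy (tags are discarded), so apply it when displaying data
    //   rather than when storing it.
    $string = strip_tags($string);
    return htmlentities($string, ENT_QUOTES, 'UTF-8');
}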
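function PIPHP_MySQLSanitizeString($string, $link = null)
{
    // Plug-in 64b: MySQL Sanitize String
    //
    // Strips tags and HTML-encodes $string (via plug-in 64a), then
    // escapes it for use inside a quoted SQL string literal. Escaping
    // protects only that one position: it does not make a value safe as
    // an identifier, in a numeric comparison or in a LIMIT clause, and it
    // is not a substitute for prepared statements (PDO or mysqli), which
    // should be preferred for new code. It expects these arguments:
    //
    // $string: The string to sanitize
    // $link:   Optional connection. A mysqli object selects
    //          mysqli_real_escape_string(); a legacy mysql link resource,
    //          or null (the most recently opened mysql link), selects
    //          mysql_real_escape_string(). Either way the escaping uses
    //          the connection's character set, so a connection must
    //          already be open or an error will occur.
    //
    // Returns the escaped string. Throws RuntimeException when no mysqli
    // link was given and the mysql extension is unavailable (it was
    // removed in PHP 7.0) rather than failing with an undefined-function
    // fatal error.

    // get_magic_quotes_gpc() was removed in PHP 8.0; only undo magic
    // quotes where the function still exists and reports them enabled.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    $string = PIPHP_SanitizeString($string);

    if ($link instanceof mysqli) {
        return mysqli_real_escape_string($link, $string);
    }
    if (!function_exists('mysql_real_escape_string')) {
        throw new RuntimeException(
            'PIPHP_MySQLSanitizeString: the mysql extension is not available; pass a mysqli connection as the second argument'
        );
    }
    if ($link !== null) {
        return mysql_real_escape_string($string, $link);
    }
    return mysql_real_escape_string($string);
}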
?>