PHP sanitize data

I am new to programming and PHP, so I would like to know the best way to sanitize form data to avoid malformed pages, code injection and so on. Is the sample script I found, shown below, any good?
The code was originally posted at http://codeassembly.com/How-to-sanitize-your-php-input/
/**
 * Sanitize only one variable.
 * Returns the variable sanitized according to the desired type, or true/false
 * for certain data types if the variable does not correspond to the given data type.
 *
 * NOTE: True/False is returned only for the telephone, pin and id_card data types.
 * An unknown $type returns $var unchanged.
 *
 * @param mixed  $var  The variable itself
 * @param string $type A string containing the desired variable type
 * @return mixed The sanitized variable or true/false
 */
function sanitizeOne($var, $type)
{
    switch ($type) {
        case 'int': // integer (non-numeric input becomes 0)
            $var = (int) $var;
            break;
        case 'str': // trim string
            $var = trim($var);
            break;
        case 'nohtml': // trim string, HTML special characters and quotes encoded
            $var = htmlentities(trim($var), ENT_QUOTES);
            break;
        case 'plain': // trim string, HTML special characters encoded, quotes left as-is
            $var = htmlentities(trim($var), ENT_NOQUOTES);
            break;
        case 'upper_word': // trim string, upper case words
            $var = ucwords(strtolower(trim($var)));
            break;
        case 'ucfirst': // trim string, upper case first word
            $var = ucfirst(strtolower(trim($var)));
            break;
        case 'lower': // trim string, lower case words
            $var = strtolower(trim($var));
            break;
        case 'urle': // trim string, url encoded
            $var = urlencode(trim($var));
            break;
        case 'trim_urle': // trim string, url decoded
            $var = urldecode(trim($var));
            break;
        case 'telephone': // True/False for a telephone number: only digits, '+', '*' and 'p'
            $var  = (string) $var; // byte-wise loop below needs a string, not an int
            $size = strlen($var);  // note: an empty string passes this check
            for ($x = 0; $x < $size; $x++) {
                if (!(ctype_digit($var[$x]) || $var[$x] == '+' || $var[$x] == '*' || $var[$x] == 'p')) {
                    return false;
                }
            }
            return true;
        case 'pin': // True/False for a PIN: exactly 13 digits
            if (strlen($var) != 13 || ctype_digit($var) != true) {
                return false;
            }
            return true;
        case 'id_card': // True/False for an ID CARD: 2 letters followed by 6 digits
            if (ctype_alpha(substr($var, 0, 2)) != true || ctype_digit(substr($var, 2, 6)) != true || strlen($var) != 8) {
                return false;
            }
            return true;
        case 'sql': // Escaped string for use inside a quoted MySQL literal (not True/False)
            // insert code here, I usually use ADODB -> qstr() but depending on your needs you can use mysql_real_escape();
            // mysql_real_escape_string() needs an open mysql_* connection, and the whole
            // mysql extension was removed in PHP 7 (use mysqli or PDO instead).
            return mysql_real_escape_string($var);
    }
    return $var;
}
It looks very useful. Although 'htmlentities' should be replaced with 'htmlspecialchars', and the charset parameter declared. – mario 2011-05-02 23:26:40
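The script above folds three different jobs into one function: checking that input has the expected shape, encoding values for the place they are written to (HTML, a URL), and protecting SQL. The following is an added example, not code from the question or from codeassembly.com, that keeps those jobs separate and applies mario's point about htmlspecialchars with an explicit charset. It assumes PHP 7 or later with the PDO SQLite driver available; the form field names, the `users` table and its columns are made up for the demonstration.

```php
<?php
// Added example (not from the original post or codeassembly.com). Separates the
// three jobs that sanitizeOne() mixes together:
//   1. validate input   (reject anything that does not match the expected shape)
//   2. escape on output (HTML, URL) for the context the value is written into
//   3. parameterise SQL (prepared statements) instead of escaping
// The field names, the 'users' table and its columns are assumptions.

declare(strict_types=1);

// 1. Validation: return the typed value, or null when the input is not acceptable.
function validateInt(string $raw, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

function validateTelephone(string $raw): ?string
{
    // Same alphabet the original 'telephone' case accepts (digits, +, *, p),
    // but with a length bound and without accepting the empty string.
    $v = trim($raw);
    return preg_match('/^[0-9+*p]{3,20}$/', $v) === 1 ? $v : null;
}

function validateIdCard(string $raw): ?string
{
    // Two ASCII letters followed by six digits, as in the original 'id_card' case.
    $v = strtoupper(trim($raw));
    return preg_match('/^[A-Z]{2}[0-9]{6}$/', $v) === 1 ? $v : null;
}

// 2. Output escaping, chosen per context. Following mario's comment:
//    htmlspecialchars with ENT_QUOTES and an explicit charset.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escapeUrlParam(string $s): string
{
    return rawurlencode($s); // RFC 3986 percent-encoding for a query-string value
}

// 3. Database access: bind values; never interpolate or escape them into the SQL text.
function findUserByIdCard(PDO $db, string $idCard): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id_card = :id_card');
    $stmt->execute([':id_card' => $idCard]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input, standing in for what a form might have submitted.
$input = [
    'age'     => '42',
    'phone'   => '+4930123p456',
    'id_card' => 'ab123456',
    'comment' => '<script>alert(1)</script> & "quotes"',
];

$age    = validateInt($input['age'], 0, 150);   // int(42)
$phone  = validateTelephone($input['phone']);   // "+4930123p456"
$idCard = validateIdCard($input['id_card']);    // "AB123456"
if ($age === null || $phone === null || $idCard === null) {
    http_response_code(400);
    exit('invalid input');
}

// The raw comment would be stored as-is; it is escaped only when rendered.
echo '<p>' . escapeHtml($input['comment']) . "</p>\n";
// -> <p>&lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;quotes&quot;</p>
echo '<a href="/search?q=' . escapeUrlParam($input['comment']) . '">search</a>' . "\n";

// In-memory SQLite so the prepared-statement path runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, id_card TEXT)');
$db->exec("INSERT INTO users (name, id_card) VALUES ('Alice', 'AB123456')");

var_dump(findUserByIdCard($db, $idCard));        // array: id => 1, name => "Alice"
// Deliberately bypassing validateIdCard() to show that a bound parameter is only
// ever compared as a literal string, so the payload simply matches no row.
var_dump(findUserByIdCard($db, "' OR 1=1 --"));  // NULL
```

The validators return `null` rather than `false` so that a legitimate value of `0` or `""` cannot be confused with a rejection, and the escaping functions are called at the point of output rather than when the data is received, because the correct encoding depends on where the value ends up.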