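// Entity-encode $val for HTML output. The replacement strings must stay as
// HTML entities: when this snippet is copied through an HTML renderer they
// decode back to the raw characters and every line silently becomes a no-op
// (and the backslash line below becomes an unterminated string).
// Order matters: '&' is encoded first so the entities produced below are not
// re-encoded, and '<' / '>' before "\n" so the inserted <br> survives.
$val = preg_replace( '/&/' , '&amp;' , $val );
$val = preg_replace( '/<!--/' , '&lt;!--' , $val );
$val = preg_replace( '/-->/' , '--&gt;' , $val );
$val = preg_replace( '/<script/i' , '&lt;script' , $val );
$val = preg_replace( '/>/' , '&gt;' , $val );
$val = preg_replace( '/</' , '&lt;' , $val );
$val = preg_replace( '/"/' , '&quot;' , $val );
$val = preg_replace( '/\|/' , '&#124;' , $val );
$val = preg_replace( '/\n/' , '<br>' , $val ); // Convert literal newlines
$val = preg_replace( '/\$/' , '&#036;' , $val );
$val = preg_replace( '/\r/' , '' , $val ); // Remove literal carriage returns
$val = preg_replace( '/!/' , '&#33;' , $val );
// Encoding the quote is HTML output escaping; it does not make the value safe
// to interpolate into SQL — queries still need prepared statements / binding.
$val = preg_replace( "/'/" , '&#39;' , $val );
$val = stripslashes($val); // Swop PHP added backslashes (e.g. magic_quotes_gpc)
$val = preg_replace( '/\\\\/' , '&#092;' , $val ); // Swop user inputted backslashes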
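// Entity-encode $val for HTML output. The replacement strings must stay as
// HTML entities: when this snippet is copied through an HTML renderer they
// decode back to the raw characters and every line silently becomes a no-op
// (and the backslash line below becomes an unterminated string).
// '&' is encoded first: otherwise user-supplied entities such as "&lt;" pass
// through untouched and the entities produced below can be double-decoded.
// '<' / '>' are encoded before "\n" so the inserted <br> survives.
$val = preg_replace( '/&/' , '&amp;' , $val );
$val = preg_replace( '/<!--/' , '&lt;!--' , $val );
$val = preg_replace( '/-->/' , '--&gt;' , $val );
$val = preg_replace( '/<script/i' , '&lt;script' , $val );
$val = preg_replace( '/>/' , '&gt;' , $val );
$val = preg_replace( '/</' , '&lt;' , $val );
$val = preg_replace( '/"/' , '&quot;' , $val );
$val = preg_replace( '/\|/' , '&#124;' , $val );
$val = preg_replace( '/\n/' , '<br>' , $val ); // Convert literal newlines
$val = preg_replace( '/\$/' , '&#036;' , $val );
$val = preg_replace( '/\r/' , '' , $val ); // Remove literal carriage returns
$val = preg_replace( '/!/' , '&#33;' , $val );
// Encoding the quote is HTML output escaping; it does not make the value safe
// to interpolate into SQL — queries still need prepared statements / binding.
$val = preg_replace( "/'/" , '&#39;' , $val );
$val = stripslashes($val); // Swop PHP added backslashes (e.g. magic_quotes_gpc)
$val = preg_replace( '/\\\\/' , '&#092;' , $val ); // Swop user inputted backslashes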
在输出之前要stripslashes($val)
是不是对用户提交的每一个数据都要进行上面所有的安全转换呢?
提供一下汉化吧?
literal newlines
literal carriage returns
added backslashes
inputted backslashes
我e文很差,不懂呀?
大家看一下这个函数合理吗?
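/**
 * Encode or decode a submitted value.
 *
 * @param string $val    Value to transform.
 * @param string $action "addslashes": entity-encode $val for HTML output, then
 *                       addslashes() it. "stripslashes": undo the slashes PHP
 *                       added via magic_quotes_gpc (only when that was on).
 *                       Any other action leaves $val unchanged.
 * @return string The transformed value. The previous version had no return
 *                statement, so callers always received null and the function
 *                had no effect.
 */
function slashescode($val, $action)
{
    // get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0;
    // treat "function missing" as "magic quotes off" instead of fataling.
    $mg_state = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    switch ($action) {
        case "addslashes": // encode
            // Replacement strings must stay as HTML entities (they decode to
            // the raw characters, i.e. no-ops, if pasted through HTML).
            // '&' first so the entities produced below are not re-encoded;
            // '<' / '>' before "\n" so the inserted <br> survives.
            $val = preg_replace('/&/', '&amp;', $val);
            $val = preg_replace('/<!--/', '&lt;!--', $val);
            $val = preg_replace('/-->/', '--&gt;', $val);
            $val = preg_replace('/<script/i', '&lt;script', $val);
            $val = preg_replace('/>/', '&gt;', $val);
            $val = preg_replace('/</', '&lt;', $val);
            $val = preg_replace('/"/', '&quot;', $val);
            $val = preg_replace('/\|/', '&#124;', $val);
            $val = preg_replace('/\n/', '<br>', $val); // Convert literal newlines
            $val = preg_replace('/\$/', '&#036;', $val);
            $val = preg_replace('/\r/', '', $val); // Remove literal carriage returns
            $val = preg_replace('/!/', '&#33;', $val);
            // HTML output escaping only: SQL still needs prepared statements.
            $val = preg_replace("/'/", '&#39;', $val);
            $val = addslashes($val);
            break;
        case "stripslashes": // decode
            // Only strip when PHP itself added the slashes (magic quotes on).
            if ($mg_state) {
                $val = stripslashes($val);
            }
            break;
    }
    return $val;
}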
在解码时还需要哪些?