php防注入和XSS攻击通用过滤.

 

// Per-request cache of the filtered "content" payload: null until gv() has
// decoded the request body, an array afterwards. NOTE(review): the property is
// public, so code outside the class can read or overwrite the filtered data;
// confirm whether that is intended.
public $datas = null;
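/**
 * Return the filtered "content" payload of the JSON request body.
 *
 * The body is read from php://input and decoded once; the result is cached in
 * $this->datas so later calls do not re-read or re-filter it.
 *
 * @param string $name Key to look up; when empty, the whole filtered array is returned.
 * @return mixed The filtered value for $name, '' when it is missing or empty,
 *               or the whole filtered array when $name is empty.
 */
protected function gv($name = '') {
    if ($this->datas === null) {
        $postStr = file_get_contents("php://input");
        $data = json_decode($postStr, true);

        // The body is attacker-controlled. Accept it only when it decodes to an
        // array whose "content" is itself an array: SafeFilter() ignores
        // non-array input, so a scalar "content" would otherwise be cached
        // unfiltered, and taking a reference into a scalar body raises an error.
        if (is_array($data) && isset($data['content']) && is_array($data['content'])) {
            $content = $data['content'];
            $this->SafeFilter($content);
            $this->datas = $content;
        } else {
            $this->datas = array();
        }
    }

    if (empty($name)) {
        return $this->datas;
    }

    // isset() avoids an undefined-index notice for absent keys. The loose
    // comparison is kept from the original so '' and empty arrays still map to ''.
    if (isset($this->datas[$name]) && $this->datas[$name] != null) {
        return $this->datas[$name];
    }

    return '';
}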
//php防注入和XSS攻击过滤.
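/**
 * Scrub every scalar value of an array in place, recursing into nested arrays.
 *
 * Each value is backslash-escaped, stripped of control characters and a fixed
 * keyword list, passed through strip_tags() and then HTML-entity encoded.
 * Array keys are left untouched, and non-array input is returned unchanged.
 *
 * Limits to keep in mind when relying on this:
 * - addslashes() is not a substitute for parameterized queries; use prepared
 *   statements for SQL regardless of this filter.
 * - The keyword list is case-sensitive and applied in a single pass, and it
 *   also deletes those letters from ordinary words. The protection for HTML
 *   body context comes from strip_tags() + htmlentities(); other output
 *   contexts (attributes, JavaScript, URLs) need their own encoding.
 * - htmlentities() runs with PHP's default flags, which differ between PHP
 *   versions in whether single quotes are encoded.
 *
 * @param mixed $arr Array to filter, passed by reference and modified in place.
 * @return void
 */
function SafeFilter(&$arr) {
    if (!is_array($arr)) {
        return;
    }

    // First pattern: control characters. The original class contained commas,
    // which PCRE treats as literal characters, so every comma in the input was
    // deleted; it also stopped at \x19 and left the control bytes \x1a-\x1f.
    $ra = array('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '/script/', '/javascript/', '/vbscript/', '/expression/', '/applet/', '/meta/', '/xml/', '/blink/', '/link/', '/style/', '/embed/', '/object/',
        '/frame/', '/layer/', '/title/', '/bgsound/', '/base/', '/onload/', '/onunload/', '/onchange/', '/onsubmit/', '/onreset/', '/onselect/', '/onblur/', '/onfocus/', '/onabort/',
        '/onkeydown/', '/onkeypress/', '/onkeyup/', '/onclick/', '/ondblclick/', '/onmousedown/', '/onmousemove/', '/onmouseout/', '/onmouseover/', '/onmouseup/');

    // get_magic_quotes_gpc() was removed in PHP 8 and has always returned false
    // since magic quotes were dropped in PHP 5.4, so only consult it on older
    // runtimes. Calling it unconditionally is a fatal error on PHP 8.
    $alreadyQuoted = PHP_VERSION_ID < 50400 && get_magic_quotes_gpc();

    foreach ($arr as $key => $value) {
        if (is_array($value)) {
            $this->SafeFilter($arr[$key]);
            continue;
        }

        // Cast first so null and other non-string scalars are handled uniformly.
        $value = (string) $value;
        if (!$alreadyQuoted) {
            // Skip values already escaped by magic quotes to avoid double escaping.
            $value = addslashes($value);
        }
        $value = preg_replace($ra, '', $value);
        // Drop HTML and PHP tags, then encode what remains as HTML entities.
        $arr[$key] = htmlentities(strip_tags($value));
    }
}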

 

 
