
PHP几种防范XSS攻击的函数 (二)

发布单位:索蓝时 发布时间:2012年4月16日 浏览次数:2159

1、checkxss(ASP/VBScript 版本)

网址:http://www.ggcol.com/blog/article.asp?id=272

 Function Checkxss(byVal ChkStr)

    Dim Str

    Str = ChkStr

    If IsNull(Str) Then

        CheckStr = ""

        Exit Function

    End If

    Str = Replace(Str, "&", "&")

    Str = Replace(Str, "'", "´")

    Str = Replace(Str, """", """)

        Str = Replace(Str, "<", "<")

        Str = Replace(Str, ">", ">")

        Str = Replace(Str, "/", "/")

        Str = Replace(Str, "*", "*")

    Dim re

    Set re = New RegExp

    re.IgnoreCase = True

    re.Global = True

    re.Pattern = "(w)(here)"

    Str = re.Replace(Str, "$1here")

    re.Pattern = "(s)(elect)"

    Str = re.Replace(Str, "$1elect")

    re.Pattern = "(i)(nsert)"

    Str = re.Replace(Str, "$1nsert")

    re.Pattern = "(c)(reate)"

    Str = re.Replace(Str, "$1reate")

    re.Pattern = "(d)(rop)"

    Str = re.Replace(Str, "$1rop")

    re.Pattern = "(a)(lter)"

    Str = re.Replace(Str, "$1lter")

    re.Pattern = "(d)(elete)"

    Str = re.Replace(Str, "$1elete")

    re.Pattern = "(u)(pdate)"

    Str = re.Replace(Str, "$1pdate")

    re.Pattern = "(\s)(or)"

    Str = re.Replace(Str, "$1or")

        re.Pattern = "(\n)"

    Str = re.Replace(Str, "$1or")

        '----------------------------------

        re.Pattern = "(java)(script)"

    Str = re.Replace(Str, "$1script")

        re.Pattern = "(j)(script)"

    Str = re.Replace(Str, "$1script")

        re.Pattern = "(vb)(script)"

    Str = re.Replace(Str, "$1script")

        '----------------------------------

        If Instr(Str, "e­xpression") > 0 Then

                Str = Replace(Str, "e­xpression", "e­xpression", 1, -1, 0) '防止xss注入

        End If

    Set re = Nothing

    Checkxss = Str

End Function

2、Safe_String

不能直接使用该函数,需要修改:页面摘录时丢失了 `=`、`,` 等符号,并且 `&$Str_Input` 这种调用时传引用的写法在现行 PHP 版本中已不再支持。

网址:http://www.vbforums.com/showthread.php?t=587224

 function Safe_String($Str_Input$Str_Type'all'$Str_Charset'ISO-8859-1'$Bln_HTMLEntitiesfalse$Bln_SubStrfalse$Lng_MaximumLength0


        switch(
strtolower($Str_Type)): 
        case 
'english'
        case 
'e'$Str_Inputpreg_replace('/[^a-zA-Z]/i''', &$Str_Input); 
        break; 

        case 
'integer'
        case 
'i'$Str_Inputpreg_replace('/[^0-9+-]/i''', &$Str_Input); 
        break; 

        case 
'number'
        case 
'n'$Str_Inputpreg_replace('/[^0-9+.\/-]/i''', &$Str_Input); 
        break; 

        case 
'englishinteger'
        case 
'ei'$Str_Inputpreg_replace('/[^a-zA-Z0-9+-]/i''', &$Str_Input); 
        break; 

        case 
'englishnumber'
        case 
'en'$Str_Inputpreg_replace('/[^a-zA-Z0-9+.\/-]/i''', &$Str_Input); 
        break; 

        case 
'electronicmail'
        case 
'em'$Str_Inputpreg_replace('/[^a-zA-Z0-9@_.-]/i''', &$Str_Input); 
        break; 

        case 
'file'
        case 
'f'$Str_Inputpreg_replace('/[^a-zA-Z0-9+_.-]/i''', &$Str_Input); 
        break; 

        case 
'phone'
        case 
'ph'$Str_Inputpreg_replace('/[^0-9+]/i''', &$Str_Input); 
        break; 

        case 
'internetprotocol'
        case 
'ip'$Str_Inputpreg_replace('/[^0-9.:]/i''', &$Str_Input); 
        break; 
        endswitch; 

    if(
$Bln_SubStr): $Str_Inputmb_substr(&$Str_Input0, &$Lng_MaximumLength, &$Str_Charset); 
    endif; 
    if(
$Bln_HTMLEntities): $Str_Inputhtmlentities(&$Str_InputENT_COMPAT, &$Str_Charset); 
    endif; 
    unset(
$Bln_HTMLEntities$Bln_SubStr); 
    return(
$Str_Input);