/**
 * Security filter: generic data filter.
 * Usage in a Controller: $this->controller->fliter_escape($value)
 *
 * A scalar is passed to self::fliter_str(); for an array, every top-level
 * element is passed to self::fliter_str() in turn (keys are preserved).
 * The self:: reference means this only works as a method of the class that
 * defines fliter_str().
 *
 * @param string|array $value value(s) to filter
 * @return string|array
 */
function fliter_escape($value) {
    if (!is_array($value)) {
        return self::fliter_str($value);
    }
    foreach (array_keys($value) as $key) {
        $value[$key] = self::fliter_str($value[$key]);
    }
    return $value;
}
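/**
 * Security filter: strip <script> and <iframe> blocks and neutralise inline
 * event-handler names (onclick, onload, ...). High filter level.
 * Usage in a Controller: $this->controller->fliter_script($value)
 *
 * This is a blacklist and only catches the constructs listed here; output
 * encoding (fliter_html / htmlspecialchars) stays the primary control and
 * this is a secondary measure for rich text only.
 *
 * Changes from the published listing: the handler replacement showed as
 * "&111n" (its "&#111;" entity was decoded by the page renderer); the two
 * tag patterns were "(.*?)</script>" / "(.*?)</iframe>", which deleted
 * everything before the closing tag; and the final preg_replace("//iesU")
 * used the /e modifier, which PHP 7+ rejects, making the function return
 * null — that call is dropped.
 *
 * @param string $value value to filter
 * @return string
 */
function fliter_script($value) {
    // Entity-encode the leading "o" (&#111; is "o") so "on<event>" no longer
    // parses as an event handler attribute; \2 is the event suffix.
    $value = preg_replace(
        '/(javascript:)?on(click|load|key|mouse|error|abort|move|unload|change|dblclick|reset|resize|submit)/i',
        '&#111;n\\2',
        $value
    );
    // Remove whole <script ...>...</script> and <iframe ...>...</iframe> blocks,
    // anchored on the opening tag.
    $value = preg_replace('/<script\b.*?<\/script>/si', '', $value);
    $value = preg_replace('/<iframe\b.*?<\/iframe>/si', '', $value);
    return $value;
}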
使用PHP提供的htmlentities函数过滤HTML,该函数会将所有HTML标签字符(&、<、>等)转化为对应的HTML实体,以便在应用存储层取出后安全渲染。但是有时候我们是允许用户输入某些HTML元素的,尤其是输入富文本的时候,比如图片、链接这些
注:输入数据既要验证也要过滤,以确保其符合预期且安全。
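/**
 * Security filter: encode HTML special characters.
 * Usage in a Controller: $this->controller->fliter_html($value)
 *
 * Encodes &, ", ', < and > as HTML entities so the value can be placed in
 * HTML text or a quoted attribute. ENT_QUOTES is passed explicitly because
 * on PHP < 8.1 the default flags leave the single quote unencoded, which
 * matters inside single-quoted attributes. ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of turning the whole result into ''.
 *
 * @param string $value value to encode
 * @return string
 */
function fliter_html($value) {
    // htmlspecialchars() is a core function, so the function_exists() guard and
    // its str_replace() fallback (which mapped each character to itself after
    // the page's entity decoding) are gone.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}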
/**
 * Security filter: encode HTML tags.
 * Usage in a Controller: $this->controller->fliter_html($value)
 * @param string $value value to filter
 * @return string
 */
// NOTE(review): this is a second, identical definition of fliter_html(); the
// first one appears earlier in this listing. PHP does not allow a function to
// be declared twice ("Cannot redeclare"), so only one copy can remain in a
// real file. The str_replace() fallback below replaces each character with
// itself (its entities were decoded when the page was rendered) and is a no-op.
function fliter_html($value) {
if (function_exists('htmlspecialchars')) return htmlspecialchars($value);
return str_replace(array("&", '"', "'", "<", ">"), array("&", "\"", "'", "<", ">"), $value);
}
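/**
 * Security filter: neutralise characters that are dangerous in an HTML context.
 * Usage in a Controller: $this->controller->fliter_str($value)
 *
 * Removes NUL bytes (raw and %00) and carriage returns, encodes & " ' < > as
 * HTML entities, and maps the URL-encoded %3C / %3E to &lt; / &gt;. Numeric
 * character references already present in the input (&#123; or &#x1F60;) are
 * restored after the "&" encoding so they still render.
 *
 * The replacement table in the published listing had its entities decoded by
 * the page renderer ('&amp;' showed as '&', and the ' entry became the invalid
 * literal '''); the table below is the entity-encoding form. Two ' ' -> ' '
 * pairs that replaced a space with a space are omitted.
 *
 * @param string $value value to filter
 * @return string
 */
function fliter_str($value) {
    $badstr = array("\0", "%00", "\r", '&', '"', "'", '<', '>', '%3C', '%3E');
    $newstr = array('', '', '', '&amp;', '&quot;', '&#039;', '&lt;', '&gt;', '&lt;', '&gt;');
    // str_replace() applies the pairs in order: '&' is encoded first, so the
    // entities produced by the later pairs are not re-encoded.
    $value = str_replace($badstr, $newstr, $value);
    // Undo the '&' encoding for pre-existing numeric character references.
    return preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $value);
}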
/**
 * Private path safety check.
 * Usage in a Controller: $this->controller->filter_dir($fileName)
 *
 * Rejects a name containing a drive-style ":/" sequence, a NUL byte or a ".."
 * segment (checked on a lower-cased copy) and otherwise returns the name
 * unchanged. A leading "/" (absolute path) is not rejected here, so callers
 * still need to anchor the name under a base directory.
 *
 * @param string $fileName
 * @return string|false the original name, or false when a forbidden sequence is present
 */
function filter_dir($fileName) {
    $forbidden = array(':/', "\0", '..');
    $haystack = strtolower($fileName);
    foreach ($forbidden as $needle) {
        if (strpos($haystack, $needle) !== false) {
            return false;
        }
    }
    return $fileName;
}
/**
 * Directory path filter.
 * Usage in a Controller: $this->controller->filter_path($path)
 *
 * Removes ' # = ` $ % & ; from the path, collapses runs of two or more
 * forward slashes and any run of backslashes to a single "/", and strips
 * trailing slashes. ".." segments are left in place, so pair this with
 * filter_dir() when the path comes from a request.
 *
 * (Declared `public` in the controller class; shown as a plain function here
 * because this listing has no enclosing class body.)
 *
 * @param string $path
 * @return string
 */
function filter_path($path) {
    $stripped = str_replace(array("'", '#', '=', '`', '$', '%', '&', ';'), '', $path);
    $normalised = preg_replace('#(/){2,}|(\\\\){1,}#', '/', $stripped);
    return rtrim($normalised, '/');
}
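/**
 * Neutralise PHP open/close tags in a string.
 * Usage in a Controller: $this->controller->filter_phptag($string)
 *
 * Replaces "<?" with "&lt;?" and "?>" with "?&gt;" so a stored string cannot
 * be interpreted as PHP if it is ever written into a file that is later
 * included ("<?php" starts with "<?", so it is covered).
 *
 * In the published listing both arrays had been entity-decoded and the search
 * array collapsed to a single empty string, which makes str_replace() a no-op;
 * the pairs below are the reconstructed intent.
 *
 * (Declared `public` in the controller class; shown as a plain function here.)
 *
 * @param string $string
 * @return string
 */
function filter_phptag($string) {
    return str_replace(array('<?', '?>'), array('&lt;?', '?&gt;'), $string);
}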
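/**
 * Security filter: output (reverse) function.
 * Usage in a Controller: $this->controller->str_out($value)
 *
 * Turns the &lt; / &gt; entities produced by fliter_str() back into raw "<"
 * and ">" and removes the backslashes added by addslashes(). The result is
 * raw markup: use it only where the caller deliberately renders stored HTML,
 * never for values echoed into a page as text.
 *
 * The published listing showed both tables entity-decoded (so "<" was mapped
 * to "<"); the search table below is the entity form. Its second "&lt;"/"&gt;"
 * entries, mapped to "%3C"/"%3E", could never match because str_replace()
 * works left to right, so they are omitted.
 *
 * (Declared `public` in the controller class; shown as a plain function here.)
 *
 * @param string $value value to convert
 * @return string
 */
function str_out($value) {
    $value = str_replace(array('&lt;', '&gt;'), array('<', '>'), $value);
    return stripslashes($value);
}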
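/*
 * Checking upload types and filtering unsafe data in PHP.
 */
/**
 * Apply addslashes() to a string, or recursively to every leaf of an array.
 *
 * The published version was guarded by get_magic_quotes_gpc(): magic quotes
 * were removed in PHP 5.4 (the function then always returned false) and the
 * function itself no longer exists in PHP 8, where calling it is a fatal
 * error, so the guard is dropped. addslashes() only escapes ' " \ and NUL; it
 * is not a SQL escaping mechanism — use prepared statements for queries and
 * htmlspecialchars() for HTML output.
 *
 * @param string|array $string
 * @param int $force kept for backward compatibility; only forwarded to the recursive calls
 * @return string|array
 */
function s_addslashes($string, $force = 0) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = s_addslashes($val, $force);
        }
        return $string;
    }
    // The published listing also called str_replace() with an empty search
    // string before this line; an empty needle never matches, so it was a
    // no-op and is omitted.
    return addslashes($string);
}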
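// Usage example: escape each request array once, in a common include.
// c_addslashes() does not exist in this listing — the function defined
// above is s_addslashes().
$_COOKIE = s_addslashes($_COOKIE);
$_POST = s_addslashes($_POST);
$_GET = s_addslashes($_GET);
// Upload check, placed in the common include. The published loop only copied
// $_value['type'] onto itself and then tested $key *after* the loop, so at
// most the last file was ever checked; the check now runs per file.
if ($_FILES) {
    foreach ($_FILES as $key => $_value) {
        // $_FILES[..]['type'] is supplied by the client and not verified by PHP,
        // so it is only a first filter; the check on the temporary file below
        // is the one that actually inspects the uploaded bytes.
        if (substr($_value['type'], 0, 6) != 'image/') {
            exit;
        }
        if (!is_uploaded_file($_value['tmp_name']) || getimagesize($_value['tmp_name']) === false) {
            exit;
        }
    }
}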
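/**
 * XSS keyword filter.
 *
 * Strips ASCII control characters, then blanks out a list of dangerous tag
 * names (script, iframe, object, ...) and on* event-handler names even when
 * their letters are interleaved with entity-encoded whitespace such as
 * &#x09; or &#10; (a common filter-evasion form). Matching is
 * case-insensitive.
 *
 * Two patterns in the published listing lost their "&#" prefix (they showed
 * as "[x|X]0..." and "\xEF\xBF\xBD(..."); they are restored below. The
 * original's "[9][a][b]" / "[9][10][13]" required those characters in
 * sequence; they are written as alternations, which is the form the evasion
 * actually takes.
 *
 * This is a keyword blacklist and only reduces the attack surface of stored
 * rich text: context-correct output encoding (htmlspecialchars for HTML,
 * json_encode for JavaScript) remains the primary control.
 *
 * @param string $string
 * @return string
 */
function remove_xss($string) {
    // Drop control characters (TAB, LF and CR are kept). The published pattern
    // had a stray "|<|>" after the closing delimiter, which PCRE rejects as an
    // unknown modifier, so preg_replace() returned null.
    $string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $string);

    $tags = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $events = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
        'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange',
        'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut',
        'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate',
        'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop',
        'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin',
        'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload',
        'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste',
        'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend',
        'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll',
        'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit',
        'onunload');

    // Optional entity-encoded whitespace allowed between consecutive letters:
    // hex form &#x9; / &#xa; / &#xb; (with leading zeros) or decimal form
    // &#9; / &#10; / &#13; (up to eight leading zeros), ";" optional.
    $gap = '((&#[xX]0*[9ab];?)?|(&#0{0,8}(9|10|13);?)?)?';

    foreach (array_merge($tags, $events) as $word) {
        $pattern = '/' . implode($gap, str_split($word)) . '/i';
        $string = preg_replace($pattern, ' ', $string);
    }
    return $string;
}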
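/**
 * Utility: strip ASCII control characters.
 *
 * Removes NUL (0x00), 0x01–0x08, 0x0B, 0x0C and 0x0E–0x1F; TAB (0x09),
 * LF (0x0A) and CR (0x0D) are kept. (The published comment said "0-28"; the
 * pattern it built with chr() covered the ranges above, which are kept.)
 *
 * The class is written with \x escapes instead of chr() concatenation, uses
 * "+" instead of "*" (which produced an empty match at every position), and
 * folds NUL into the class instead of a second str_replace() pass.
 *
 * @param string $str
 * @return string
 */
function trim_unsafe_control_chars($str) {
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]+/', '', $str);
}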
// Demo output.
echo trim_unsafe_control_chars(" asdasdas"), "\n";
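/**
 * Format textarea content for HTML display.
 *
 * Replaces each space with a non-breaking-space entity and inserts "<br />"
 * before each newline (nl2br keeps the newline itself), so indentation and
 * line breaks survive HTML whitespace collapsing. The published listing showed
 * the replacement entity already decoded (' ' -> ' '), which made the
 * str_replace() a no-op; '&nbsp;' is the intended target.
 *
 * The content is not HTML-escaped here: apply htmlspecialchars() first when
 * the text comes from a user, otherwise "<" in the input is emitted as markup.
 *
 * @param string $string textarea content
 * @return string
 */
function trim_textarea($string) {
    return nl2br(str_replace(' ', '&nbsp;', $string));
}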
// Demo output.
echo trim_textarea(" asc sda sdas"), "\n";
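/**
 * Format text for embedding in a JavaScript string literal.
 *
 * CR, LF and TAB are removed as before, then the text is escaped with
 * json_encode() and the JSON_HEX_* flags, so < > & ' " and "/" come out as
 * \uXXXX or \/ escapes. That is what makes a value containing "</script>"
 * safe inside an inline script: addslashes(), which the original relied on,
 * leaves "</" intact and lets the browser close the script element early.
 * The surrounding quotes json_encode() adds are stripped so the return value
 * still fits between the caller's own double quotes.
 *
 * @param string $string text to process
 * @param int $isjs 1 (default) wraps the result in document.write("...");, 0 returns only the escaped text
 * @return string
 */
function format_js($string, $isjs = 1) {
    $flat = str_replace(array("\r", "\n", "\t"), '', (string) $string);
    $encoded = json_encode($flat, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
    if ($encoded === false) {
        // json_encode() rejects invalid UTF-8; fall back to the historical
        // escaping (plus "/") rather than emitting an empty script.
        $escaped = str_replace('/', '\\/', addslashes($flat));
    } else {
        $escaped = substr($encoded, 1, -1); // drop the enclosing double quotes
    }
    return $isjs ? 'document.write("' . $escaped . '");' : $escaped;
}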
// Demo output.
echo format_js(" asc sda sdas"), "\n";
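/**
 * Utility: rebuild the full URL of the current request.
 *
 * The scheme is https when $_SERVER['HTTPS'] is set and not "off", or when
 * the server port is 443 (the published version looked at the port only).
 * Path and query parts go through safe_replace() as before. HTTP_HOST is the
 * request's Host header copied verbatim, so the result is attacker-influenced:
 * do not use it to build redirect targets or links in e-mails without checking
 * the host against an allow-list.
 *
 * @return string
 */
function get_url() {
    $https = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== '' && strtolower($_SERVER['HTTPS']) !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443');
    $sys_protocal = $https ? 'https://' : 'http://';
    // isset()/empty() guards replace the bare $_SERVER['PHP_SELF'] read, which
    // raised an undefined-index notice when the SAPI does not set it.
    if (!empty($_SERVER['PHP_SELF'])) {
        $php_self = safe_replace($_SERVER['PHP_SELF']);
    } else {
        $php_self = safe_replace(isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '');
    }
    $path_info = isset($_SERVER['PATH_INFO']) ? safe_replace($_SERVER['PATH_INFO']) : '';
    if (isset($_SERVER['REQUEST_URI'])) {
        $relate_url = safe_replace($_SERVER['REQUEST_URI']);
    } elseif (isset($_SERVER['QUERY_STRING'])) {
        $relate_url = $php_self . '?' . safe_replace($_SERVER['QUERY_STRING']);
    } else {
        $relate_url = $php_self . $path_info;
    }
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    return $sys_protocal . $host . $relate_url;
}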
// Demo output.
echo get_url(), "\n";
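/**
 * Utility: client IP of the current request.
 *
 * Precedence is unchanged from the original: HTTP_CLIENT_IP, then
 * HTTP_X_FORWARDED_FOR, then REMOTE_ADDR (via getenv(), then $_SERVER). The
 * first two are request headers any client can set, so the value is only
 * trustworthy when a reverse proxy in front of PHP overwrites them; for access
 * control or rate limiting prefer REMOTE_ADDR or a proxy-aware trusted-header
 * setup. The original's "[\d\.]{7,15}" check also accepted strings such as
 * "1.1.1.1111"; each candidate is now validated with FILTER_VALIDATE_IP
 * (IPv4 only, to keep the return shape callers already store).
 *
 * @return string the first valid IPv4 address found, or '' if none
 */
function ip() {
    $sources = array(
        getenv('HTTP_CLIENT_IP'),
        getenv('HTTP_X_FORWARDED_FOR'),
        getenv('REMOTE_ADDR'),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
    );
    foreach ($sources as $raw) {
        // Empty or "unknown" values fall through to the next source, as before.
        if (!$raw || strcasecmp($raw, 'unknown') == 0) {
            continue;
        }
        // X-Forwarded-For may hold a comma-separated chain; the first hop is
        // what the original regex returned as well.
        foreach (explode(',', $raw) as $part) {
            $part = trim($part);
            if (filter_var($part, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
                return $part;
            }
        }
        // A non-empty but invalid value yields '' rather than trying the next
        // source, matching the original's single regex check.
        return '';
    }
    return '';
}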
/**
 * Seconds elapsed since the SYS_START_TIME constant (set by the framework
 * bootstrap, not in this listing).
 *
 * @return float
 */
function get_cost_time() {
    return microtime(true) - SYS_START_TIME;
}
// Demo output.
echo ip(), "\n";
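/**
 * Template lookup.
 *
 * Resolves the compiled (cached) PHP file for a module template, compiling it
 * from templates/<style>/<module>/<template>.html when the cache is missing or
 * older than the source, and falling back to the 'default' style when the
 * requested style has no such template.
 *
 * @param string $module module name; 'plugin/<name>' delegates to p_template()
 * @param string $template template name (without .html)
 * @param string $style style directory; '' uses the site's default_style or the STYLE constant
 * @return string path of the compiled template under caches/caches_template/
 */
function template($module = 'content', $template = 'index', $style = '') {
    if (strpos($module, 'plugin/') !== false) {
        $plugin = str_replace('plugin/', '', $module);
        return p_template($plugin, $template, $style);
    }
    // $module and $template are spliced into filesystem paths below with no
    // traversal check; they are expected to come from code, not the request.
    $module = str_replace('/', DIRECTORY_SEPARATOR, $module);
    // Anchored pattern: the published '/([a-z0-9\-_]+)/is' only required some
    // permitted character to appear somewhere in $style, so a value such as
    // '../x' passed the check and was used to build template and cache paths.
    if (!empty($style) && preg_match('/^[a-z0-9\-_]+$/i', $style)) {
        // explicit, well-formed style name: use it as given
    } elseif (empty($style) && !defined('STYLE')) {
        if (defined('SITEID')) {
            $siteid = SITEID;
        } else {
            $siteid = param::get_cookie('siteid');
        }
        if (!$siteid) $siteid = 1;
        $sitelist = getcache('sitelist', 'commons');
        if (!empty($siteid)) {
            $style = $sitelist[$siteid]['default_style'];
        }
    } elseif (empty($style) && defined('STYLE')) {
        $style = STYLE;
    } else {
        // non-empty but not a plain name: ignore it
        $style = 'default';
    }
    if (!$style) $style = 'default';

    $template_cache = app_base::load_sys_class('template_cache');
    $tpl_root = CODE_PATH . 'templates' . DIRECTORY_SEPARATOR;
    $cache_root = ROOT_PATH . 'caches' . DIRECTORY_SEPARATOR . 'caches_template' . DIRECTORY_SEPARATOR;
    $rel = $module . DIRECTORY_SEPARATOR . $template;

    $tplfile = $tpl_root . $style . DIRECTORY_SEPARATOR . $rel . '.html';
    $compiledtplfile = $cache_root . $style . DIRECTORY_SEPARATOR . $rel . '.php';
    if (file_exists($tplfile)) {
        // Recompile when the cache is missing or the source is newer.
        if (!file_exists($compiledtplfile) || (@filemtime($tplfile) > @filemtime($compiledtplfile))) {
            $template_cache->template_compile($module, $template, $style);
        }
        return $compiledtplfile;
    }

    // Fall back to the 'default' style.
    $tplfile = $tpl_root . 'default' . DIRECTORY_SEPARATOR . $rel . '.html';
    $compiledtplfile = $cache_root . 'default' . DIRECTORY_SEPARATOR . $rel . '.php';
    if (!file_exists($compiledtplfile) || (file_exists($tplfile) && filemtime($tplfile) > filemtime($compiledtplfile))) {
        $template_cache->template_compile($module, $template, 'default');
    } elseif (!file_exists($tplfile)) {
        showmessage('Template does not exist.' . DIRECTORY_SEPARATOR . $style . DIRECTORY_SEPARATOR . $rel . '.html');
    }
    return $compiledtplfile;
}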
/**
 * Utility: format a byte count in GB / MB / KB / Bytes.
 *
 * The largest unit the value reaches is used, rounded to two decimals
 * (round after scaling by 100, then divide — same rounding as before).
 *
 * @param int|float $filesize size in bytes
 * @return string e.g. "33.98 MB"
 */
function sizecount($filesize) {
    $units = array(1073741824 => 'GB', 1048576 => 'MB', 1024 => 'KB');
    foreach ($units as $bytes => $label) {
        if ($filesize >= $bytes) {
            return round($filesize / $bytes * 100) / 100 . ' ' . $label;
        }
    }
    return $filesize . ' Bytes';
}
// Demo output.
echo sizecount(35632454), "\n";
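/**
 * Utility: reversible string "encryption" with an expiry and an integrity tag.
 *
 * ENCODE prepends a 10-digit expiry timestamp (0 = never) and a 16-hex-char
 * tag (md5 of payload + derived key) to the payload, XORs the result with an
 * MD5-derived keystream seeded by a 4-character per-message prefix, and
 * base64-encodes it (prefix first, "=" padding removed). DECODE reverses
 * that and returns '' when the expiry has passed or the tag does not match.
 *
 * This is an XOR stream keyed from MD5, not an authenticated cipher. It is
 * kept for compatibility with values already issued; for new secrets use
 * sodium_crypto_secretbox() or an OpenSSL AEAD mode instead.
 *
 * Changes from the published version: "$string{$i}" (removed in PHP 8) is
 * now "$string[$i]"; the tag check uses hash_equals() instead of "==", which
 * compares two hex strings numerically when both look like "0e..." numbers;
 * the expiry is compared as an int.
 *
 * @param string $string plaintext (ENCODE) or token (DECODE)
 * @param string $operation 'ENCODE' (default) or 'DECODE'
 * @param string $key key (digits, letters, underscore); '' uses the system auth_key
 * @param int $expiry lifetime in seconds; 0 = no expiry
 * @return string the token, the decoded payload, or '' on failure
 */
function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0) {
    $key_length = 4;
    $key = md5($key != '' ? $key : app_base::load_config('system', 'auth_key'));
    $fixedkey = md5($key);
    $egiskeys = md5(substr($fixedkey, 16, 16));
    // Per-message key prefix: random on ENCODE, read back from the token on DECODE.
    $runtokey = $operation == 'ENCODE'
        ? substr(md5(microtime(true)), -$key_length)
        : substr($string, 0, $key_length);
    $keys = md5(substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));

    if ($operation == 'ENCODE') {
        $string = sprintf('%010d', $expiry ? $expiry + time() : 0)
            . substr(md5($string . $egiskeys), 0, 16)
            . $string;
    } else {
        $string = base64_decode(substr($string, $key_length));
    }

    $result = '';
    $string_length = strlen($string);
    for ($i = 0; $i < $string_length; $i++) {
        $result .= chr(ord($string[$i]) ^ ord($keys[$i % 32]));
    }

    if ($operation == 'ENCODE') {
        return $runtokey . str_replace('=', '', base64_encode($result));
    }

    $expires = (int) substr($result, 0, 10);
    $tag = (string) substr($result, 10, 16);
    $payload = (string) substr($result, 26);
    $expected = substr(md5($payload . $egiskeys), 0, 16);
    if (($expires === 0 || $expires > time()) && hash_equals($expected, $tag)) {
        return $payload;
    }
    return '';
}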
// Demo: encode, then decode with the same key.
$a1 = sys_auth("liman123456789aaaaa阿萨德//dsas", 'ENCODE', 'manasdas123', 1);
echo $a1, "\n";
$a2 = sys_auth($a1, 'DECODE', 'manasdas123', 1);
echo $a2, "\n";
/**
 * Whether $needle occurs anywhere in $haystack.
 *
 * @param string $haystack string to search
 * @param string $needle substring to look for
 * @return bool
 */
function str_exists($haystack, $needle)
{
    $position = strpos($haystack, $needle);
    return $position !== false;
}
// Demo output.
echo str_exists('liman', 'c'), "\n";
/**
 * Utility: file extension of a name.
 *
 * Takes the text after the last "." (up to 10 characters), trims it and
 * lower-cases it. Returns '' when there is no "." in the name. Note that the
 * search is on the whole string, so a "." in a directory part counts.
 *
 * @param string $filename file name
 * @return string extension without the dot
 */
function fileext($filename) {
    $fromDot = strrchr($filename, '.');
    $raw = $fromDot === false ? '' : substr($fromDot, 1, 10);
    return strtolower(trim($raw));
}
// Demo output.
echo fileext('liman.c'), "\n";
/**
 * Load a template-tag cache entry from the 'tpl_data' cache.
 *
 * @param string $name cache name
 * @param int $times maximum age in seconds; 0 (default) means any existing entry is stale
 * @return mixed the cached data, or false when the entry is older than $times
 */
function tpl_cache($name, $times = 0) {
    $filepath = 'tpl_data';
    $info = getcacheinfo($name, $filepath);
    $stale = (SYS_TIME - $info['filemtime']) >= $times;
    return $stale ? false : getcache($name, $filepath);
}
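/**
 * Build a SQL WHERE fragment from an array.
 *
 * Despite its name and the published docblock (which describe a cache
 * writer), this is what the body does; the name is kept so existing callers
 * keep working. With $in_column and an array $data it returns
 * "<col> IN ('v1','v2')"; otherwise, for a non-empty array, it returns
 * " k1 = 'v1'  <join>  k2 = 'v2' " joined with $c; any other $data is returned
 * as-is.
 *
 * Keys and values are interpolated into the SQL without escaping, so every
 * caller must pass trusted column names and already-escaped values — or,
 * better, bind the values with a prepared statement instead of this helper.
 *
 * The published body tested an undefined variable $front, so the $c argument
 * was ignored and the join was always ' AND '; $c is now honoured and ' AND '
 * is used only when it is empty.
 *
 * @param string $name unused (kept for compatibility)
 * @param array|mixed $data column => value pairs, or a list of values with $in_column
 * @param string $filepath unused (kept for compatibility)
 * @param string $type unused (kept for compatibility)
 * @param string $c join keyword placed between conditions
 * @param string|false $in_column column name for an IN (...) clause
 * @return string|mixed
 */
function setcache($name, $data, $filepath = '', $type = 'file', $c = 'AND ', $in_column = false) {
    if ($in_column && is_array($data)) {
        $ids = '\'' . implode('\',\'', $data) . '\'';
        return "$in_column IN ($ids)";
    }
    $front = ($c == '') ? ' AND ' : $c;
    if (!is_array($data) || count($data) == 0) {
        return $data;
    }
    $sql = '';
    foreach ($data as $key => $val) {
        $sql .= $sql ? " $front $key = '$val' " : " $key = '$val' ";
    }
    return $sql;
}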
/**
 * Whether $email has a plausible address format: longer than 6 characters,
 * local part and domain of word characters, "-" and ".", and at least one
 * "." followed by word characters at the end.
 *
 * @param string $email
 * @return bool
 */
function is_email($email) {
    if (strlen($email) <= 6) {
        return false;
    }
    return (bool) preg_match("/^[\w\-\.]+@[\w\-\.]+(\.\w+)+$/", $email);
}
/**
 * iconv() fallback for hosts without the iconv extension.
 *
 * Uses mb_convert_encoding() when available; otherwise loads the framework's
 * iconv helpers and handles only UTF-8 <-> GBK/GB2312, returning the input
 * unchanged for any other pair.
 */
if (!function_exists('iconv')) {
    function iconv($in_charset, $out_charset, $str) {
        $from = strtoupper($in_charset);
        $to = strtoupper($out_charset);
        if (function_exists('mb_convert_encoding')) {
            return mb_convert_encoding($str, $to, $from);
        }
        app_base::load_sys_func('iconv');
        $gbkFamily = array('GBK', 'GB2312');
        if ($from == 'UTF-8' && in_array($to, $gbkFamily, true)) {
            return utf8_to_gbk($str);
        }
        if (in_array($from, $gbkFamily, true) && $to == 'UTF-8') {
            return gbk_to_utf8($str);
        }
        return $str;
    }
}
/**
 * Resolve a linkage (cascading) menu entry by id.
 * @param $linkageid linkage menu id
 * @param $keyid menu keyid, i.e. the name of the cache entry read via getcache(..., 'linkage')
 * @param $space separator used when names or ids are joined (defaults to '>')
 * @param $type 1: names of the full path joined by $space; 3: array of the full path entries;
 *              2: only this entry's name; 4: ids of the full path joined by $space
 * @param $result accumulator used by the recursion
 * @param $infos menu data; loaded from cache on the first call and passed down
 */
function get_linkage($linkageid, $keyid, $space = '>', $type = 1, $result = array(), $infos = array()) {
if($space=='' || !isset($space))$space = '>';
if(!$infos) {
$datas = getcache($keyid,'linkage');
$infos = $datas['data'];
}
if($type == 1 || $type == 3 || $type == 4) {
if(array_key_exists($linkageid,$infos)) {
// Collect this level, then walk up to its parent; the recursion ends when an
// id (eventually the root's parentid) is not a key of $infos.
$result[]= ($type == 1) ? $infos[$linkageid]['name'] : (($type == 4) ? $linkageid :$infos[$linkageid]);
return get_linkage($infos[$linkageid]['parentid'], $keyid, $space, $type, $result, $infos);
} else {
if(count($result)>0) {
// Entries were appended child-first; krsort() on the numeric keys reverses
// them to root-first before joining.
krsort($result);
if($type == 1 || $type == 4) $result = implode($space,$result);
return $result;
} else {
return $result;
}
}
} else {
// NOTE(review): no array_key_exists() guard on this branch — an unknown id
// raises an undefined-index notice and yields null rather than ''.
return $infos[$linkageid]['name'];
}
}
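/**
 * Internet Explorer detection from the User-Agent header.
 *
 * Returns true when the UA contains "msie " and is neither Opera nor
 * Konqueror (both historically included the MSIE token). The published
 * version echoed "yes IE"/"no IE" and returned nothing, so file_down()'s
 * `if(is_ie())` could never be true; it now returns a bool. The User-Agent
 * is client-supplied, so treat this as a presentation hint only.
 *
 * @return bool
 */
function is_ie() {
    $useragent = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
    if (strpos($useragent, 'opera') !== false || strpos($useragent, 'konqueror') !== false) {
        return false;
    }
    return strpos($useragent, 'msie ') !== false;
}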
// Demo call.
is_ie();
echo "\n";
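/**
 * Send a file to the browser as an attachment and terminate the script.
 *
 * @param string $filepath path of the file to send; it must already be resolved
 *        to a location the caller intends to expose — no path validation is
 *        done here, so never pass a request parameter directly
 * @param string $filename name offered to the browser (defaults to basename($filepath))
 * @return void never returns: exits after readfile()
 */
function file_down($filepath, $filename = '') {
    if (!$filename) {
        $filename = basename($filepath);
    }
    // header() itself rejects CR/LF, but a '"' in the name would end the
    // quoted Content-Disposition parameter early; strip all three.
    $filename = str_replace(array("\r", "\n", '"'), '', $filename);
    if (is_ie()) {
        $filename = rawurlencode($filename);
    }
    if (!is_file($filepath)) {
        // The original called filesize() on any path and sent a "0" length
        // with a warning for missing files; stop instead.
        exit;
    }
    $filesize = sprintf('%u', filesize($filepath));
    if (ob_get_length() !== false) {
        ob_end_clean();
    }
    header('Pragma: public');
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Cache-Control: pre-check=0, post-check=0, max-age=0');
    header('Content-Transfer-Encoding: binary');
    header('Content-Encoding: none');
    // The original sent the bare extension (e.g. "pdf") as Content-Type, which
    // is not a media type. octet-stream plus nosniff keeps the browser from
    // rendering an uploaded HTML/SVG file inside the site's origin.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('Content-Length: ' . $filesize);
    readfile($filepath);
    exit;
}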
/**
 * Whether a string is well-formed UTF-8; plain ASCII text (printable
 * characters plus TAB, LF, CR) also passes.
 *
 * The alternatives are the UTF-8 byte-sequence classes; overlong encodings,
 * surrogates and code points above U+10FFFF are excluded.
 *
 * @param string $string
 * @return int 1 when well-formed, 0 otherwise (preg_match result)
 */
function is_utf8($string) {
    $sequences = array(
        '[\x09\x0A\x0D\x20-\x7E]',            // ASCII
        '[\xC2-\xDF][\x80-\xBF]',             // non-overlong 2-byte
        '\xE0[\xA0-\xBF][\x80-\xBF]',         // 3-byte, excluding overlongs
        '[\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}',  // straight 3-byte
        '\xED[\x80-\x9F][\x80-\xBF]',         // 3-byte, excluding surrogates
        '\xF0[\x90-\xBF][\x80-\xBF]{2}',      // planes 1-3
        '[\xF1-\xF3][\x80-\xBF]{3}',          // planes 4-15
        '\xF4[\x80-\x8F][\x80-\xBF]{2}',      // plane 16
    );
    $pattern = '%^(?:' . implode('|', $sequences) . ')*$%s';
    return preg_match($pattern, $string);
}
/**
 * Build a composite id "<module>-<contentid>-<siteid>", URL-encoded.
 * @param $modules module name
 * @param $contentid content id
 * @param $siteid site id
 */
function id_encode($modules, $contentid, $siteid) {
    $parts = array($modules, $contentid, $siteid);
    return urlencode(implode('-', $parts));
}
/**
 * Split a composite id produced by id_encode() on "-".
 * Note: the value is not URL-decoded here, and a "-" inside any component
 * produces extra elements.
 * @param $id composite id
 */
function id_decode($id) {
    $fields = explode('-', $id);
    return $fields;
}
// Demo: build a composite id and split it again.
$id_a1 = id_encode('A', 'aaa', '1');
echo $id_a1, "\n";
print_r(id_decode($id_a1));
echo "\n";
/**
 * Hash a user password with a per-user salt.
 *
 * Returns ['encrypt' => salt, 'password' => md5(md5(trim($password)) . salt)]
 * when no salt is given (a fresh one comes from create_randomstr()), or only
 * the hash string when $encrypt is supplied (used to verify an existing
 * password on change). The scheme is salted double MD5, which is fast to
 * brute-force; it is kept because stored hashes depend on it. New code should
 * use password_hash()/password_verify() and migrate users on their next login.
 *
 * @param string $password
 * @param string $encrypt existing salt; '' generates a new one
 * @return array|string
 */
function password($password, $encrypt = '') {
    $salt = $encrypt ? $encrypt : create_randomstr();
    $hash = md5(md5(trim($password)) . $salt);
    if ($encrypt) {
        return $hash;
    }
    return array('encrypt' => $salt, 'password' => $hash);
}
// Demo output.
echo password('lm123456', 'lm'), "\n";
/**
 * Whether the input contains any disallowed character.
 *
 * Every entry in the original list is a single character (including the
 * space), so a single strpbrk() scan is equivalent to the per-needle loop.
 *
 * @param string $string string to check
 * @return bool true when at least one of \ & space ' " / * , < > CR TAB LF # is present
 */
function is_badword($string) {
    $badchars = "\\& '\"/*,<>\r\t\n#";
    return strpbrk($string, $badchars) !== false;
}
/**
 * Convert the encoding of a string, or of every leaf of a (nested) array.
 * @param array|string $data data to convert
 * @param string $input source encoding
 * @param string $output target encoding
 */
function array_iconv($data, $input = 'gbk', $output = 'utf-8') {
    if (is_array($data)) {
        foreach ($data as $key => $val) {
            $data[$key] = array_iconv($val, $input, $output);
        }
        return $data;
    }
    return iconv($input, $output, $data);
}
/**
 * Generate (or reuse) a thumbnail for an uploaded image.
 * @param $imgurl image URL (under the configured upload_url)
 * @param $width thumbnail width
 * @param $height thumbnail height
 * @param $autocut auto-crop; on by default, and per the original note switched
 *        off when width or height is 0 (that decision lives in the image class, not here)
 * @param $smallpic fallback image (under IMG_PATH) when there is no image
 */
function thumb($imgurl, $width = 100, $height = 100 ,$autocut = 1, $smallpic = 'nopic.gif') {
global $image;
$upload_url = app_base::load_config('system','upload_url');
$upload_path = app_base::load_config('system','upload_path');
if(empty($imgurl)) return IMG_PATH.$smallpic;
// Strip the public URL prefix to get a path relative to the upload directory.
$imgurl_replace= str_replace($upload_url, '', $imgurl);
// Remote URLs are returned untouched. strpos() is used as a truthy value, so
// "://" at offset 0 would not count as remote.
if(!extension_loaded('gd') || strpos($imgurl_replace, '://')) return $imgurl;
// NOTE(review): $imgurl_replace is joined to $upload_path with no traversal
// check; callers are expected to pass stored URLs, not raw request input.
if(!file_exists($upload_path.$imgurl_replace)) return IMG_PATH.$smallpic;
list($width_t, $height_t, $type, $attr) = getimagesize($upload_path.$imgurl_replace);
// No upscaling: an image no larger than the requested box is returned as is.
if($width>=$width_t || $height>=$height_t) return $imgurl;
$newimgurl = dirname($imgurl_replace).'/thumb_'.$width.'_'.$height.'_'.basename($imgurl_replace);
// Reuse a thumbnail generated earlier for the same size.
if(file_exists($upload_path.$newimgurl)) return $upload_url.$newimgurl;
if(!is_object($image)) {
app_base::load_sys_class('image','','0');
$image = new image(1,0);
}
return $image->thumb($upload_path.$imgurl_replace, $upload_path.$newimgurl, $width, $height, '', $autocut) ? $upload_url.$newimgurl : $imgurl;
}
/**
 * Add the site watermark to an image.
 * @param $source source image path
 * @param $target output path; '' (default) overwrites the source
 * @param $siteid site id used to look up the watermark settings
 *
 * A required parameter after an optional one is deprecated since PHP 8.0;
 * the signature is kept unchanged for callers that pass all three arguments.
 */
function watermark($source, $target = '', $siteid) {
    global $image_w;
    // Nothing to do for an empty path, without GD, or for a remote URL.
    if (empty($source) || !extension_loaded('gd') || strpos($source, '://')) {
        return $source;
    }
    $target = $target ?: $source;
    if (!is_object($image_w)) {
        app_base::load_sys_class('image', '', '0');
        $image_w = new image(0, $siteid);
    }
    $image_w->watermark($source, $target);
    return $target;
}
/**
 * Turn an attachment path into an absolute URL for the current site.
 *
 * A path that already contains ":/" (beyond offset 0 — strpos() is used as a
 * truthy value) is returned as-is. Otherwise the site's domain is prepended
 * and the first "//" after the domain is collapsed to "/". If no "//" is
 * found, strpos() returns false, which substr_replace() treats as offset 0 —
 * the same edge behaviour as the original.
 *
 * @param $path attachment path
 */
function atturl($path) {
    if (strpos($path, ':/')) {
        return $path;
    }
    $sitelist = getcache('sitelist', 'commons');
    $site = $sitelist[get_siteid()];
    $domainlen = strlen($site['domain']) - 1;
    $full = $site['domain'] . $path;
    return substr_replace($full, '/', strpos($full, '//', $domainlen), 2);
}
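/**
 * Build an inline style fragment for a title.
 *
 * Both parts are attribute-escaped because the result is written straight
 * into an HTML attribute: a '"' in $style would otherwise close the attribute.
 * Ordinary values (colour names, hex codes, 'bold') are unaffected.
 *
 * @param string $style "color;font-weight" pair, e.g. "#ff0000;bold"; either part may be empty
 * @param int $html 1 (default) wraps the result in ' style="..." '; 0 returns only the declarations
 * @return string
 */
function title_style($style, $html = 1) {
    $parts = explode(';', $style);
    $declarations = '';
    if (!empty($parts[0])) {
        $declarations .= 'color:' . htmlspecialchars($parts[0], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ';';
    }
    if (!empty($parts[1])) {
        $declarations .= 'font-weight:' . htmlspecialchars($parts[1], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ';';
    }
    return $html ? ' style="' . $declarations . '" ' : $declarations;
}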
/**
 * Derive the token that validates an upload request.
 *
 * (The published docblock listed an $operation parameter the function does
 * not take.) The construction is plain MD5 concatenation; a keyed
 * hash_hmac('sha256', ...) would be the standard choice, but changing it
 * invalidates tokens already issued, so it is left as is.
 *
 * @param $args request-specific arguments bound into the token
 * @return string md5 of $args concatenated with a secret derived from the
 *         system auth_key and the request's User-Agent header
 */
function upload_key($args) {
    $userAgent = $_SERVER['HTTP_USER_AGENT'];
    $pc_auth_key = md5(app_base::load_config('system', 'auth_key') . $userAgent);
    return md5($args . $pc_auth_key);
}
/*
 * Captcha class.
 */
session_start();
header('Content-type: image/gif');
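/**
 * Four-character image captcha.
 *
 * The challenge is stored in $_SESSION['check_pic'] when the image is
 * rendered; the verifying request must compare its input against that
 * session value (the image shows upper-case letters and digits).
 */
class SecurityCode
{
    /** @var string the 4-character challenge, generated in the constructor */
    private $codes = '';

    /**
     * Pick 4 distinct characters from 0-9A-Z.
     *
     * The published version used shuffle(), whose generator is seedable and
     * predictable; random_int() draws from the CSPRNG, which is what a
     * challenge value needs. Characters stay distinct, as the shuffled slice
     * produced.
     */
    public function __construct()
    {
        $alphabet = str_split('0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ');
        $picked = '';
        while (strlen($picked) < 4) {
            $char = $alphabet[random_int(0, count($alphabet) - 1)];
            if (strpos($picked, $char) === false) {
                $picked .= $char;
            }
        }
        $this->codes = $picked;
    }

    /**
     * Store the code in the session and emit a 70x25 GIF.
     *
     * The plain background and near-fixed glyph positions make this easy to
     * OCR; treat it as a basic bot speed bump rather than a strong human check.
     */
    public function CreateImg()
    {
        $_SESSION['check_pic'] = $this->codes;
        $img = imagecreate(70, 25);
        imagecolorallocate($img, 222, 222, 222); // first allocation = background
        $colors = array(
            imagecolorallocate($img, 255, 0, 0),
            imagecolorallocate($img, 51, 51, 51),
            imagecolorallocate($img, 0, 0, 255),
            imagecolorallocate($img, 255, 0, 255),
        );
        for ($i = 0; $i < 4; $i++) {
            imagestring($img, random_int(5, 6), 8 + $i * 15, random_int(2, 8), $this->codes[$i], $colors[random_int(0, 3)]);
        }
        imagegif($img);
    }
}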
// Render one captcha image and release the object.
$code = new SecurityCode();
$code->CreateImg();
$code = null;
1、php一些安全配置
(1)关闭php提示错误功能
(2)关闭一些“坏功能”
(3)严格配置文件权限。
2、严格的数据验证,你的用户不全是“好”人
2.1为了确保程序的安全性,健壮性,数据验证应该包括内容。
2.2程序员容易漏掉point或者说需要注意的事项
3、防注入
3.1简单判断是否有注入漏洞以及原理
3.2常见的mysql注入语句
(1)不用用户名和密码
(2)在不输入密码的情况下,利用某用户
(3)猜解某用户密码
(4)插入数据时提权
(5)更新提权和插入提权同理
(6)恶意更新和删除
(7)union、join等
(8)通配符号%、_
(9)还有很多猜测表信息的注入sql
3.3 防注入的一些方法
2.3.1 php可用于防注入的一些函数和注意事项。
2.3.2防注入字符优先级。
2.3.3防注入代码
(1)参数是数字直接用intval()函数
(2)对于非文本参数的过滤
(3)文本数据防注入代码。
(4)当然还有其他与addslashes、mysql_escape_string结合的代码。
4、防止xss攻击
4.1Xss攻击过程
4.2常见xss攻击地方
4.3防XSS方法
5、CSRF
5.1简单说明CSRF原理
5.2防范方法
6、防盗链
7、防拒CC攻击
php一些安全配置
php.ini display_errors = OFF
or
code: error_reporting(0)
在php.ini 把magic_quotes_gpc = OFF
避免和addslashes等重复转义
在php.ini 把register_globals = OFF
确保对 SQL 语句的所有用户输入进行转义。
将 PHP 的内置 mysql_real_escape_string() 函数用作任何用户输入的包装器。这个函数对字符串中的字符进行转义,使字符串不可能传递撇号等特殊字符并让 MySQL 根据特殊字符进行操作。清单 7 展示了带转义处理的代码。(注:mysql_* 扩展已在 PHP 7 中移除,现代代码应使用 PDO 或 mysqli 的预处理语句,或 mysqli_real_escape_string(),来达到同样的目的。)
不安全
$sql = "select count(*) as ctr from users where username='".$username."' and password='". $pw."' limit 1";
安全
$sql = "select count(*) as ctr from users where username='".mysql_real_escape_string($username)."' and password='". mysql_real_escape_string($pw)."' limit 1";
// Detection heuristics (regex bodies without delimiters). Each starts with
// "( \s|\S)*", so a match covers the whole input, and $SQL_Injection fires on
// any "=", "/", "'" or ";" — too broad for input validation; they are only
// suitable as logging/alerting signals. Written in single quotes so each
// backslash appears exactly once.
$Exec_Commond = '( \s|\S)*(exec(\s|\+)+(s|x)p\w+)(\s|\S)*';
$Simple_XSS = '( \s|\S)*((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)(\s|\S)*';
$Eval_XSS = '( \s|\S)*((%65)|e)(\s)*((%76)|v)(\s)*((%61)|a)(\s)*((%6C)|l)(\s|\S)*';
$Image_XSS = '( \s|\S)*((%3C)|<)((%69)|i|I|(%49))((%6D)|m|M|(%4D))((%67)|g|G|(%47))[^\n]+((%3E)|>)(\s|\S)*';
$Script_XSS = '( \s|\S)*((%73)|s)(\s)*((%63)|c)(\s)*((%72)|r)(\s)*((%69)|i)(\s)*((%70)|p)(\s)*((%74)|t)(\s|\S)*';
$SQL_Injection = '( \s|\S)*((%27)|(\')|(%3D)|(=)|(/)|(%2F)|(")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))+(\s|\S)*';