PHP伪静态与防注入

PHP伪静态（URL 重写）主要用于美化 URL 并隐藏传递的参数名；需要注意的是，隐藏参数名只是"形式上"的隐藏，不能替代对参数值的校验与输出转义——这些值仍然来自用户可控的 URL。以下是在网上搜索后整理的四种伪静态写法。

代码
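<?php
// Pseudo-static method 1: parameters travel in the query string with custom
// separators ('@' between pairs, '|' between key and value) and are copied
// into $_GET by hand.
//
// Example request: localhost/php100/test.php?id|1@action|2
//
// Review notes:
//  * REQUEST_URI is attacker-controlled. The original echoed it (and print_r()
//    output containing it) straight into HTML, i.e. a reflected XSS; every echo
//    below is HTML-escaped.
//  * Keys come from the URL, so a request can add or overwrite any $_GET entry.
//    Keys are limited to [A-Za-z0-9_]; values remain untrusted strings and must
//    still be validated (intval(), whitelist, ...) before use.
//  * A URI without '?' or a pair without '|' used to raise undefined-index
//    notices; both are now handled.

/**
 * Parse "id|1@action|2" into ['id' => '1', 'action' => '2'].
 *
 * @param string $queryString text after the '?' (without the '?')
 * @return array key => value; pairs without '|' or with a key outside
 *               [A-Za-z0-9_] are skipped
 */
function parsePseudoStaticQuery($queryString)
{
    $params = array();
    if ((string) $queryString === '') {
        return $params;
    }
    foreach (explode('@', $queryString) as $pair) {
        // Split on the first '|' only, so a value may itself contain '|'.
        $kv = explode('|', $pair, 2);
        if (count($kv) !== 2 || !preg_match('/^[A-Za-z0-9_]+$/', $kv[0])) {
            continue;
        }
        $params[$kv[0]] = $kv[1];
    }
    return $params;
}

if (isset($_SERVER['REQUEST_URI'])) {
    $esc = function ($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); };

    $Php2Html_FileUrl = $_SERVER['REQUEST_URI'];
    echo $esc($Php2Html_FileUrl) . "<br>"; // /php100/test.php?id|1@action|2

    // Everything after the last '?', with any '/' removed (as the original did).
    $qpos = strrpos($Php2Html_FileUrl, '?');
    $Php2Html_UrlString = $qpos === false ? '' : str_replace('/', '', substr($Php2Html_FileUrl, $qpos + 1));
    echo $esc($Php2Html_UrlString) . "<br>"; // id|1@action|2

    $Php2Html_UrlQueryStrList = explode('@', $Php2Html_UrlString);
    echo $esc(print_r($Php2Html_UrlQueryStrList, true)); // Array ( [0] => id|1 [1] => action|2 )
    echo "<br>";

    foreach (parsePseudoStaticQuery($Php2Html_UrlString) as $key => $value) {
        echo $esc(print_r(array($key, $value), true)); // Array ( [0] => id [1] => 1 ) ; Array ( [0] => action [1] => 2 )
        echo "<br>";
        $_GET[$key] = $value;
    }

    // PHP itself also parsed "id|1@action|2" as one key with an empty value.
    echo $esc(print_r($_GET, true)); // Array ( [id|1@action|2] => [id] => 1 [action] => 2 )
    echo "<br>";
    echo "<hr>";
    echo $esc(isset($_GET['id']) ? $_GET['id'] : '') . "<br>"; // 1
    echo $esc(isset($_GET['action']) ? $_GET['action'] : '');  // 2
}
?>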

 


代码
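<?php
// Pseudo-static method 2: parameters follow the script name in the path
// (localhost/php100/test.php/1/2 is equivalent to test.php?id=1&action=2);
// a normal query string still works.
//
// Review notes:
//  * ereg_replace() was removed in PHP 7 and the original `echo $nav."<br>"`
//    had no semicolon, so the listing did not run as printed. preg_replace()
//    with preg_quote() replaces it, so '.' in "test.php" stays literal.
//  * REQUEST_URI, SCRIPT_NAME and the parsed segments are attacker- or
//    server-controlled text; every echo is HTML-escaped (the original reflected
//    REQUEST_URI raw, a reflected XSS).
//  * Missing path segments default to 0 instead of raising notices; values are
//    cast with intval() before use, as in the original.

$esc = function ($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); };

$scriptName = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '';
$filename = basename($scriptName);
echo $esc($scriptName) . "<br>"; // /php100/test.php
echo $esc($filename) . "<br>";   // test.php

if (strtolower($filename) === 'test.php') {
    if (!empty($_GET['id'])) {
        // Regular query string: test.php?id=1&action=2
        $id = intval($_GET['id']);
        echo $id . "<br>";
        $action = intval(isset($_GET['action']) ? $_GET['action'] : 0);
        echo $action . "<br>";
    } else {
        $nav = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
        echo "1:" . $esc($nav) . "<br>"; // /php100/test.php/1/2
        $script = $scriptName;
        echo "2:" . $esc($script) . "<br>"; // /php100/test.php
        // Remove the script-name prefix, leaving "/1/2".
        $nav = preg_replace('/^' . preg_quote($script, '/') . '/', '', urldecode($nav));
        echo $esc($nav) . "<br>"; // /1/2
        $vars = explode('/', $nav);
        echo $esc(print_r($vars, true)); // Array ( [0] => [1] => 1 [2] => 2 )
        echo "<br>";
        $id = intval(isset($vars[1]) ? $vars[1] : 0);
        $action = intval(isset($vars[2]) ? $vars[2] : 0);
    }
    echo $id . '&' . $action;
}
?>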

 


代码
<? php
// 伪静态方法三


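/**
 * Pseudo-static method 3: read key/value pairs from the path after the script
 * name, e.g. /php100/test.php/year/2006/action/_add.html yields
 * $_GET['year'] = '2006' and $_GET['action'] = '_add'.
 *
 * Both parameters default to the live request, so the original zero-argument
 * call `mod_rewrite()` keeps working; passing them explicitly makes the
 * function usable outside a web server.
 *
 * @param string|null $uri        request URI (default $_SERVER['REQUEST_URI'])
 * @param string|null $scriptName script path (default $_SERVER['SCRIPT_NAME'])
 * @return array the (modified) $_GET superglobal
 *
 * Review notes:
 *  * ereg_replace() was removed in PHP 7; preg_replace() with preg_quote()
 *    keeps metacharacters in the script name literal.
 *  * The original suffix pattern "/^.ht(m){1}(l){0,1}$/" was anchored at the
 *    START of the string, so it never removed a trailing ".html": "action"
 *    came back as "_add.html", not "_add" as the comments promised. It now
 *    strips a trailing ".htm"/".html".
 *  * Keys come from the URL and land in $_GET, so they can shadow real query
 *    parameters; keys are limited to [A-Za-z0-9_] and an incomplete trailing
 *    pair is skipped instead of producing an undefined-offset notice. Values
 *    remain untrusted strings.
 *  * Echoed values are HTML-escaped (the original reflected REQUEST_URI raw).
 *  * `global $_GET` was dropped: $_GET is a superglobal.
 */
function mod_rewrite($uri = null, $scriptName = null)
{
    $esc = function ($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); };

    $nav = $uri !== null ? $uri : (isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '');
    echo $esc($nav) . "<br>";
    $script_name = $scriptName !== null ? $scriptName : (isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '');
    echo $esc($script_name) . "<br>";

    // Drop the script-name prefix and the leading '/'.
    $nav = preg_replace('/^' . preg_quote($script_name, '/') . '/', '', urldecode($nav));
    $nav = ltrim((string) $nav, '/');
    echo $esc($nav) . "<br>";

    // Strip a trailing .html or .htm
    $nav = preg_replace('/\.html?$/', '', $nav);
    echo $esc($nav) . "<br>";

    $vars = explode('/', $nav);
    echo $esc(print_r($vars, true));
    echo "<br>";

    // Segments alternate key, value, key, value, ...
    for ($i = 0, $n = count($vars); $i + 1 < $n; $i += 2) {
        if (preg_match('/^[A-Za-z0-9_]+$/', $vars[$i])) {
            $_GET[$vars[$i]] = $vars[$i + 1];
        }
    }
    return $_GET;
}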
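mod_rewrite();
// The values come from the URL path, so HTML-escape them before echoing (the
// original reflected them raw) and tolerate their absence.
$esc = function ($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); };
$year = isset($_GET['year']) ? $_GET['year'] : null;     // '2006' in the listing's example
echo $esc($year) . "<br>";
$action = isset($_GET['action']) ? $_GET['action'] : null; // '_add' in the listing's example
echo $esc($action);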
?>

 


代码
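<?php
// Pseudo-static method 4: read the parameters from PATH_INFO, the part of the
// URL after the script name. For /1,100,8630.html this yields gid=1, sid=100,
// softid=8630 (equivalent to soft.php?gid=1&sid=100&softid=8630).
//
// Review notes:
//  * The original used `@` to silence the undefined-index warning; the absence
//    of PATH_INFO is now tested explicitly instead.
//  * The pattern is anchored (^ ... $) so trailing or leading junk such as
//    /1,100,8630.html/anything is rejected rather than accepted.
//  * All three captures are digit-only and cast with intval(), so they are
//    safe to use as integers; very long digit runs saturate to PHP_INT_MAX.
//  * The die() messages are unchanged.

$path_info = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
if ($path_info === '') {
    die('Path:Nothing!');
}

if (!preg_match('/^\/(\d+),(\d+),(\d+)\.html$/i', $path_info, $arr_path)) {
    die("Path:Error!");
}

$gid    = intval($arr_path[1]); // 1
$sid    = intval($arr_path[2]); // 100
$softid = intval($arr_path[3]); // 8630
?>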

 


代码
PHP防注入，主要是为了防止恶意构造的输入被拼接进 SQL 语句，从而读取或篡改后台数据库；需要强调的是，下面这种关键字黑名单只能作为粗略的辅助手段（很容易被绕过，也会误伤含有 select、单引号等的正常输入），根本措施是使用预处理语句（参数化查询）而不是字符串拼接。
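// Blacklist-style input filter.
//
// Review note: a keyword blacklist is NOT a reliable defence against SQL
// injection. It is trivially bypassed (inline comments, encodings, keywords
// not on the list, case/whitespace tricks) and it rejects legitimate input
// such as the word "select", an apostrophe in a name, or "2*3". The robust
// fix is to never build SQL from strings: use prepared statements with bound
// parameters (PDO / mysqli) and escape output per context. Keep this at most
// as a coarse early-reject heuristic, never as the sole control.
//
// eregi() was removed in PHP 7.0; preg_match() with the /i flag is the
// case-insensitive drop-in replacement.

/**
 * Reject the request outright if $sql_str contains a blacklisted token.
 *
 * @param mixed $sql_str untrusted input (typically a $_GET/$_POST value)
 * @return mixed $sql_str unchanged when no token matched
 *
 * Side effect: on a match prints "输入非法内容" and calls exit(), exactly as
 * the original did; callers never see a return value in that case.
 */
function inject_check($sql_str)
{
    // Same token list as the original eregi() pattern (single quotes keep the
    // backslashes, so \/\* is the literal "/*" and \.\.\/ is "../").
    $pattern = '/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i';
    if (preg_match($pattern, (string) $sql_str) === 1) {
        echo "输入非法内容";
        exit();
    }
    return $sql_str;
}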
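// Filter the received parameter before use. The key must be quoted: a bare
// `type` is an undefined constant and a fatal Error on PHP 8. When the
// parameter is absent there is nothing to check, so it is left unset.
if (isset($_GET['type'])) {
    $_GET['type'] = inject_check($_GET['type']);
}
// Use the filtered value afterwards — and still bind it as a parameter in
// any SQL statement; this filter alone does not make it safe.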

 
