safe_str()人工修复通知 一定要修复
时间:2016-08-01
打开 ./config/functions.php
搜索 safe_str() 及 de_safe_str()
把它们替换成如下:
搜索 safe_str() 及 de_safe_str()
把它们替换成如下:
// PHP: rewrite banned characters before data enters the database (PHP code / function).
//
// Recursively rewrites a string (or every value of an array) before storage:
//  1. wraps each token of a fixed denylist ($array) in an extra pair of hyphens,
//  2. replaces quote, double-hyphen and backslash sequences with substitute text,
//  3. optionally neutralises "<script" / "script>" and, optionally, all HTML.
//
// Parameters:
//   $str             string|array  value to rewrite; arrays are processed per value, keys untouched
//   $replace_script  bool          when true, rename "<script" / "script>" so the tag no longer parses
//   $allow_html      bool          when false, run htmlspecialchars() on the result
// Returns the rewritten string, or an array with the same keys and rewritten values.
//
// NOTE(review): the replacement literals on the quote / "--" / backslash lines below look
// entity-decoded on this page (e.g. `''',$str)` is not valid PHP) — confirm the exact
// replacement strings against the original ./config/functions.php before pasting.
// NOTE(review): this is a keyword-denylist rewrite, not an escaping layer. It does not make
// string-built SQL safe; queries still need prepared statements / bound parameters.
function safe_str($str,$replace_script=true,$allow_html=true){
// Denylist of tokens that get an extra hyphen on each side. They are interpolated into a regex
// unescaped, so the '.' in '-receive.php-' matches any single character.
$array=array('-receive.php-','-select-','-insert-','-update-','-delete-','-union-','-into-','-load_file-','-outfile-','-@SQL-','-0x-');
if(!is_array($str)){
// Case-insensitive (i), ungreedy (U): each denylisted token becomes "-<token>-".
foreach($array as $v){
$str=preg_replace("#({$v})#iU","-\${1}-",$str);
}
//$str=preg_replace("![][xX]([A-Fa-f0-9])!","x \${1}",$str);`
// Substitute quote, double-hyphen and backslash sequences (see NOTE(review) above on the literals).
$str=str_replace("'",''',$str);
$str=str_replace('"','"',$str);
$str=str_replace("--",'--',$str);
$str=str_replace("\-*",'\-*',$str);
$str=str_replace("\\",'\',$str);
if($replace_script){
// Rename the tag so "<script ...>...</script>" is no longer a script element when rendered.
$str = preg_replace("/<script/iUs", "<monxin_script", $str);
$str = preg_replace("/script>/iUs", "monxin_script>", $str);
}
// HTML is allowed by default; only escape when the caller opts out.
if(!$allow_html){$str=htmlspecialchars($str);}
$r=$str;
}else{
$r=array();
// Only values are rewritten; array keys are stored as given (key rewriting was left disabled).
foreach($str as $key=>$value){
//$key=safe_str($key);
$r[$key]=safe_str($value,$replace_script,$allow_html);
}
}
return $r;
}
// PHP: restore banned characters after data leaves the database (PHP code / function).
//
// Counterpart of safe_str(): recursively undoes the hyphen wrapping of the denylist tokens and
// turns the substitute sequences back into quote, double-hyphen and backslash characters.
// It does not undo the "<script" renaming or htmlspecialchars() applied by safe_str().
//
// Parameters:
//   $str  string|array  stored value to restore; arrays are processed per value, keys untouched
// Returns the restored string, or an array with the same keys and restored values.
//
// NOTE(review): as in safe_str(), the first argument of the str_replace() calls below appears
// entity-decoded on this page (e.g. `'\',"\\"` is not valid PHP) — confirm the exact search
// strings against the original ./config/functions.php before pasting.
function de_safe_str($str){
// Same denylist as safe_str(); each "-<token>-" (with the extra hyphens) is unwrapped.
$array=array('-receive.php-','-select-','-insert-','-update-','-delete-','-union-','-into-','-load_file-','-outfile-','-@SQL-','-0x-');
if(!is_array($str)){
foreach($array as $v){
$str=preg_replace("#-({$v})-#i","\${1}",$str);
}
//$str=preg_replace("![][xX]([A-Fa-f0-9])!","x \${1}",$str);
// Map the substitute sequences back to the literal characters (see NOTE(review) above).
$str=str_replace("'","'",$str);
$str=str_replace('"','"',$str);
$str=str_replace('--',"--",$str);
$str=str_replace("\-*",'\-*',$str);
$str=str_replace('\',"\\",$str);
$r=$str;
}else{
$r=array();
// Only values are restored; keys pass through unchanged (key handling was left disabled).
foreach($str as $key=>$value){
//$key=de_safe_str($key);
$r[$key]=de_safe_str($value);
}
}
return $r;
}
