کد:
/*
Copyright (c) 2005, Matt Smith
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the distri-
bution.
3. Neither the copyright holders nor the contributors names may be
used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
/*
safedata.class.php -- version 1.0
A class that effectively disables both register_globals and magic_quotes.
It includes wrapper functions for MySQL / MySQLi's escape string
functions and for htmlentities / htmlspecialchars that allow you to use
both strings and arrays.
It can also help with HTML forms, so you can ensure that the submitted
form values are of the correct type (int, float, string, array).
License:
Berkeley Software Distribution (revised; 3-clause)
Requirements:
PHP 4 >= 4.1.0, PHP 5
Changes:
v1.0 (October 17, 2005)
- cleaned things up a bit.
- added: safedata::__init() - as part of the clean-up,
safedata::mysqli_escape_string(), safedata::is_string()
- updated: safedata::gettype(), safedata::htmlentities_array(),
safedata::htmlspecialchars_array()
- fixed: safedata::is_float() - should now be compatible
with PHP 4 >= 4.1.0 and PHP 4 < 4.2.0
- renamed: safedata::fix_register_globals() => safedata::__disable_register_globals() - internal
safedata::fix_magic_quotes() => safedata::__disable_magic_quotes() - internal
safedata::_current_version() => safedata::__version()
safedata::_release_date() => safedata::__release()
safedata::htmlentities_array() => safedata::htmlentities()
safedata::htmlspecialchars_array() => safedata::htmlspecialchars()
- legacy: safedata::htmlentities_array(), safedata::htmlspecialchars_array()
v0.3 (April 14, 2005)
- added: safedata::is_int(), safedata::is_float(), safedata::gettype(),
safedata::_current_version(), safedata::_release_date()
v0.2 (April 7, 2005)
- safedata::mysql_escape_string() has a new argument, MySQL link_id.
- added: safedata::htmlentities_array(), safedata::htmlspecialchars_array()
v0.1 (April 3, 2005)
- initial release
Class Functions:
Internal Functions
- safedata::__init()
This is called at the end of this file, just outside of the class,
and sets up a couple things that safedata will use. This function
also calls __disable_register_globals() and __disable_magic_quotes()
for you.
- safedata::__version()
Returns a string of the current version of safedata.
- safedata::__release(optional date_format)
Returns a string of the release date of safedata.
The default date_format is 'F d, Y' -- January 1, 2001
SQL-Safe Functions
- safedata::mysql_escape_string (string/array, optional link_identifier)
When used with PHP 4 >= 4.3.0, and PHP 5, mysql_real_escape_string()
will be used, otherwise, mysql_escape_string().
It can take both strings and arrays containing strings.
- safedata::mysqli_escape_string (string/array, reference mysqli)
An object-oriented mysqli_real_escape_string() wrapper for
both strings and arrays that contain strings.
HTML-Safe Functions
- safedata::htmlentities (string/array, optional quote_style, optional charset)
- safedata::htmlspecialchars (string/array, optional quote_style, optional charset)
A wrapper for htmlentities() and htmlspecialchars() that takes
both strings and arrays containing strings.
- [LEGACY] safedata::htmlentities_array
alias of safedata::htmlentities()
- [LEGACY] safedata::htmlspecialchars_array
alias of safedata::htmlspecialchars()
Form Validation Functions
- safedata::is_int (form_variable)
Tests if the form variable is a valid integer.
- safedata::is_float (form_variable)
Tests if the form variable is a valid float.
- safedata::is_string (form_variable)
Tests if the form variable is a valid string.
- safedata::gettype (form_variable)
Returns the form variable's type.
('int', 'float', 'string', 'array', 'unknown')
How to use:
To automatically disable register_globals and magic_quotes, and enable the
use of safedata's helpful functions, simply include this class file at the
top of your script. For example:
require_once('safedata.class.php');
Then, you can use the methods of this class either statically:
$_POST = safedata::mysqli_escape_string ($_POST, &$mysqli);
or through an instantiated object:
$safedata = new safedata();
$_POST = $safedata->mysqli_escape_string ($_POST, &$mysqli);
Credits:
Created by Matt Smith and released under the BSD (3-clause) license --
this class is based on:
- The articles at the PHP Security Consortium
http://phpsec.org
- This ONLamp.com article, entitled "PHP Form Handling"
http://www.onlamp.com/pub/a/php/2004/08/26/PHPformhandling.html
- This NYPHP article
http://education.nyphp.org/phundamentals/PH_storingretrieving.php
- and PHP function comments at
http://php.net
*/
class safedata
{
// Private/Internal Functions
function __init ()
{
safedata::__disable_register_globals ();
safedata::__disable_magic_quotes ();
$phpversion = phpversion ();
$GLOBALS['__safedata__']['php4'] = version_compare ($phpversion, "5.0.0", "lt");
$GLOBALS['__safedata__']['php420'] = version_compare ($phpversion, "4.2.0", "ge");
$GLOBALS['__safedata__']['php430'] = version_compare ($phpversion, "4.3.0", "lt");
$GLOBALS['__safedata__']['version'] = '1.0';
$GLOBALS['__safedata__']['release'] = array ('month' => 10, 'day' => 17, 'year' => 2005);
}
// This gives the current version of the safedata class.
function __version ()
{
return $GLOBALS['__safedata__']['version'];
}
// This gives the release date of this version.
function __release ($datefmt = 'F d, Y')
{
extract ($GLOBALS['__safedata__']['release']);
return date ($datefmt, mktime (0, 0, 0, $month, $day, $year) );
}
// A function to fix register_globals
function __disable_register_globals ()
{
if ( ini_get ('register_globals') )
{
foreach ( array ('_ENV', '_REQUEST', '_GET', '_POST', '_COOKIE', '_SERVER') as $globalkey )
foreach ( $GLOBALS[$globalkey] as $sub_globalkey => $sub_globalval )
if ( isset ($GLOBALS[$sub_globalkey]) )
{
if ( $GLOBALS['__safedata__']['php4'] ) // PHP 4
$unset_line = "if ( !is_a (\$GLOBALS[\$sub_globalkey], 'safedata') ) { unset (\$GLOBALS[\$sub_globalkey]); }";
else // PHP 5
$unset_line = "if ( !(\$GLOBALS[\$sub_globalkey] instanceof safedata) ) { unset (\$GLOBALS[\$sub_globalkey]); }";
eval ($unset_line);
}
ini_set ('register_globals', 0);
}
}
// NYPHP's fix_magic_quotes function
// http://education.nyphp.org/phundamentals/PH_storingretrieving.php
function __disable_magic_quotes ($var = NULL, $sybase = NULL)
{
// if sybase style quoting isn't specified, use ini setting
if ( !isset ($sybase) )
{
$sybase = ini_get ('magic_quotes_sybase');
}
// if no var is specified, fix all affected superglobals
if ( !isset ($var) )
{
// if magic quotes is enabled
if ( get_magic_quotes_gpc () )
{
// workaround because magic_quotes does not change $_SERVER['argv']
$argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL;
// fix all affected arrays
foreach ( array ('_ENV', '_REQUEST', '_GET', '_POST', '_COOKIE', '_SERVER') as $var )
{
$GLOBALS[$var] = safedata::__disable_magic_quotes ($GLOBALS[$var], $sybase);
}
$_SERVER['argv'] = $argv;
// turn off magic quotes, this is so scripts which
// are sensitive to the setting will work correctly
ini_set ('magic_quotes_gpc', 0);
}
// disable magic_quotes_sybase
if ( $sybase )
{
ini_set ('magic_quotes_sybase', 0);
}
// disable magic_quotes_runtime
set_magic_quotes_runtime (0);
return TRUE;
}
// if var is an array, fix each element
if ( is_array ($var) )
{
foreach ( $var as $key => $val )
{
$var[$key] = safedata::__disable_magic_quotes ($val, $sybase);
}
return $var;
}
// if var is a string, strip slashes
if ( is_string ($var) )
{
return $sybase ? str_replace ('\'\'', '\'', $var) : stripslashes ($var);
}
// otherwise ignore
return $var;
}
// SQL-Safe Functions
// A mysql_[real_]escape_string() wrapper for both strings and arrays.
function mysql_escape_string ($var, $link_id = NULL)
{
if ( is_array ($var) )
{
foreach ($var as $key => $val)
$var[$key] = safedata::mysql_escape_string ($val, $link_id);
}
else
{
if ( !is_numeric ($var) )
{
if ( $GLOBALS['__safedata__']['php430'] )
return mysql_escape_string ($var);
else
return isset ($link_id) ? mysql_real_escape_string ($var, $link_id) : mysql_real_escape_string ($var);
}
}
return $var;
}
// An object-oriented mysqli_real_escape_string() wrapper for
// both strings and arrays.
function mysqli_escape_string ($var, $mysqli)
{
if ( is_array ($var) )
{
foreach ($var as $key => $val)
$var[$key] = safedata::mysqli_escape_string ($val, $mysqli);
}
else
{
if ( !is_numeric ($var) )
return $mysqli->real_escape_string ($var);
}
return $var;
}
// HTML-Safe Functions
// An htmlentities() wrapper for both strings and arrays.
function htmlentities ($var, $quote_style = ENT_COMPAT, $charset = 'ISO-8859-1')
{
if ( is_array ($var) )
{
foreach ($var as $key => $val)
$var[$key] = safedata::htmlentities ($val, $quote_style, $charset);
}
else
{
if ( !is_numeric ($var) )
return htmlentities ($var, $quote_style, $charset);
}
return $var;
}
// Legacy
function htmlentities_array ($var, $quote_style = ENT_COMPAT, $charset = 'ISO-8859-1')
{
return safedata::htmlentities ($var, $quote_style, $charset);
}
// An htmlspecialchars() wrapper for both strings and arrays.
function htmlspecialchars ($var, $quote_style = ENT_COMPAT, $charset = 'ISO-8859-1')
{
if ( is_array ($var) )
{
foreach ($var as $key => $val)
$var[$key] = safedata::htmlspecialchars ($val, $quote_style, $charset);
}
else
{
if ( !is_numeric ($var) )
return htmlspecialchars ($var, $quote_style, $charset);
}
return $var;
}
// Legacy
function htmlspecialchars_array ($var, $quote_style = ENT_COMPAT, $charset = 'ISO-8859-1')
{
return safedata::htmlspecialchars ($var, $quote_style, $charset);
}
// Form Validation Functions
// Tests for integer.
function is_int ($var)
{
if ( is_array ($var) || is_object ($var) )
return false;
return ( $var == strval (intval ($var) ) ) ? true : false;
}
// Tests for float.
function is_float ($var)
{
if ( is_array ($var) || is_object ($var) )
return false;
if ( $GLOBALS['__safedata__']['php420'] )
return ( $var == strval (floatval ($var) ) ) ? true : false;
else
return ( $var == strval (doubleval ($var) ) ) ? true : false;
}
// Tests for string.
function is_string ($var)
{
if ( is_array ($var) || is_object ($var) )
return false;
return ( $var == strval ($var) ) ? true : false;
}
// Tests for variable type and returns it's type:
// 'int', 'float, 'string', 'array', or 'unknown'
function gettype ($var)
{
if ( safedata::is_int ($var) )
return 'int';
elseif ( safedata::is_float ($var) )
return 'float';
elseif ( safedata::is_string ($var) )
return 'string';
elseif ( is_array ($var) )
return 'array';
else
return 'unknown';
}
}
// Initialize safedata
safedata::__init ();
نمي كنيد
پاسخ با نقل قول
