Halaman utama Jelajahi Bantuan
Daftar Masuk
gyfl
/
xyzshop
2
0
Fork 0
Berkas Masalah 0 Tarik Permintaan 0 Wiki
Pohon: a978b4536c
Ranting Tag
xyzshop
/
core
/
framework
/
libraries
/
security.php

security.php 2.9 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * 安全防范
    4. 

  4.  * 进行sql注入过滤,xss过滤和csrf过滤
    5. 

  5.  * 
    6. 

  6.  * 令牌调用方式
    7. 

  7.  * 输出:直接在模板上调用getToken
    8. 

  8.  * 验证:在验证位置调用checkToken
    9. 

  9.  *
    10. 

  10.  * @package    
    11. 

  11.  */
    12. 

  12. defined('InShopNC') or exit('Access Invalid!');
    13. 

  13. 

  14. class Security{
    15. 

  15. 	/**
    16. 

  16. 	 * 取得令牌内容
    17. 

  17. 	 * 自动输出html 隐藏域
    18. 

  18. 	 *
    19. 

  19. 	 * @param 
    20. 

  20. 	 * @return void 字符串形式的返回结果
    21. 

  21. 	 */
    22. 

  22. 	public static function getToken(){
    23. 

  23. 		$token = encrypt(TIMESTAMP,md5(MD5_KEY));
    24. 

  24. 		echo "<input type='hidden' name='formhash' value='". $token ."' />";
    25. 

  25. 	}
    26. 

  26. 	public static function getTokenValue(){
    27. 

  27.         return encrypt(TIMESTAMP,md5(MD5_KEY));
    28. 

  28. 	}
    29. 

  29. 

  30. 	/**
    31. 

  31. 	 * 判断令牌是否正确
    32. 

  32. 	 * 
    33. 

  33. 	 * @param 
    34. 

  34. 	 * @return bool 布尔类型的返回结果
    35. 

  35. 	 */
    36. 

  36. 	public static function checkToken(){
    37. 

  37. 		$data = decrypt($_POST['formhash'],md5(MD5_KEY));
    38. 

  38. 		return $data && (TIMESTAMP - $data < 5400);
    39. 

  39. 	}
    40. 

  40. 

  41. 	/**
    42. 

  42. 	 * 将字符 & " < > 替换
    43. 

  43. 	 *
    44. 

  44. 	 * @param unknown_type $string
    45. 

  45. 	 * @return unknown
    46. 

  46. 	 */
    47. 

  47. 	public static function fliterHtmlSpecialChars($string) {
    48. 

  48. 		$string = preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4})|[a-zA-Z][a-z0-9]{2,5});)/', '&\\1',
    49. 

  49. 				str_replace(array('&', '"', '<', '>'), array('&amp;', '&quot;', '&lt;', '&gt;'), $string));
    50. 

  50. 		return $string;
    51. 

  51. 	}
    52. 

  52. 

  53. 	/**
    54. 

  54. 	 * 参数过滤
    55. 

  55. 	 *
    56. 

  56. 	 * @param array 参数内容
    57. 

  57. 	 * @param array $ignore 被忽略过滤的元素
    58. 

  58. 	 * @return array 数组形式的返回结果
    59. 

  59. 	 * 
    60. 

  60. 	 */
    61. 

  61. 	public static function getAddslashesForInput($array,$ignore=array()){
    62. 

  62.         if (!function_exists('htmlawed')) require(BASE_CORE_PATH.'/framework/function/htmlawed.php');
    63. 

  63. 		if (!empty($array)){
    64. 

  64. 			while (list($k,$v) = each($array)) {
    65. 

  65. 				if (is_string($v)) {
    66. 

  66.                     if (get_magic_quotes_gpc()) {
    67. 

  67.                         $v = stripslashes($v);
    68. 

  68.                     }		
    69. 

  69. 					if($k != 'statistics_code') {
    70. 

  70. 						if (!in_array($k,$ignore)){
    71. 

  71. 							//如果不是编辑器,则转义< > & "
    72. 

  72.                             $v = self::fliterHtmlSpecialChars($v);
    73. 

  73.                         } else {
    74. 

  74.                             $v = htmlawed($v,array('safe'=>1));
    75. 

  75.                         }
    76. 

  76.                         if($k == 'ref_url') {
    77. 

  77.                             $v = str_replace('&amp;','&',$v);
    78. 

  78.                         }
    79. 

  79. 					}
    80. 

  80. 					$array[$k] = addslashes(trim($v));
    81. 

  81. 				} else if (is_array($v))  {
    82. 

  82. 					if($k == 'statistics_code') {
    83. 

  83. 						$array[$k] = $v;
    84. 

  84. 					} else {
    85. 

  85. 						$array[$k] = self::getAddslashesForInput($v);
    86. 

  86. 					}
    87. 

  87. 				}
    88. 

  88. 			}
    89. 

  89. 			return $array;
    90. 

  90. 		}else {
    91. 

  91. 			return false;
    92. 

  92. 		}
    93. 

  93. 	}
    94. 

  94. 	public static function getAddSlashes($array){
    95. 

  95. 		if (!empty($array)){
    96. 

  96. 			while (list($k,$v) = each($array)) {
    97. 

  97. 				if (is_string($v)) {
    98. 

  98. 					if (!get_magic_quotes_gpc()) {
    99. 

  99. 						$v = addslashes($v);
    100. 

  100. 					}
    101. 

  101. 				} else if (is_array($v))  {
    102. 

  102. 					$array[$k] = self::getAddSlashes($v);
    103. 

  103. 				}
    104. 

  104. 			}
    105. 

  105. 			return $array;
    106. 

  106. 		}else {
    107. 

  107. 			return false;
    108. 

  108. 		}
    109. 

  109. 	}
    110. 

  110. }
    111.