PageRenderTime 44ms CodeModel.GetById 20ms RepoModel.GetById 1ms app.codeStats 0ms

/libs/system/Filter.php

https://github.com/monkeycraps/swoole_framework
PHP | 228 lines | 165 code | 8 blank | 55 comment | 23 complexity | 0f4fa270c903cf6be0dd3d5d02cf635f MD5 | raw file
    

  1. <?php

    2. 

  2. namespace Swoole;

    3. 

  3. /**

    4. 

  4.  * 过滤类

    5. 

  5.  * 用于过滤过外部输入的数据,过滤数组或者变量中的不安全字符,以及HTML标签

    6. 

  6.  * @author Tianfeng.Han

    7. 

  7.  * @package SwooleSystem

    8. 

  8.  * @subpackage request_filter

    9. 

  9.  */

    10. 

  10. class Filter

    11. 

  11. {

    12. 

  12.     static $error_url;

    13. 

  13.     static $magic_quotes_gpc;

    14. 

  14.     public $mode;

    15. 

  15. 

    16. 

  16.     function __construct($mode='deny',$error_url=false)

    17. 

  17.     {

    18. 

  18.         $this->mode = $mode;

    19. 

  19.         self::$error_url = $error_url;

    20. 

  20.     }

    21. 

  21.     function post($param)

    22. 

  22.     {

    23. 

  23.         $this->_check($_POST,$param);

    24. 

  24.     }

    25. 

  25.     function get($param)

    26. 

  26.     {

    27. 

  27.         $this->_check($_GET,$param);

    28. 

  28.     }

    29. 

  29.     function cookie($param)

    30. 

  30.     {

    31. 

  31.         $this->_check($_COOKIE,$param);

    32. 

  32.     }

    33. 

  33.     /**

    34. 

  34.      * 根据提供的参数对数据进行检查

    35. 

  35.      * @param $data

    36. 

  36.      * @param $param

    37. 

  37.      * @return unknown_type

    38. 

  38.      */

    39. 

  39.     function _check(&$data,$param)

    40. 

  40.     {

    41. 

  41.         foreach($param as $k=>$p)

    42. 

  42.         {

    43. 

  43.             if(!isset($data[$k]))

    44. 

  44.             {

    45. 

  45.                 if(isset($p['require']) and $p['require']) self::raise('param require');

    46. 

  46.                 else continue;

    47. 

  47.             }

    48. 

  48. 

    49. 

  49.             if(isset($p['type']))

    50. 

  50.             {

    51. 

  51.                 $data[$k] = Validate::$p['type']($data[$k]);

    52. 

  52.                 if($data[$k]===false) self::raise();

    53. 

  53. 

    54. 

  54.                 //最小值参数

    55. 

  55.                 if(isset($p['min']) and is_numeric($data[$k]) and $data[$k]<$p['min']) self::raise('num too small');

    56. 

  56.                 //最大值参数

    57. 

  57.                 if(isset($p['max']) and is_numeric($data[$k]) and $data[$k]>$p['max']) self::raise('num too big');

    58. 

  58. 

    59. 

  59.                 //最小值参数

    60. 

  60.                 if(isset($p['short']) and is_string($data[$k]) and mb_strlen($data[$k])<$p['short']) self::raise('string too short');

    61. 

  61.                 //最大值参数

    62. 

  62.                 if(isset($p['long']) and is_string($data[$k]) and mb_strlen($data[$k])>$p['long']) self::raise('string too long');

    63. 

  63. 

    64. 

  64.                 //自定义的正则表达式

    65. 

  65.                 if($p['type']=='regx' and isset($p['regx']) and preg_match($p['regx'],$data[$k])===false) self::raise();

    66. 

  66.             }

    67. 

  67.         }

    68. 

  68.         //如果为拒绝模式,所有不在过滤参数$param中的键值都将被删除

    69. 

  69.         if($this->mode=='deny')

    70. 

  70.         {

    71. 

  71.             $allow = array_keys($param);

    72. 

  72.             $have = array_keys($data);

    73. 

  73.             foreach($have as $ha) if(!in_array($ha,$allow)) unset($data[$ha]);

    74. 

  74.         }

    75. 

  75.     }

    76. 

  76.     static function raise($text=false)

    77. 

  77.     {

    78. 

  78.         if(self::$error_url) Swoole_client::redirect(self::$error_url);

    79. 

  79.         if($text) exit($text);

    80. 

  80.         else exit('Web input param error!');

    81. 

  81.     }

    82. 

  82.     /**

    83. 

  83.      * 过滤$_GET $_POST $_REQUEST $_COOKIE

    84. 

  84.      * @return unknown_type

    85. 

  85.      */

    86. 

  86.     static function request()

    87. 

  87.     {

    88. 

  88.         $_POST = Filter::filter_array($_POST);

    89. 

  89.         $_GET = Filter::filter_array($_GET);

    90. 

  90.         $_REQUEST = Filter::filter_array($_REQUEST);

    91. 

  91.         $_COOKIE = Filter::filter_array($_COOKIE);

    92. 

  92.     }

    93. 

  93.     static function safe(&$content)

    94. 

  94.     {

    95. 

  95.         $content = stripslashes($content);

    96. 

  96.         $content = html_entity_decode($content, ENT_QUOTES, \Swoole::$charset);

    97. 

  97.     }

    98. 

  98.     public static function filter_var($var,$type)

    99. 

  99.     {

    100. 

  100.         switch($type)

    101. 

  101.         {

    102. 

  102.             case 'int':

    103. 

  103.                 return intval($var);

    104. 

  104.             case 'string':

    105. 

  105.                 return htmlspecialchars(strval($var),ENT_QUOTES);

    106. 

  106.             case 'float':

    107. 

  107.                 return floatval($var);

    108. 

  108.             default:

    109. 

  109.                 return false;

    110. 

  110.         }

    111. 

  111.     }

    112. 

  112.     /**

    113. 

  113.      * 过滤数组

    114. 

  114.      * @param $array

    115. 

  115.      * @return unknown_type

    116. 

  116.      */

    117. 

  117.     public static function filter_array($array)

    118. 

  118.     {

    119. 

  119.         if(!is_array($array))

    120. 

  120.         {

    121. 

  121.             return false;

    122. 

  122.         }

    123. 

  123.         $clean = array();

    124. 

  124.         foreach($array as $key=>$string)

    125. 

  125.         {

    126. 

  126.             if(is_array($string))

    127. 

  127.             {

    128. 

  128.                 self::filter_array($string);

    129. 

  129.             }

    130. 

  130.             else

    131. 

  131.             {

    132. 

  132.                 if(self::$magic_quotes_gpc and DBCHARSET=='gbk')

    133. 

  133.                 {

    134. 

  134.                     $string = stripslashes($string);

    135. 

  135.                 }

    136. 

  136.                 else

    137. 

  137.                 {

    138. 

  138.                     $string = self::escape($string);

    139. 

  139.                     $key = self::escape($key);

    140. 

  140.                 }

    141. 

  141.             }

    142. 

  142.             $clean[$key] = $string;

    143. 

  143.         }

    144. 

  144.         return $clean;

    145. 

  145.     }

    146. 

  146.     /**

    147. 

  147.      * 使输入的代码安全

    148. 

  148.      * @param $string

    149. 

  149.      * @return unknown_type

    150. 

  150.      */

    151. 

  151.     public static function escape($string)

    152. 

  152.     {

    153. 

  153.         if(is_numeric($string)) return $string;

    154. 

  154.         $string = htmlspecialchars($string,ENT_QUOTES,\Swoole::$charset);

    155. 

  155. 

    156. 

  156.         if(\Swoole::$charset=='gbk') self::gbk_addslash($string);

    157. 

  157.         else self::addslash($string);

    158. 

  158.         return $string;

    159. 

  159.     }

    160. 

  160.     /**

    161. 

  161.      * 移除HTML中的危险代码,如iframe和script

    162. 

  162.      * @param $val

    163. 

  163.      * @return unknown_type

    164. 

  164.      */

    165. 

  165.     public static function remove_xss($content,$allow='')

    166. 

  166.     {

    167. 

  167.         $danger = 'javascript,vbscript,expression,applet,meta,xml,blink,link,style,script,embed,object,iframe,frame,frameset,ilayer,layer,bgsound,title,base';

    168. 

  168.         $event = 'onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|'.

    169. 

  169.         'onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|'.

    170. 

  170.         'oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|'.

    171. 

  171.         'ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|'.

    172. 

  172.         'onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|'.

    173. 

  173.         'onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|'.

    174. 

  174.         'onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload';

    175. 

  175. 

    176. 

  176.         if(!empty($allow))

    177. 

  177.         {

    178. 

  178.             $allows = explode(',',$allow);

    179. 

  179.             $danger = str_replace($allow,'',$danger);

    180. 

  180.         }

    181. 

  181.         $danger = str_replace(',','|',$danger);

    182. 

  182.         //替换所有危险标签

    183. 

  183.         $content = preg_replace("/<\s*($danger)[^>]*>[^<]*(<\s*\/\s*\\1\s*>)?/is",'',$content);

    184. 

  184.         //替换所有危险的JS事件

    185. 

  185.         $content = preg_replace("/<([^>]*)($event)\s*\=([^>]*)>/is","<\\1 \\3>",$content);

    186. 

  186.         return $content;

    187. 

  187.     }

    188. 

  188.     /**

    189. 

  189.      * 过滤危险字符

    190. 

  190.      * @param $string

    191. 

  191.      * @return unknown_type

    192. 

  192.      */

    193. 

  193.     public static function addslash(&$string)

    194. 

  194.     {

    195. 

  195.         $string = addslashes($string);

    196. 

  196.     }

    197. 

  197.     /**

    198. 

  198.      * 过滤危险字符,解决GBK漏洞

    199. 

  199.      * @param $string

    200. 

  200.      * @return unknown_type

    201. 

  201.      */

    202. 

  202.     public static function gbk_addslash(&$string)

    203. 

  203.     {

    204. 

  204.         while(true)

    205. 

  205.         {

    206. 

  206.             $i = mb_strpos($text, chr(92),0,"GBK");

    207. 

  207.             if ($i === false) break;

    208. 

  208.             $T = mb_substr($text, 0, $i, "GBK") . chr(92) . chr(92);

    209. 

  209.             $text = substr($text, strlen($T) - 1);

    210. 

  210.             $OK .= $T;

    211. 

  211.         }

    212. 

  212.         $text = $OK . $text;

    213. 

  213.         $text = str_replace(chr(39), chr(92) . chr(39), $text);

    214. 

  214.         $text = str_replace(chr(34), chr(92) . chr(34), $text);

    215. 

  215.         $string = $text;

    216. 

  216.     }

    217. 

  217.     /**

    218. 

  218.      * 移除反斜杠过滤

    219. 

  219.      * @param $string

    220. 

  220.      * @return unknown_type

    221. 

  221.      */

    222. 

  222.     public static function deslash(&$string)

    223. 

  223.     {

    224. 

  224.         $string = stripslashes($string);

    225. 

  225.     }

    226. 

  226. }

    227. 

  227. 

    228. 

  228. Filter::$magic_quotes_gpc = get_magic_quotes_gpc();
    229.