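function anti_injection($user, $pass, $ip)
{
    // Denylist-based filter for login credentials.
    //
    // This is NOT a substitute for parameterized queries and must not be the only
    // control in front of SQL: str_replace() makes a single pass over $banlist,
    // the preg_match() checks only require that at least one alphanumeric
    // character be present (they do not reject other characters), and the
    // password is lowercased before it is returned. Bind the returned values as
    // query parameters; treat them as untrusted.
    //
    // Returns array('user' => ..., 'pass' => ...) with the lowercased, stripped
    // values, or null when either value has no alphanumeric character or is
    // empty after stripping. $ip is accepted for signature compatibility but is
    // not used here.
    $banlist = array("'", "--", "select", "union", "insert", "update", "like", "delete", "distinct", "having", "truncate", "replace", "handler", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc", "1=1", "or", "#", "//", "' or '1'='1'", "'1'='1'");

    // strtolower() before the replacement so the (case-sensitive) banlist
    // matches any casing; str_ireplace() was avoided for PHP4 compatibility.
    if (preg_match("/[a-zA-Z0-9]+/i", $user)) {
        $user = trim(str_replace($banlist, '', strtolower($user)));
    } else {
        $user = null;
    }

    if (preg_match("/[a-zA-Z0-9]+/i", $pass)) {
        $pass = trim(str_replace($banlist, '', strtolower($pass)));
    } else {
        $pass = null;
    }

    $credentials = array('user' => $user, 'pass' => $pass);

    // Loose in_array() is deliberate: '' == null, so a value that was emptied
    // by the stripping is rejected together with the explicitly-null ones.
    if (in_array(null, $credentials)) {
        return null;
    }
    return $credentials;
}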
public function validacompra($attribute, $params)
{
    // Yii validation rule for numdocref: the referenced purchase order (Ocompra,
    // looked up by numcot) must exist, and its codestado must not be one of the
    // states named by ESTADO_OC_CREADA, ESTADO_OC_PREVIO, ESTADO_OC_MODIFICADA
    // or ESTADO_OC_ANULADA. Errors are attached to the numdocref attribute.
    $numcot = trim($this->numdocref);
    $ordenes = Ocompra::model()->findAll("numcot=:voi", array(":voi" => $numcot));

    if (count($ordenes) === 0) {
        $this->adderror('numdocref', 'Esta orden de compra no existe');
        return;
    }

    // Only the first matching order is inspected.
    $estadosRechazados = array(ESTADO_OC_CREADA, ESTADO_OC_PREVIO, ESTADO_OC_MODIFICADA, ESTADO_OC_ANULADA);
    if (in_array($ordenes[0]->codestado, $estadosRechazados)) {
        $this->adderror('numdocref', 'La Orden de Compra no tiene el status adecuado ');
    }
}
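function anti_injection($user, $pass, $ip)
{
    // Denylist-based filter for login credentials.
    //
    // This is NOT a substitute for parameterized queries and must not be the only
    // control in front of SQL: str_replace() makes a single pass over $banlist,
    // the preg_match() checks only require that at least one alphanumeric
    // character be present (they do not reject other characters), and the
    // password is lowercased before it is returned. Bind the returned values as
    // query parameters; treat them as untrusted.
    //
    // Returns array('user' => ..., 'pass' => ...) with the lowercased, stripped
    // values, or null when either value has no alphanumeric character or is
    // empty after stripping. The original carried a commented-out block that
    // recorded $ip in TB_IPBLOCK via $db and rendered a warning page on
    // rejection; that path is disabled, so $ip is unused and the rejection is
    // silent (null return) for the caller to handle.
    $banlist = array("'", "--", "select", "union", "insert", "update", "like", "delete", "distinct", "having", "truncate", "replace", "handler", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc", "1=1", "or", "#", "//", "' or '1'='1'", "'1'='1'");

    // strtolower() before the replacement so the (case-sensitive) banlist
    // matches any casing; str_ireplace() was avoided for PHP4 compatibility.
    if (preg_match("/[a-zA-Z0-9]+/i", $user)) {
        $user = trim(str_replace($banlist, '', strtolower($user)));
    } else {
        $user = null;
    }

    if (preg_match("/[a-zA-Z0-9]+/i", $pass)) {
        $pass = trim(str_replace($banlist, '', strtolower($pass)));
    } else {
        $pass = null;
    }

    $credentials = array('user' => $user, 'pass' => $pass);

    // Loose in_array() is deliberate: '' == null, so a value that was emptied
    // by the stripping is rejected together with the explicitly-null ones.
    if (in_array(null, $credentials)) {
        return null;
    }
    return $credentials;
}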
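public function get_htmltag_outerText(&$html, $htmltag)
{
    // Collects the outer text of every <$htmltag ...>...</$htmltag> occurrence
    // in $html, consuming $html as it goes: on return $html holds only the text
    // after the last extracted tag (unchanged when nothing matched; on an
    // unterminated tag it keeps the remainder that still contains it).
    //
    // Limitations of this plain-string scanner, kept from the original:
    //  - the opening marker is the prefix '<' . $htmltag, so asking for 'b'
    //    also starts a match at '<br' or '<body';
    //  - 'img' and 'br' are treated as self-closing and must end in a literal
    //    '/>'; a bare '<br>' is not terminated correctly;
    //  - nesting is not tracked: the first closing marker ends the match.
    //
    // Returns a list of strings; an empty array when nothing matched (the
    // original left the result variable undefined in that case). Scanning
    // stops at the first tag with no closing marker instead of emitting a
    // bogus fragment.
    $from = '<' . $htmltag;
    $selfClosing = array('img', 'br'); // self-closing tags end with '/>' rather than '</tag>'
    $to = in_array($htmltag, $selfClosing, true) ? '/>' : '</' . $htmltag . '>';
    $toLen = strlen($to);

    $tagOuterText = array();
    $strleft = strstr($html, $from);
    while ($strleft !== false && $strleft !== '') {
        $topos = strpos($strleft, $to);
        if ($topos === false) {
            break;
        }
        $end = $topos + $toLen;
        $tagOuterText[] = substr($strleft, 0, $end);
        $html = substr($strleft, $end);
        $strleft = strstr($html, $from);
    }
    return $tagOuterText;
}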
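// Message-poll endpoint: normalises the caller's medal counters, then returns up
// to five unread messages addressed to the caller as JSON. Every DB access goes
// through MYSQL::QUERY with bound parameters; keep it that way.
//
// USER::VERIFY(0, true) is assumed to return the authenticated user's row
// (user_id and the medal counters) — confirm against the USER class.
$user = USER::VERIFY(0, true);
$params = array($user['user_id'], 0);
$b = MYSQL::QUERY('SELECT * FROM core_messages WHERE m_to = ? AND m_read = ? ORDER BY m_sent ASC LIMIT 5', $params);

// Carry medals over (100 bronze -> 1 silver, 100 silver -> 1 gold). Bronze is
// handled first so its carry can push silver past the threshold in the same
// pass. Only one medal is carried per counter per request: a count of 200 or
// more keeps count % 100 and still adds a single higher medal — presumably the
// counters grow by one per award so this never happens; confirm before relying on it.
if ($user['bronze_medals'] >= 100 || $user['silver_medals'] >= 100) {
    if ($user['bronze_medals'] >= 100) {
        $user['bronze_medals'] = $user['bronze_medals'] % 100;
        $user['silver_medals']++;
    }
    if ($user['silver_medals'] >= 100) {
        $user['silver_medals'] = $user['silver_medals'] % 100;
        $user['gold_medals']++;
    }
    MYSQL::QUERY('UPDATE core_users SET gold_medals=?,silver_medals=?,bronze_medals=? WHERE user_id=? LIMIT 1', array($user['gold_medals'], $user['silver_medals'], $user['bronze_medals'], $user['user_id']));
}

// Senders whose messages are one-shot notifications: deleted once delivered
// instead of being marked read. Hoisted out of the loop (it never changes).
$DL_FROM = array("Price Request", "Price Response", "LeaderBoard Reward", "Achievement Earned", "Purge");

// One response shape for both outcomes; "NA" is "message" when there is
// something to deliver and "false" otherwise, as before.
$message = array(
    "NA" => empty($b) ? "false" : "message",
    "messages" => array(),
    "gold" => $user['gold_medals'],
    "silver" => $user['silver_medals'],
    "bronze" => $user['bronze_medals'],
);

if (!empty($b)) {
    foreach ($b as $m) {
        $message['messages'][] = array(
            "from" => $m['m_from'],
            "message" => $m['m_message'],
            "avatar" => $m['m_from_avatar'],
            "time" => date("h:i A M,d", strtotime($m['m_sent'])),
        );
        // Strict comparison: m_from is compared against string literals only.
        if (in_array($m['m_from'], $DL_FROM, true)) {
            MYSQL::QUERY('DELETE FROM core_messages WHERE m_id = ? LIMIT 1', array($m['m_id']));
        } else {
            MYSQL::QUERY('UPDATE core_messages SET m_read = ? WHERE m_id = ? LIMIT 1', array(1, $m['m_id']));
        }
    }
}

echo json_encode($message);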