本文整理汇总了PHP中removeXss函数的典型用法代码示例。如果您正苦于以下问题:PHP removeXss函数的具体用法?PHP removeXss怎么用?PHP removeXss使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了removeXss函数的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的PHP代码示例。
示例1: removeXss
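/**
 * HTML-escape a scalar, or every key and value of an array (recursively).
 *
 * This is output encoding for an HTML text/attribute context only: it turns
 * `<`, `>`, `&`, `"` and `'` into entities. It is not SQL, shell or URL
 * escaping, so anything passed through here still needs the escaping of the
 * context it is later spliced into.
 *
 * @param mixed $string  a scalar (cast to string) or a possibly nested array
 * @return string|array  the escaped string, or an array of the same shape
 */
function removeXss($string)
{
    if (is_array($string)) {
        $escaped = [];
        foreach ($string as $key => $val) {
            // Keys are escaped as well: a key may later be echoed into markup.
            $escaped[removeXss($key)] = removeXss($val);
        }
        return $escaped;
    }
    // ENT_QUOTES: also escape single quotes, which the pre-8.1 default
    // (ENT_COMPAT) left untouched and which break out of '...' attributes.
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences with U+FFFD instead of
    // returning '' (the pre-8.1 behaviour, which silently dropped the value).
    // Pinning the flags and charset makes the result identical across PHP
    // versions (8.1+ already defaults to these flags).
    return htmlspecialchars((string) $string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}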
示例2: sprintf
}
// Numeric list id from the query string; sprintf('%d') coerces anything else to 0.
$listid = isset($_GET['listid']) ? sprintf('%d', $_GET['listid']) : 0;

// The user-list search filter is kept in the session. It is cleared when no
// "find" parameter is present or when it is the literal string "NULL".
if (isset($_GET['find']) && !isset($_GET['findby'])) {
    $_GET['findby'] = '';
}
$clearFilter = !isset($_GET['find']) || $_GET['find'] == 'NULL';
// removeXss() is an HTML escape only; the stored value still needs SQL escaping
// wherever it is used in a query.
$_SESSION['userlistfilter']['find'] = $clearFilter ? '' : removeXss($_GET['find']);
$_SESSION['userlistfilter']['findby'] = $clearFilter ? '' : removeXss($_GET['findby']);

$find = $_SESSION['userlistfilter']['find'];
$findby = $_SESSION['userlistfilter']['findby'];
if (!$findby) {
    // Default search column.
    $findby = 'email';
}
// Query-building state filled in further down the page.
$findtables = $findbyselect = $findfield = $findfieldname = $find_url = '';
示例3: ob_start
<?php
# Buffer output for the whole request (presumably so headers/redirects issued
# later still work).
ob_start();
# Silence notices/warnings during bootstrap; the previous level is kept in $er
# (restored elsewhere, presumably — not visible here).
$er = error_reporting(0);
require_once dirname(__FILE__) . '/admin/inc/unregister_globals.php';
require_once dirname(__FILE__) . '/admin/inc/magic_quotes.php';
## none of our parameters can contain html for now
# removeXss() HTML-escapes every key and value of these superglobals, recursively.
# This is input-time HTML escaping only: the values are NOT SQL- or shell-safe,
# and the raw request values (e.g. a cookie containing '&' or '"') are no longer
# available to any later code.
$_GET = removeXss($_GET);
$_POST = removeXss($_POST);
$_REQUEST = removeXss($_REQUEST);
$_COOKIE = removeXss($_COOKIE);
# Config location: a 'ConfigFile' entry in $_SERVER (presumably set in the web
# server configuration), else the default relative path. Client-sent headers
# normally appear in $_SERVER under an HTTP_ prefix, so a plain 'ConfigFile'
# key is not expected to be supplied by the request.
if (isset($_SERVER['ConfigFile']) && is_file($_SERVER['ConfigFile'])) {
include $_SERVER['ConfigFile'];
} elseif (is_file('config/config.php')) {
# relative to the current working directory, not to this file
include 'config/config.php';
} else {
print "Error, cannot find config file\n";
exit;
}
require_once dirname(__FILE__) . '/admin/init.php';
# basename() strips any directory component, so a module name coming from the
# config cannot select a file outside admin/ (or the document root) below.
$GLOBALS['database_module'] = basename($GLOBALS['database_module']);
$GLOBALS['language_module'] = basename($GLOBALS['language_module']);
require_once dirname(__FILE__) . '/admin/' . $GLOBALS['database_module'];
# load default english and language
include_once dirname(__FILE__) . '/texts/english.inc';
# Allow customisation per installation
# (an optional per-site language file looked up under the document root)
if (is_file($_SERVER['DOCUMENT_ROOT'] . '/' . $GLOBALS['language_module'])) {
include_once $_SERVER['DOCUMENT_ROOT'] . '/' . $GLOBALS['language_module'];
}
include_once dirname(__FILE__) . '/admin/languages.php';
require_once dirname(__FILE__) . '/admin/defaultconfig.php';
示例4: ob_start
<?php
# Buffer all output for the request.
ob_start();
# Errors are silenced for the bootstrap; the old level is saved in $er.
$er = error_reporting(0);
require_once dirname(__FILE__) . '/admin/inc/unregister_globals.php';
require_once dirname(__FILE__) . '/admin/inc/magic_quotes.php';
## none of our parameters can contain html for now
# removeXss() recursively HTML-escapes keys and values. It is not SQL/shell
# escaping, so later code must still escape for those contexts. Unlike the
# sibling bootstrap, $_COOKIE is left untouched here.
$_GET = removeXss($_GET);
$_POST = removeXss($_POST);
$_REQUEST = removeXss($_REQUEST);
# Config file: $_SERVER['ConfigFile'] (presumably set by the web server config)
# wins over the default relative path. Request headers normally land in
# $_SERVER under an HTTP_ prefix, so this key is not expected to be client-controlled.
if (isset($_SERVER['ConfigFile']) && is_file($_SERVER['ConfigFile'])) {
include $_SERVER['ConfigFile'];
} elseif (is_file('config/config.php')) {
# resolved against the current working directory
include 'config/config.php';
} else {
print "Error, cannot find config file\n";
exit;
}
require_once dirname(__FILE__) . '/admin/init.php';
# basename() removes any path component from the config-supplied module names,
# so the includes below stay within admin/ and the document root.
$GLOBALS['database_module'] = basename($GLOBALS['database_module']);
$GLOBALS['language_module'] = basename($GLOBALS['language_module']);
require_once dirname(__FILE__) . '/admin/' . $GLOBALS['database_module'];
# load default english and language
include_once dirname(__FILE__) . '/texts/english.inc';
# Allow customisation per installation
if (is_file($_SERVER['DOCUMENT_ROOT'] . '/' . $GLOBALS['language_module'])) {
include_once $_SERVER['DOCUMENT_ROOT'] . '/' . $GLOBALS['language_module'];
}
include_once dirname(__FILE__) . '/admin/languages.php';
require_once dirname(__FILE__) . '/admin/defaultconfig.php';
# Database connection is opened last, after config and defaults are loaded.
require_once dirname(__FILE__) . '/admin/connect.php';
示例5: sprintf
case "all":
$subselect = "";
break;
case "none":
default:
$subselect = " where id = 0";
break;
}
// Subscribe-page id from the query string, forced to an integer string
// ('0' for non-numeric input); int 0 when the parameter is absent.
$id = isset($_GET['id']) ? sprintf('%d', $_GET['id']) : 0;
if (isset($_POST["save"]) || isset($_POST["activate"]) || isset($_POST["deactivate"])) {
$owner = $_POST["owner"];
$title = removeXss($_POST['title']);
if (!$owner) {
$owner = $_SESSION['logindetails']['id'];
}
if ($id) {
Sql_Query(sprintf('update %s set title = "%s",owner = %d where id = %d', $tables["subscribepage"], $title, $owner, $id));
} else {
Sql_Query(sprintf('insert into %s (title,owner) values("%s",%d)', $tables["subscribepage"], $title, $owner));
$id = Sql_Insert_id();
}
Sql_Query(sprintf('delete from %s where id = %d', $tables["subscribepage_data"], $id));
foreach (array("title", "language_file", "intro", "header", "footer", "thankyoupage", "button", "htmlchoice", "emaildoubleentry") as $item) {
Sql_Query(sprintf('insert into %s (name,id,data) values("%s",%d,"%s")', $tables["subscribepage_data"], $item, $id, $_POST[$item]));
}
foreach (array("subscribesubject", "subscribemessage", "confirmationsubject", "confirmationmessage") as $item) {
SaveConfig("{$item}:{$id}", stripslashes($_POST[$item]), 0);
示例6: sprintf
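<?php
require_once 'accesscheck.php';
$find_url = '';
$where = '';
$filter = '';
$exclude = '';
$s = 0;
if (isset($_GET['s'])) {
    $s = sprintf('%d', $_GET['s']);
}
// Pagination offset; anything non-numeric collapses to 0.
$start = !empty($_GET['start']) ? sprintf('%d', $_GET['start']) : 0;
if (isset($_GET['filter'])) {
    // removeXss() only HTML-escapes. Before the value is spliced into the LIKE
    // pattern it must also be escaped for the SQL string literal, using the
    // same helper the rest of this codebase uses for query values. The
    // HTML-escaped form is kept for the URL. Note that '%' and '_' in the
    // filter still act as LIKE wildcards, as they did before.
    $filter = removeXss($_GET['filter']);
    $filter_sql = sql_escape($filter);
    if (isset($_GET['exclude'])) {
        $exclude = $_GET['exclude'];
        $where = ' where page not like "%' . $filter_sql . '%" and entry not like "%' . $filter_sql . '%"';
        $exclude_url = '&exclude=' . sprintf('%d', $_GET["exclude"]);
    } else {
        $where = ' where page like "%' . $filter_sql . '%" or entry like "%' . $filter_sql . '%"';
        $exclude_url = '';
    }
    $find_url = '&filter=' . urlencode($filter) . $exclude_url;
}
$order = ' order by entered desc, id desc';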
if (isset($_GET['delete']) && $_GET['delete']) {
# delete the index in delete
$delete = sprintf('%d', $_GET['delete']);
$_SESSION['action_result'] = $GLOBALS['I18N']->get('Deleting') . ' ' . $delete . "..\n";
if ($require_login && !isSuperUser()) {
示例7: sprintf
}
// List id from the query string; non-numeric input becomes '0', absent becomes 0.
$listid = 0;
if (isset($_GET['listid'])) {
    $listid = sprintf('%d', $_GET['listid']);
}

// Work out the filter first, then publish it to the session. Absent "find",
// or the literal "NULL", means "no filter".
$find = '';
$findby = '';
if (isset($_GET["find"])) {
    if (!isset($_GET['findby'])) {
        $_GET['findby'] = '';
    }
    if ($_GET["find"] != "NULL") {
        // HTML-escaped only; SQL escaping is still needed where this is queried.
        $find = removeXss($_GET["find"]);
        $findby = removeXss($_GET["findby"]);
    }
}
$_SESSION["userlistfilter"]["find"] = $find;
$_SESSION["userlistfilter"]["findby"] = $findby;
if (!$findby) {
    // Default search column.
    $findby = "email";
}
# hmm interesting, if they select a findby but not a find, use the Sql wildcard:
if ($findby && !$find) {
# this is very slow, so instead erase the findby
# $find = '%';
$findby = '';
示例8: saveFeedback
/**
 * Persist one feedback record built from the POSTed form fields.
 *
 * Text fields pass through removeXss() (HTML escaping) before use; the type
 * and result codes are additionally restricted to [_a-z]+ before being used
 * as keys into the C('feedback') configuration. Every outcome is reported
 * through $this->JsonReturn(); a successful save answers with status 1.
 *
 * Note: strlen() counts bytes, so for multi-byte content the configured
 * 'maxLen' is applied to bytes rather than characters.
 */
function saveFeedback()
{
    if (!load('string')) {
        $this->JsonReturn('加载string函数库时发生了错误');
        return;
    }
    $time = removeXss($this->_post('fbtime', ''));
    $type = strtolower(removeXss($this->_post('fbtype', '')));
    $result = removeXss($this->_post('fbresult', ''));
    $content = trim(removeXss($this->_post('feedbackContent', '')));
    // Not escaped here; see the TODO below.
    $upload = trim($this->_post('fb_upload', ''));
    $cfg = C('feedback');

    $cfgValid = isHave($cfg['type']) && is_array($cfg['type'])
        && isHave($cfg['maxLen']) && is_numeric($cfg['maxLen']);
    if (!$cfgValid) {
        return $this->JsonReturn('配置信息错误');
    }
    // Whitelist the code before it is used as an array key.
    if (!preg_match('/^[_a-z]+$/', $type)) {
        return $this->JsonReturn('反馈类型错误');
    }
    if (!isHave($cfg['type'][$type])) {
        return $this->JsonReturn('无该反馈类型');
    }
    if (!preg_match('/^[_a-z]+$/', $result)) {
        return $this->JsonReturn('请选择正确的处理结果');
    }
    if (!isHave($cfg['result'][$result])) {
        return $this->JsonReturn('无该处理结果');
    }
    if (!strtotime($time)) {
        return $this->JsonReturn('时间错误');
    }
    $length = strlen($content);
    if ($length <= 0) {
        return $this->JsonReturn('请填写反馈内容,最大长度2000字符');
    }
    if ($length >= $cfg['maxLen']) {
        return $this->JsonReturn('反馈内容超出限制');
    }
    // TODO: how should fb_upload be validated?
    $record = array(
        'worker_uid' => steadmin::$adminInfo['user_id'],
        'type' => $cfg['type'][$type]['id'],
        'result' => $cfg['result'][$result]['id'],
        'content' => $content,
        'fb_time' => inTime($time),
        'fb_upload' => $upload,
    );
    if (!D('feedback')->save($record)) {
        return $this->JsonReturn('保存失败');
    }
    return $this->JsonReturn('保存成功,可继续添加反馈', null, 1);
}
示例9: logEvent
/**
 * Append $msg to the event log table, tagged with the current admin page.
 *
 * The page name is taken from $GLOBALS['page'], then ?page=, then ?p=, and
 * falls back to 'unknown page'; it is HTML-escaped with removeXss() and then
 * SQL-escaped before storage. Nothing is written when the eventlog table is
 * missing.
 *
 * NOTE(review): $msg is SQL-escaped first and HTML-escaped second. The outer
 * context is the SQL literal, so the conventional order is the reverse
 * (htmlspecialchars, then sql_escape); confirm against sql_escape() before
 * relying on the stored text being exactly the HTML-escaped message.
 */
function logEvent($msg)
{
    global $tables;
    $page = 'unknown page';
    if (isset($GLOBALS['page'])) {
        $page = $GLOBALS['page'];
    } elseif (isset($_GET['page'])) {
        $page = $_GET['page'];
    } elseif (isset($_GET['p'])) {
        $page = $_GET['p'];
    }
    $page = removeXss($page);
    if (!Sql_Table_Exists($tables["eventlog"])) {
        return;
    }
    $query = sprintf(
        'insert into %s (entered,page,entry) values(now(),"%s","%s")',
        $tables["eventlog"],
        sql_escape($page),
        htmlspecialchars(sql_escape($msg))
    );
    Sql_Query($query);
}
示例10: wordsFilter
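/**
 * Make user-supplied text safe for an HTML context.
 *
 * Despite the parameter name, $delhtmltag = false is the stricter mode: tags
 * are stripped and the remainder is HTML-escaped. With $delhtmltag = true the
 * content is only passed through removeXss() from the 'string.fun' library
 * (an HTML escape; tags survive as visible text).
 *
 * @param mixed $content     text to filter; empty input yields ''
 * @param bool  $delhtmltag  false: strip_tags + htmlspecialchars; true: removeXss
 * @return string
 */
function wordsFilter($content = '', $delhtmltag = false)
{
    // empty() would also discard the legitimate content '0' / 0, so exempt those.
    if (empty($content) && $content !== '0' && $content !== 0) {
        return '';
    }
    if (!$delhtmltag) {
        return htmlspecialchars(strip_tags($content));
    }
    load('string.fun');
    return removeXss($content);
}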
示例11: PageLink2
$subselect = " where id = 0";
break;
}
}
// Offer the members view once a concrete list id exists (0 = new list).
// $id is expected to be numeric already (it is placed in the link's query string).
if ($id) {
    $membersLink = PageLink2("members", $GLOBALS['I18N']->get('Members of this list'), "id={$id}");
    echo '<br />' . $membersLink;
}
echo '<hr />';
if (isset($_POST["save"]) && isset($_POST["listname"]) && $_POST["listname"]) {
if ($GLOBALS["require_login"] && !isSuperUser()) {
$owner = $_SESSION["logindetails"]["id"];
}
if (!isset($_POST["active"])) {
$_POST["active"] = 0;
}
$_POST['listname'] = removeXss($_POST['listname']);
if ($id) {
$query = sprintf('update %s set name="%s",description="%s",
active=%d,listorder=%d,prefix = "%s", owner = %d, rssfeed = "%s"
where id=%d %s', $tables["list"], addslashes($_POST["listname"]), sql_escape($_POST["description"]), $_POST["active"], $_POST["listorder"], sql_escape($_POST["prefix"]), sql_escape($_POST["owner"]), sql_escape($_POST["rssfeed"]), $id, $subselect_and);
} else {
$query = sprintf('insert into %s
(name,description,entered,listorder,owner,prefix,rssfeed,active)
values("%s","%s",now(),%d,%d,"%s","%s",%d)', $tables["list"], sql_escape($_POST["listname"]), sql_escape($_POST["description"]), $_POST["listorder"], sql_escape($_POST["owner"]), sql_escape($_POST["prefix"]), sql_escape($_POST["rssfeed"]), $_POST["active"]);
}
# print $query;
$result = Sql_Query($query);
if (!$id) {
$id = sql_insert_id();
}
Redirect('list');
示例12: ob_start
<?php
# Buffer all output for the request.
ob_start();
# Silence errors during bootstrap; the previous level is kept in $er.
$er = error_reporting(0);
require_once dirname(__FILE__) . '/admin/commonlib/lib/unregister_globals.php';
require_once dirname(__FILE__) . '/admin/commonlib/lib/magic_quotes.php';
require_once dirname(__FILE__) . '/admin/init.php';
## none of our parameters can contain html for now
# removeXss() recursively HTML-escapes keys and values. This is not SQL or
# shell escaping; later code must still escape for those contexts.
$_GET = removeXss($_GET);
$_POST = removeXss($_POST);
$_REQUEST = removeXss($_REQUEST);
# NOTE(review): $_SERVER is rewritten too, so from here on every server value
# (ConfigFile, DOCUMENT_ROOT, REQUEST_URI, QUERY_STRING, ...) is HTML-escaped;
# any of them containing '&', '"', '<' or '>' no longer matches the real value,
# which can make the is_file() checks below fail or paths resolve differently.
$_SERVER = removeXss($_SERVER);
# Config file lookup order: $_SERVER['ConfigFile'], then the CONFIG environment
# variable, then the default relative path. Both of the first two are include
# paths taken from the process environment (presumably set by the web server
# or service configuration).
if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
# print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
include $_SERVER["ConfigFile"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
# print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
include $_ENV["CONFIG"];
} elseif (is_file("config/config.php")) {
# print '<!-- using config/config.php -->'."\n";
# resolved against the current working directory
include "config/config.php";
} else {
print "Error, cannot find config file\n";
exit;
}
# The condition is hard-coded to 0, so the E_ALL branch is dead code; the
# commented-out expression shows the developer switch it once was. The
# effective result is that errors stay suppressed.
if (0) {
#isset($GLOBALS["developer_email"]) && $GLOBALS['show_dev_errors']) {
error_reporting(E_ALL);
} else {
error_reporting(0);
}
示例13: Sql_query
$ls->addButton($GLOBALS['I18N']->get("reload"), $baseurl . '&tab=' . $_GET["tab"]);
}
$existing_criteria = $ls->display();
} else {
if ($messageid) {
Sql_query(sprintf('update %s set userselection = "" where id = %d', $tables["message"], $messageid));
}
}
}
// end of define STACKED_ATTRIBUTES
##############################
# Stacked attributes, end
##############################
// The footer comes from the form when one was posted (HTML-escaped by removeXss);
// otherwise $footer keeps whatever value it already had at this point.
$footer = isset($_POST['footer']) ? removeXss($_POST['footer']) : $footer;
// Fall back to the configured default when the footer is blank. When $id was
// passed, $_POST is expected to carry the stored value already.
// NOTE(review): the code does not consult $id, so any falsy footer (including
// an intentionally empty one, or the string '0') receives the default.
if (!$footer) {
    $footer = getConfig('messagefooter');
}
// NOTE(review): $errormsg is echoed unescaped; this assumes it is assembled
// from trusted text only — confirm where it is built.
echo $errormsg;
if (!$done) {
if (ALLOW_ATTACHMENTS) {
$enctype = 'enctype="multipart/form-data"';
} else {
$enctype = '';
}
#$baseurl = sprintf('./?page=%s&id=%d',$_GET["page"],$_GET["id"]);