PHP使用preg_match检测URL中的标签

Question

I am trying to add a layer of security on top of my prepared statements by adding:

if (preg_match('#[@*,!$\'\-;:~`^|\(\\)\\{\\}\\[\\]]#i', $_SERVER['REQUEST_URI']) || strpos($_SERVER['REQUEST_URI'],'script')) { 
    echo 'Cannot do that';
}

I tried adding ([\\<])([^\\>]{1,})*([\\>]) into there but it didn't work. I also tried adding a condition if strcmp($_SERVER['REQUEST_URI'], strip_tags($_SERVER['REQUEST_URI'])) != 0

and when i added into the url, it didn't do anything

any help is appreciated!

Answer 1

You don't need to validate the URL. It seems that you are trying to prevent XSS - for this you should make sure you are escaping the output, not to validate the URL. If you really want to block requests with html in the url, than you can look at some ready to use solutions such as mod_security

Answer 2

The first is the tag you'd like to match, and the second is the variable containing the XML or HTML. Once again, this can be very powerful used along with cURL.

function get_tag( $tag, $xml ) {
  $tag = preg_quote($tag);
  preg_match_all('{<'.$tag.'[^>]*>(.*?)</'.$tag.'>.'}',
                   $xml,
                   $matches,
                   PREG_PATTERN_ORDER);

  return $matches[1];
}

Matching an XHTML/XML tag with a certain attribute value

This function is very similar to the previous one, but it allow you to match a tag having a specific attribute. For example, you could easily match .

function get_tag( $attr, $value, $xml, $tag=null ) {
  if( is_null($tag) )
    $tag = '\w+';
  else
    $tag = preg_quote($tag);

  $attr = preg_quote($attr);
  $value = preg_quote($value);

  $tag_regex = "/<(".$tag.")[^>]*$attr\s*=\s*".
                "(['\"])$value\\2[^>]*>(.*?)<\/\\1>/"

  preg_match_all($tag_regex,
                 $xml,
                 $matches,
                 PREG_PATTERN_ORDER);

  return $matches[3];
}