[Repost] PHP SQL injection attacks: technical implementation and prevention methods (4)
define("XH_PARAM_INT", 0);
define("XH_PARAM_TXT", 1);

function PAPI_GetSafeParam($pi_strName, $pi_Def = "", $pi_iType = XH_PARAM_TXT)
{
    // Take the value from GET first, then POST; otherwise fall back to the default
    if (isset($_GET[$pi_strName]))
        $t_Val = trim($_GET[$pi_strName]);
    else if (isset($_POST[$pi_strName]))
        $t_Val = trim($_POST[$pi_strName]);
    else
        return $pi_Def;

    // INT: accept only what is_numeric() accepts, otherwise return the default
    if (XH_PARAM_INT == $pi_iType) {
        if (is_numeric($t_Val))
            return $t_Val;
        else
            return $pi_Def;
    }

    // String: replace HTML metacharacters with entities.
    // (The page extraction rendered the entities as bare characters,
    //  which made every str_replace() a no-op; the entities are restored here.)
    $t_Val = str_replace("&", "&amp;", $t_Val);
    $t_Val = str_replace("<", "&lt;", $t_Val);
    $t_Val = str_replace(">", "&gt;", $t_Val);
    // get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0
    if (get_magic_quotes_gpc()) {
        // magic_quotes_gpc has already put a backslash before each quote,
        // so the escaped pair is what gets replaced
        $t_Val = str_replace("\\\"", "&quot;", $t_Val);
        $t_Val = str_replace("\\'", "&#39;", $t_Val);
    } else {
        $t_Val = str_replace("\"", "&quot;", $t_Val);
        $t_Val = str_replace("'", "&#39;", $t_Val);
    }
    return $t_Val;
}

This function takes three parameters:
$pi_strName: the variable name. $pi_Def: the default value. $pi_iType: the data type, either XH_PARAM_INT or XH_PARAM_TXT, for numeric and text values respectively. If a numeric value is requested, is_numeric() is called to check whether the input is a number; if it is not, the default value specified by the program is returned.
For simplicity, for text strings I escape every dangerous character the user enters (HTML code included). Because the PHP function addslashes() has a vulnerability, I replace the characters directly with str_replace(). get_magic_quotes_gpc() is a PHP function that reports whether the magic_quotes_gpc option is switched on.
The example from section two can then be called like this:
<?php
if (isset($_POST["f_login"])) {
    // Connect to the database...
    // ...code omitted...

    // Check whether the user exists
    $t_strUid = PAPI_GetSafeParam("f_uid", 0, XH_PARAM_INT);
    $t_strPwd = PAPI_GetSafeParam("f_pwd", "", XH_PARAM_TXT);
    $t_strSQL = "SELECT * FROM tbl_users WHERE uid=$t_strUid AND password = '$t_strPwd' LIMIT 0,1";
    // mysql_query() belongs to the ext/mysql extension, removed in PHP 7
    if ($t_hRes = mysql_query($t_strSQL)) {
        // Handling after a successful query. Omitted...
    }
}
?>

With that, it is already quite safe. The PAPI_GetSafeParam code is a little long, but giving up that bit of efficiency is worth it for security. I welcome your criticism and corrections. :)
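As an added example (not the original post's code), the same INT/TXT parameter contract rewritten for current PHP: integers are validated with filter_var() and the login query is a PDO prepared statement, so the text branch no longer has to escape quotes for SQL at all. It assumes an in-memory SQLite database with the post's tbl_users(uid, password) layout; the row and the requests are constructed for the demo.

```php
<?php
// Added example, not the original post's code: same INT/TXT parameter
// contract, but validation instead of escaping, plus a prepared statement.
// Runs offline against in-memory SQLite; all rows and requests are constructed.
declare(strict_types=1);
const XH_PARAM_INT = 0;
const XH_PARAM_TXT = 1;

// INT: strict integer or the default. TXT: trimmed raw string, deliberately
// not escaped: SQL quoting is the driver's job, HTML escaping the view's.
function get_param(array $src, string $name, $def = '', int $type = XH_PARAM_TXT)
{
    if (!isset($src[$name]) || !is_string($src[$name])) {
        return $def;
    }
    $val = trim($src[$name]);
    if ($type === XH_PARAM_INT) {
        // FILTER_VALIDATE_INT rejects "1e3" and "1 OR 1=1"; is_numeric() accepts "1e3".
        $int = filter_var($val, FILTER_VALIDATE_INT);
        return $int === false ? $def : $int;
    }
    return $val;
}

// Bound parameters: user input travels separately from the SQL text.
function find_user(PDO $db, int $uid, string $pwd): ?array
{
    $stmt = $db->prepare('SELECT * FROM tbl_users WHERE uid = :uid AND password = :pwd LIMIT 1');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->bindValue(':pwd', $pwd, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_users (uid INTEGER PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO tbl_users VALUES (1, 'O''Brien#1')"); // plaintext only to mirror the post's table

// Constructed requests: a valid login, a quote-bearing probe, a non-integer uid.
$requests = [
    ['f_uid' => '1',   'f_pwd' => "O'Brien#1"],
    ['f_uid' => '1',   'f_pwd' => "' OR '1'='1"],
    ['f_uid' => '1e3', 'f_pwd' => 'anything'],
];
foreach ($requests as $post) {
    $uid = get_param($post, 'f_uid', 0, XH_PARAM_INT);
    $pwd = get_param($post, 'f_pwd', '', XH_PARAM_TXT);
    echo var_export($pwd, true), ' -> ', (find_user($db, $uid, $pwd) ? 'login ok' : 'rejected'), "\n";
}
```

Only the first request logs in; the quote in the legitimate password is handled by the driver, and the probe and the "1e3" uid are both rejected.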