search
Homephp教程php手册PHP 防注入安全实现程序代码

PHP 防注入安全实现程序代码

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB
WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB
Jun 13, 2016 am 10:12 AM
phpsqlcodebutaboutSafetyaccomplishusinjectionofprogramstill

以前讲述的很多关于sql防注入的代码,但是还是得从我们的服务器脚本开始了,下面就来讲述一个下php中防注入的一些常见方法大家可参考。

最常用见的可能就是

首先将magic_quotes_gpc设置为On,display_errors设置为Off,如果id型,我们利用intval()将其转换成整数类型,如代码:
$id=intval($id);

好了下面我来介绍php提交数据过滤的基本原则 

1)提交变量进数据库时,我们必须使用addslashes()进行过滤,像我们的注入问题,一个addslashes()也就搞定了。其实在涉及到变量取值时,intval()函数对字符串的过滤也是个不错的选择。

2)在php.ini中开启magic_quotes_gpc和magic_quotes_runtime。magic_quotes_gpc可以把get,post,cookie里的引号变为斜杠。magic_quotes_runtime对于进出数据库的数据可以起到格式话的作用。其实,早在以前注入很疯狂时,这个参数就很流行了。

3)在使用系统函数时,必须使用escapeshellarg(),escapeshellcmd()参数去过滤,这样你也就可以放心的使用系统函数。

4)对于跨站,strip_tags(),htmlspecialchars()两个参数都不错,对于用户提交的的带有html和php的标记都将进行转换。比如尖括号"

 代码如下 复制代码
$new = htmlspecialchars("Test", ENT_QUOTES);
strip_tags($text,);

5)对于相关函数的过滤,就像先前的include(),unlink,fopen()等等,只要你把你所要执行操作的变量指定好或者对相关字符过滤严密,我想这样也就无懈可击了。

2、PHP简单的数据过滤

1)入库:  trim($str),addslashes($str)
2)出库:  stripslashes($str)
3)显示:  htmlspecialchars(nl2br($str))

分享一个实例

具体的代码:

 代码如下 复制代码

   //security.php
/**
 * @author zhengwei
 * @copyright 2007
 */

/*
函数名称:inject_check()
函数作用:检测提交的值是不是含有SQL注射的字符,防止注射,保护服务器安全
参  数:$sql_str: 提交的变量
返 回 值:返回检测结果,ture or false
函数作者:heiyeluren
*/
function inject_check($sql_str) { 
  return eregi('select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str);    // 进行过滤 

 
/*
函数名称:verify_id()
函数作用:校验提交的ID类值是否合法
参  数:$id: 提交的ID值
返 回 值:返回处理后的ID
函数作者:heiyeluren
*/
function verify_id($id=null) { 
  if (!$id) { exit('没有提交参数!'); }    // 是否为空判断 
  elseif (inject_check($id)) { exit('提交的参数非法!'); }    // 注射判断 
  elseif (!is_numeric($id)) { exit('提交的参数非法!'); }    // 数字判断 
  $id = intval($id);    // 整型化 
 
  return  $id; 

 
/*
函数名称:str_check()
函数作用:对提交的字符串进行过滤
参  数:$var: 要处理的字符串
返 回 值:返回过滤后的字符串
函数作者:heiyeluren
*/
function str_check( $str ) { 
  if (!get_magic_quotes_gpc()) {    // 判断magic_quotes_gpc是否打开 
    $str = addslashes($str);    // 进行过滤 
  } 
  $str = str_replace("_", "_", $str);    // 把 '_'过滤掉 
  $str = str_replace("%", "%", $str);    // 把 '%'过滤掉 
 
  return $str;  

 
/*
函数名称:post_check()
函数作用:对提交的编辑内容进行处理
参  数:$post: 要提交的内容
返 回 值:$post: 返回过滤后的内容
函数作者:heiyeluren
*/
function post_check($post) { 
  if (!get_magic_quotes_gpc()) {    // 判断magic_quotes_gpc是否为打开 
    $post = addslashes($post);    // 进行magic_quotes_gpc没有打开的情况对提交数据的过滤 
  } 
  $post = str_replace("_", "_", $post);    // 把 '_'过滤掉 
  $post = str_replace("%", "%", $post);    // 把 '%'过滤掉 
  $post = nl2br($post);    // 回车转换 
  $post = htmlspecialchars($post);    // html标记转换 
 
  return $post; 


foreach ($_POST as $post_key=>$post_var)
{
 if (is_numeric($post_var)) {
  $post[strtolower($post_key)] = get_int($post_var);
 } else {
  $post[strtolower($post_key)] = get_str($post_var);
 }
}

/* 过滤函数 */
//整型过滤函数
function get_int($number)
{
    return intval($number);
}
//字符串型过滤函数
function get_str($string)
{
    if (!get_magic_quotes_gpc()) {
 return addslashes($string);
    }
    return $string;
}

?>

在有些cms中我会看到

foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}


 

这个的代码然后在所有页面都加载这个函数,这样过滤个人发现好像上传文件时会有问题哦。

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Show More

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
R.E.P.O. Best Graphic Settings
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Assassin's Creed Shadows: Seashell Riddle Solution
2 weeks agoByDDD
R.E.P.O. How to Fix Audio if You Can't Hear Anyone
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
WWE 2K25: How To Unlock Everything In MyRise
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Show More

Hot Tools

DVWA

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

VSCode Windows 64-bit Download

VSCode Windows 64-bit Download

A free and powerful IDE editor launched by Microsoft

MinGW - Minimalist GNU for Windows

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

Show More

Hot Topics

Where is the login entrance for gmail email?
7488
15
CakePHP Tutorial
1377
52
What is the format of the account name of steam
77
11
win11 activation key permanent
52
19
nyt connections hints and answers
19
40
Show More