Home > Article > Backend Development > PHP prevents SQL injection example analysis and several common attack regular expressions_PHP tutorial
PHP prevents SQL injection example analysis and several common attack regular expressions_PHP tutorial
- WBOYOriginal
- 2016-07-13 10:41:271016browse
注入漏洞代码和分析
function customError($errno, $errstr, $errfile, $errline)
{
echo "Error number: [$errno],error on line $errline in $errfile
";
die();
}
set_error_handler("customError",E_ERROR);
$getfilter="'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
$postfilter="\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
$cookiefilter="\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
function StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq)
{
if(is_array($StrFiltValue))
{
$StrFiltValue=implode($StrFiltValue);
}
if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue)==1&&!isset($_REQUEST['securityToken']))
{
slog("
操作IP: ".$_SERVER["REMOTE_ADDR"]."
操作时间: ".strftime("%Y-%m-%d %H:%M:%S")."
操作页面:".$_SERVER["PHP_SELF"]."
提交方式: ".$_SERVER["REQUEST_METHOD"]."
提交参数: ".$StrFiltKey."
提交数据: ".$StrFiltValue);
print "result notice:Illegal operation!";
exit();
}
}
foreach($_GET as $key=>$value)
{
StopAttack($key,$value,$getfilter);
}
foreach($_POST as $key=>$value)
{
StopAttack($key,$value,$postfilter);
}
foreach($_COOKIE as $key=>$value)
{
StopAttack($key,$value,$cookiefilter);
}
function slog($logs)
{
$toppath="log.htm";
$Ts=fopen($toppath,"a+");
fputs($Ts,$logs."rn");
fclose($Ts);
}
?>
sql
分析
如果使用这个函数的话,这个函数会绕开PHP的标准出错处理,所以说得自己定义报错处理程序(die())。
其次,如果代码执行前就发生了错误,那个时候用户自定义的程序还没有执行,所以就不会用到用户自己写的报错处理程序。
那么,PHP里有一套错误处理机制,可以使用set_error_handler()接管PHP错误处理,也可以使用trigger_error()函数主动抛出一个错误。
set_error_handler()函数设置用户自定义的错误处理函数。函数用于创建运行期间的用户自己的错误处理方法。它需要先创建一个错误处理函数,然后设置错误级别。
关于的用法:
function customError($errno, $errstr, $errfile, $errline)
{
echo "错误代码: [${errno}] ${errstr}\r\n";
echo " 错误所在的代码行: {$errline} 文件{$errfile}\r\n";
echo " PHP版本 ",PHP_VERSION, "(" , PHP_OS, ")\r\n";
// die();
}
set_error_handler("customError",E_ALL| E_STRICT);
在这个函数里,可以做任何要做的事情,包括对错误的详情进行格式化输出,记入log文件。
function slog($logs)
{
$toppath="log.htm";
$Ts=fopen($toppath,"a+");
fputs($Ts,$logs."rn");
fclose($Ts);
}
The custom error handling function must have these four input variables $errno, $errstr, $errfile, and $errline.
errno is a set of constants, representing the level of the error. There is also a set of integers corresponding to it, but it is generally represented by its string value, which has better semantics. For example, E_WARNING has a binary mask of 4, indicating warning information.
The next step is to pass this function as a callback parameter to set_error_handler. This will take over PHP's native error handling function. It should be noted that this hosting method cannot host all kinds of errors, such as E_ERROR, E_PARSE, E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_ERROR, E_COMPILE_WARNING, and parts of E_STRICT. These errors are displayed in their original form, or not displayed at all.
The StopAttack() function is to write the passed POST, GET, and COOKIE into the log file using regular expressions and calling slog().
$Exec_Commond = "( \s|\S)*(exec(\s| \+)+(s|x)p\w+)(\s|\S)*";
$Simple_XSS = "( \s|\S)*((%3C)|<)((% 2F)|/)*[a-z0-9%]+((%3E)|>)(\s|\S)*";
$Eval_XSS = "( \s|\S)*( (%65)|e)(\s)*((%76)|v)(\s)*((%61)|a)(\s)*((%6C)|l)(\s| \S)*";
$Image_XSS = "( \s|\S)*((%3C)|<)((%69)|i|I|(%49))((%6D) |m|M|(%4D))((%67)|g|G|(%47))[^\n]+((%3E)|>)(\s|\S)*" ;
$Script_XSS = "( \s|\S)*((%73)|s)(\s)*((%63)|c)(\s)*((%72)|r)( \s)*((%69)|i)(\s)*((%70)|p)(\s)*((%74)|t)(\s|\S)*";
$SQL_Injection = "( \s|\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(")|((%22) |(-|%2D){2})|(%23)|(%3B)|(;))+(\s|\S)*";
When HP encounters an error, it will give the location, line number and reason of the error script. Many people say that this is not a big deal. But the consequences of leaking the actual path are unimaginable. For some intruders, this information is very important. In fact, many servers now have this problem. Some network administrators simply set display_errors in the PHP configuration file to Off to solve the problem, but I think this method is too negative. Sometimes, we really need PHP to return error information for debugging. And when something goes wrong, you may also need to give the user an explanation or even navigate to another page. But with set_error_handler(), these contradictions can be resolved.