Home >Backend Development >PHP Tutorial >PHP anti-SQL injection class can filter sensitive parameters_PHP tutorial
This article summarizes almost all possible PHP anti-SQL injection codes. Please refer to them for reference.
Determine the executability of XP_CMDSHELL
Discover WEB virtual directory
Upload ASP, php, jsp Trojans;
Get administrator rights;
//PHP whole site anti-injection program, you need to require_once this file in the public file
//Judge magic_quotes_gpc status
if (@get_magic_quotes_gpc ()) {
$_GET = sec ($_GET);
$_POST = sec ( $_POST );
$_COOKIE = sec ( $_COOKIE );
$_FILES = sec ( $_FILES );
}
$_SERVER = sec ( $_SERVER );
function sec(&$array) {
//If it is an array, traverse the array and call recursively
If (is_array ( $array )) {
foreach ( $array as $k => $v ) {
$array [$k] = sec ($v);
} else if (is_string ( $array )) {
//Use the addslashes function to process
$array = addslashes ( $array );
} else if (is_numeric ( $array )) {
$array = intval ($array);
}
Return $array;
}
1. Judgment of integer parameters
When the input parameter YY is an integer, usually the original SQL statement in abc.asp is roughly as follows:
select * from table name where field = YY, so you can use the following steps to test whether SQL injection exists.
①HTTP://xxx.xxx.xxx/abc.asp?p=YY’ (with a single quote attached), at this time the SQL statement in abc.ASP becomes
select * from table name where field=YY’, abc.asp runs abnormally;
②HTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=1, abc.asp runs normally and is the same as HTTP://xxx.xxx.xxx/abc.asp?p=YY The running results are the same;
③HTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=2, abc.asp is running abnormally;
If the above three steps are fully satisfied, there must be a SQL injection vulnerability in abc.asp.
function num_check($id) {
If (! $id) {
die ( 'Parameter cannot be empty!' );
} //Judge whether it is empty
else if (inject_check ( $id )) {
die ('illegal parameter');
} //Inject judgment
else if (! is_numetic ( $id )) {
die ('illegal parameter');
}
//Number Judgment
$id = intval ($id);
//Integerization
Return $id;
}
//Character filter function
function str_check($str) {
If (inject_check ( $str )) {
die ('illegal parameter');
}
//Inject judgment
$str = htmlspecialchars ($str);
//Convert html
Return $str;
}
function search_check($str) {
$str = str_replace ( "_", "_", $str );
//Filter out "_"
$str = str_replace ( "%", "%", $str );
//Filter out "%"
$str = htmlspecialchars ($str);
//Convert html
Return $str;
}
//Form filter function
function post_check($str, $min, $max) {
If (isset ( $min ) && strlen ( $str ) < $min) {
die ('minimum $min bytes');
} else if (isset ( $max ) && strlen ( $str ) > $max) {
die ('Up to $max bytes');
}
Return stripslashes_array ( $str );
}
When the input parameter YY is a string, usually the original SQL statement in abc.php is roughly as follows:
select * from table name where field='YY', so you can use the following steps to test whether SQL injection exists.
①HTTP://xxx.xxx.xxx/abc.php?p=YY’ (with a single quote attached), at this time the SQL statement in abc.ASP becomes
select * from table name where field=YY’, abc.asp runs abnormally;
②HTTP://xxx.xxx.xxx/abc.php?p=YY&;nb ... 39;1'='1', abc.php runs normally and is consistent with HTTP://xxx.xxx. xxx/abc.asp?p=YY results are the same;
③HTTP://xxx.xxx.xxx/abc.php?p=YY&;nb ... 39;1'='2', abc.php is running abnormally;
If the above three steps are fully satisfied, there must be a SQL injection vulnerability in abc.asp.
//Anti-injection functionfunction inject_check($sql_str) {
Return eregi ( 'select|inert|update|delete|'|/*|*|../|./|UNION|into|load_file|outfile', $sql_str );// Filter to prevent injection
}
function stripslashes_array(&$array) {
If (is_array ( $array )) {
foreach ( $array as $k => $v ) {
$array [$k] = stripslashes_array ( $v );
} else if (is_string ( $array )) {
$array = stripslashes ( $array );
}
Return $array;
}
//php batch filter posts, get sensitive data
if (get_magic_quotes_gpc()) {
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
}
function stripslashes_array(&$array) {
while(list($key,$var) = each($array)) {
if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
if (is_string($var)) {
$array[$key] = stripslashes($var);
}
if (is_array($var)) {
$array[$key] = stripslashes_array($var);
}
}
}
return $array;
}
//过滤
function htmlencode($str){
if(empty($str)) return;
if($str=="") return $str;
$str=trim($str);
$str=str_replace("&","&",$str);
$str=str_replace(">",">",$str);
$str=str_replace("<","<",$str);
$str=str_replace(chr(32)," ",$str);
$str=str_replace(chr(9)," ",$str);
$str=str_replace(chr(9)," ",$str);
$str=str_replace(chr(34),"&",$str);
$str=str_replace(chr(39),"'",$str);
$str=str_replace(chr(13),"
",$str);
$str=str_replace("'","''",$str);
$str=str_replace("select","select",$str);
$str=str_replace("SCRIPT","SCRIPT",$str);
$str=str_replace("script","script",$str);
$str=str_replace("join","join",$str);
$str=str_replace("union","union",$str);
$str=str_replace("where","where",$str);
$str=str_replace("insert","insert",$str);
$str=str_replace("delete","delete",$str);
$str=str_replace("update","update",$str);
$str=str_replace("like","like",$str);
$str=str_replace("drop","drop",$str);
$str=str_replace("create","create",$str);
$str=str_replace("modify","modify",$str);
$str=str_replace("rename","rename",$str);
$str=str_replace("alter","alter",$str);
$str=str_replace("cast","cas",$str);
return $str;
}
//解码
function htmldecode($str){
if(empty($str)) return;
if($str=="") return $str;
$str=str_replace("select","select",$str);
$str=str_replace("join","join",$str);
$str=str_replace("union","union",$str);
$str=str_replace("where","where",$str);
$str=str_replace("insert","insert",$str);
$str=str_replace("delete","delete",$str);
$str=str_replace("update","update",$str);
$str=str_replace("like","like",$str);
$str=str_replace("drop","drop",$str);
$str=str_replace("create","create",$str);
$str=str_replace("modify","modify",$str);
$str=str_replace("rename","rename",$str);
$str=str_replace("alter","alter",$str);
$str=str_replace("cas","cast",$str);
$str=str_replace("&","&",$str);
$str=str_replace(">",">",$str);
$str=str_replace("<","<",$str);
$str=str_replace(" ",chr(32),$str);
$str=str_replace(" ",chr(9),$str);
$str=str_replace(" ",chr(9),$str);
$str=str_replace("&",chr(34),$str);
$str=str_replace("'",chr(39),$str);
$str=str_replace("
",chr(13),$str);
$str=str_replace("''","'",$str);
return $str;
}
// Function: string_filter($string, $match_type=1)
// Function: Filter illegal content
// Parameters:
// $string the string to be checked
// $match_type match type, 1 is exact match, 2 is fuzzy match, the default is 1
//
//Return: True if there is illegal content, False if there is no illegal content
// Others: The illegal keyword list is saved in the txt file, divided into two lists: ordinary illegal keywords and serious illegal keywords
// Author: heiyeluren
// Time: 2006-1-18
//
//================================================ ======================
function lib_lawless_string_filter($string, $match_type=1)
{
//It is illegal to return an empty string directly
$string = trim($string);
if (empty($string))
{
return false;
}
//Get important keyword list and common keyword list
$common_file = "common_list.txt"; //Common filter keyword list
$signify_file = "signify_list.txt"; //Important filter keyword list
//If any list file does not exist, return false directly, otherwise read the two file lists into two arrays
if (!file_exists($common_file) || !file_exists($signify_file))
{
return false;
}
$common_list = file($common_file);
$signify_list = file($signify_file);
//Exact match
if ($match_type == 1)
{
$is_lawless = exact_match($string, $common_list);
}
//Fuzzy matching
if ($match_type == 2)
{
$is_lawless = blur_match($string, $common_list, $signify_list);
}
//Determine whether there is data in the search result array. If there is, it proves to be illegal
if (is_array($is_lawless) && !empty($is_lawless))
{
return true;
}
else
{
return false;
}
}
//------------------------
// Exact matching, serving filtering
//------------------------
function exact_match($string, $common_list)
{
$string = trim($string);
$string = lib_replace_end_tag($string);
//Retrieve the common filter keyword list
foreach($common_list as $block)
{
$block = trim($block);
if (preg_match("/^$string$/i", $block))
{
$blist[] = $block;
}
}
//Determine whether there is filtered content in the array
if (!empty($blist))
{
return array_unique($blist);
}
return false;
}
//---------------------
// Fuzzy matching, serving filtering
//---------------------
function blur_match($string, $common_list, $signify_list)
{
$string = trim($string);
$s_len = strlen($string);
$string = lib_replace_end_tag($string);
//Retrieve the common filter keyword list
foreach($common_list as $block)
{
$block = trim($block);
if (preg_match("/^$string$/i", $block))
{
$blist[] = $block;
}
}
//Retrieve severe filter keyword list
foreach($signify_list as $block)
{
$block = trim($block);
if ($s_len>=strlen($block) && preg_match("/$block/i", $string))
{
$blist[] = $block;
}
}
//Determine whether there is filtered content in the array
if (!empty($blist))
{
return array_unique($blist);
}
return false;
}
//--------------------------
// Replace HTML尾 tagging, for filter service
//-------------------------
function lib_replace_end_tag($str)
{
if (empty($str)) return false;
$str = htmlspecialchars($str);
$str = str_replace( '/', "", $str);
$str = str_replace("", "", $str);
$str = str_replace(">", "", $str);
$str = str_replace("<", "", $str);
$str = str_replace("<SCRIPT>", "", $str);<br>
$str = str_replace("</SCRIPT>", "", $str);
$str = str_replace("<script>", "", $str);<br>
$str = str_replace("</script>", "", $str);
$str=str_replace("select","select",$str);
$str=str_replace("join","join",$str);
$str=str_replace("union","union",$str);
$str=str_replace("where","where",$str);
$str=str_replace("insert","insert",$str);
$str=str_replace("delete","delete",$str);
$str=str_replace("update","update",$str);
$str=str_replace("like","like",$str);
$str=str_replace("drop","drop",$str);
$str=str_replace("create","create",$str);
$str=str_replace("modify","modify",$str);
$str=str_replace("rename","rename",$str);
$str=str_replace("alter","alter",$str);
$str=str_replace("cas","cast",$str);
$str=str_replace("&","&",$str);
$str=str_replace(">",">",$str);
$str=str_replace("<","<",$str);
$str=str_replace(" ",chr(32),$str);
$str=str_replace(" ",chr(9),$str);
$str=str_replace(" ",chr(9),$str);
$str=str_replace("&",chr(34),$str);
$str=str_replace("'",chr(39),$str);
$str=str_replace("
",chr(13),$str);
$str=str_replace("''","'",$str);
$str=str_replace("css","'",$str);
$str=str_replace("CSS","'",$str);
return $str;
//HTML tag, can be used as an extension filter
/*
$tags = array("/html", "/head", "/body", "/div", "/span", "/DOCTYPE", "/title", "/link", "/meta", "/style", "/p", "/h1," "/h2," "/h3," "/h4," "/h5," "/h6," "/strong," "/em", "/abbr", "/acronym", "/address", "/bdo", "/blockquote", "/cite", "/q", "/code", "/ins", "/del", "/dfn", "/kbd", "/pre", "/samp", "/var", "/br", "/a", "/img", "/area", "/map", "/object", "/param", "/ul", "/ol", "/li", "/dl", "/dt", "/dd", "/table", "/tr", "/td", "/th", "/tbody", "/thead", "/tfoot", "/col", "/colgroup", "/caption", "/form", "/input", "/textarea", "/select", "/option", "/optgroup", "/button", "/label", "/fieldset", "/legend", "/script", "/noscript", "/b", "/i", "/tt", "/sub", "/sup", "/big", "/small", "/hr" );
*/
}
Quotation is directly like this:
$xxx = htmlspecialchars($_POST['xxx']);
Or
$xxx = htmlspecialchars($_GET['xxx']);