Home  >  Article  >  Backend Development  >  Web security to prevent sql injection is multi-filtering with PHP filtering function

Web security to prevent sql injection is multi-filtering with PHP filtering function

不言
不言Original
2018-05-04 10:15:323334browse

这篇文章主要介绍了关于web安全防sql注入就是多过滤附PHP过滤函数 ,有着一定的参考价值,现在分享给大家,有需要的朋友可以参考一下

SQL注入与跨站攻击过滤函数,支持SQL注入,跨站脚本攻击和跨站POST提交等常见安全过滤。

<?php    
     /**    
      * 全局安全过滤函数    
      * 支持SQL注入和跨站脚本攻击    
      */    
     function global_filter()    
     {    
     //APP,ACT 分别为控制器和控制器方法    
     $params = array(APP, ACT);    
     foreach($params as $k => $v)    
     {    
     if(!preg_match("/^[a-zA-Z0-9_-]+$/", $v))    
     {    
                 header_status_404();    
     }    
     }    
     
     $arrStr = array(&#39;%0d%0a&#39;, "&#39;", &#39;<&#39;, &#39;>&#39;, &#39;$&#39;, &#39;script&#39;, &#39;document&#39;, &#39;eval&#39;,&#39;atestu&#39;,&#39;select&#39;,&#39;insert?into&#39;,&#39;delete?from&#39;);    
     global_inject_input($_SERVER[&#39;HTTP_REFERER&#39;], $arrStr, true);    
     global_inject_input($_SERVER[&#39;HTTP_USER_AGENT&#39;], $arrStr, true);    
     global_inject_input($_SERVER[&#39;HTTP_ACCEPT_LANGUAGE&#39;], $arrStr, true);    
     global_inject_input($_GET, array_merge($arrStr, array(&#39;"&#39;)), true);    
     //global_inject_input($_COOKIE, array_merge($arrStr, array(&#39;"&#39;, &#39;&&#39;)), true);    
         //cookie会有对url的记录(pGClX_last_url)。去掉对&的判断    
         global_inject_input($_COOKIE, array_merge($arrStr, array(&#39;"&#39;)), true);    
     global_inject_input($_SERVER, array(&#39;%0d%0a&#39;), true);    
     
     //处理跨域POST提交问题    
     if($_SERVER[&#39;REQUEST_METHOD&#39;] == &#39;POST&#39;)    
     {    
     //处理客户端POST请求处理没有HTTP_REFERER参数问题    
     if(isset($_SERVER[&#39;HTTP_REFERER&#39;]))    
     {    
     $url = parse_url($_SERVER[&#39;HTTP_REFERER&#39;]);    
     $referer_host = !empty($url[&#39;port&#39;]) && $url[&#39;port&#39;] != &#39;80&#39; ? $url[&#39;host&#39;].&#39;:&#39;.$url[&#39;port&#39;] : $url[&#39;host&#39;];    
     if($referer_host != $_SERVER[&#39;HTTP_HOST&#39;])    
     {    
        header_status_404();    
     }    
     }    
     }    
     
     global_inject_input($_POST, array(&#39;%0d%0a&#39;));    
     global_inject_input($_REQUEST, array(&#39;%0d%0a&#39;));    
     }    
     
     /**    
      * 全局安全过滤函数    
      */    
     function global_inject_input($string, $inject_string, $replace = false)    
     {    
     if(!is_array($string))    
     {    
     foreach($inject_string as $value)    
     {    
     if(stripos(strtolower($string), $value) !== false)    
     {    
                     header_status_404();    
     }    
     }    
     if($replace)    
     {    
     return filter_var(safe_replace($string),FILTER_SANITIZE_STRING);    
     }    
     else    
     {    
        return $string;    
     }    
     }    
     
     foreach($string as $key => $val)    
     {    
     $string[$key] = global_inject_input($val, $inject_string, $replace);    
     }    
     
     return $string;    
     }    
     
     /**    
      * http 头信息    
     **/    
     function header_status_404($status = &#39;404&#39;)    
     {    
        if(substr(php_sapi_name(), 0, 3) == &#39;cgi&#39;)    
     {    
        header(&#39;Status: &#39;.$status, TRUE);    
        exit;    
     }    
        else    
        {    
     header($_SERVER[&#39;SERVER_PROTOCOL&#39;].&#39; &#39;.$status);    
     $error_404 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n";    
     $error_404 .= "<html><head>\r\n";    
     $error_404 .= "<title>404 Not Found</title>\r\n";    
     $error_404 .= "</head><body>\r\n";    
     $error_404 .= "<h1>Object not found!</h1>\r\n";    
     $error_404 .= "<p>The requested URL was not found on this server!~</p>\r\n";    
     $error_404 .= "<h2>Error 404</h2></body></html>";    
     echo $error_404;    
     exit;    
     }    
     }    
     
     /**    
      * 安全过滤函数    
      *    
      * @param $string    
      * @return string    
      */    
     function safe_replace($string)    
     {    
     $string = str_replace(&#39;%20&#39;, &#39;&#39;, $string);    
     $string = str_replace(&#39;%27&#39;, &#39;&#39;, $string);    
     $string = str_replace(&#39;%2527&#39;, &#39;&#39;, $string);    
     $string = str_replace(&#39;*&#39;, &#39;&#39;, $string);    
     $string = str_replace(&#39;"&#39;, &#39;&quot;&#39;, $string);    
     $string = str_replace("&#39;", &#39;&#39;, $string);    
     $string = str_replace(&#39;"&#39;, &#39;&#39;, $string);    
     $string = str_replace(&#39;;&#39;, &#39;&#39;, $string);    
     $string = str_replace(&#39;<&#39;, &#39;&lt;&#39;, $string);    
     $string = str_replace(&#39;>&#39;, &#39;&gt;&#39;, $string);    
     $string = str_replace("{", &#39;&#39;, $string);    
     $string = str_replace(&#39;}&#39;, &#39;&#39;, $string);    
     return $string;    
     }

相关推荐:

浅析php过滤html字符串,防止SQL注入

详细介绍PHP过滤常见html标签的正则表达式

The above is the detailed content of Web security to prevent sql injection is multi-filtering with PHP filtering function. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn