Home > Article > Backend Development > Web security to prevent sql injection is multi-filtering with PHP filtering function
这篇文章主要介绍了关于web安全防sql注入就是多过滤附PHP过滤函数 ,有着一定的参考价值,现在分享给大家,有需要的朋友可以参考一下
SQL注入与跨站攻击过滤函数,支持SQL注入,跨站脚本攻击和跨站POST提交等常见安全过滤。
<?php /** * 全局安全过滤函数 * 支持SQL注入和跨站脚本攻击 */ function global_filter() { //APP,ACT 分别为控制器和控制器方法 $params = array(APP, ACT); foreach($params as $k => $v) { if(!preg_match("/^[a-zA-Z0-9_-]+$/", $v)) { header_status_404(); } } $arrStr = array('%0d%0a', "'", '<', '>', '$', 'script', 'document', 'eval','atestu','select','insert?into','delete?from'); global_inject_input($_SERVER['HTTP_REFERER'], $arrStr, true); global_inject_input($_SERVER['HTTP_USER_AGENT'], $arrStr, true); global_inject_input($_SERVER['HTTP_ACCEPT_LANGUAGE'], $arrStr, true); global_inject_input($_GET, array_merge($arrStr, array('"')), true); //global_inject_input($_COOKIE, array_merge($arrStr, array('"', '&')), true); //cookie会有对url的记录(pGClX_last_url)。去掉对&的判断 global_inject_input($_COOKIE, array_merge($arrStr, array('"')), true); global_inject_input($_SERVER, array('%0d%0a'), true); //处理跨域POST提交问题 if($_SERVER['REQUEST_METHOD'] == 'POST') { //处理客户端POST请求处理没有HTTP_REFERER参数问题 if(isset($_SERVER['HTTP_REFERER'])) { $url = parse_url($_SERVER['HTTP_REFERER']); $referer_host = !empty($url['port']) && $url['port'] != '80' ? $url['host'].':'.$url['port'] : $url['host']; if($referer_host != $_SERVER['HTTP_HOST']) { header_status_404(); } } } global_inject_input($_POST, array('%0d%0a')); global_inject_input($_REQUEST, array('%0d%0a')); } /** * 全局安全过滤函数 */ function global_inject_input($string, $inject_string, $replace = false) { if(!is_array($string)) { foreach($inject_string as $value) { if(stripos(strtolower($string), $value) !== false) { header_status_404(); } } if($replace) { return filter_var(safe_replace($string),FILTER_SANITIZE_STRING); } else { return $string; } } foreach($string as $key => $val) { $string[$key] = global_inject_input($val, $inject_string, $replace); } return $string; } /** * http 头信息 **/ function header_status_404($status = '404') { if(substr(php_sapi_name(), 0, 3) == 'cgi') { header('Status: '.$status, TRUE); exit; } else { header($_SERVER['SERVER_PROTOCOL'].' '.$status); $error_404 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n"; $error_404 .= "<html><head>\r\n"; $error_404 .= "<title>404 Not Found</title>\r\n"; $error_404 .= "</head><body>\r\n"; $error_404 .= "<h1>Object not found!</h1>\r\n"; $error_404 .= "<p>The requested URL was not found on this server!~</p>\r\n"; $error_404 .= "<h2>Error 404</h2></body></html>"; echo $error_404; exit; } } /** * 安全过滤函数 * * @param $string * @return string */ function safe_replace($string) { $string = str_replace('%20', '', $string); $string = str_replace('%27', '', $string); $string = str_replace('%2527', '', $string); $string = str_replace('*', '', $string); $string = str_replace('"', '"', $string); $string = str_replace("'", '', $string); $string = str_replace('"', '', $string); $string = str_replace(';', '', $string); $string = str_replace('<', '<', $string); $string = str_replace('>', '>', $string); $string = str_replace("{", '', $string); $string = str_replace('}', '', $string); return $string; }
相关推荐:
The above is the detailed content of Web security to prevent sql injection is multi-filtering with PHP filtering function. For more information, please follow other related articles on the PHP Chinese website!