Home  >  Article  >  php教程  >  从360提供的PHP防SQL注入代码改成的一个类

从360提供的PHP防SQL注入代码改成的一个类

PHP中文网
PHP中文网Original
2016-05-25 17:09:14889browse

从360提供的PHP防SQL注入代码改成的一个类

前些天做的一个网站在百度搜索时竟然提示“安全联盟提醒您:该网站存在安全风险,请谨慎访问!”,于是就开始拼命的找解决方案,最终从SQL注入和HTTP跨站两个方面解决了问题,在这里记录一下。

<?php
class sqlsafe {
	private $getfilter = "&#39;|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
	private $postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
	private $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
	/**
	 * 构造函数
	 */
	public function __construct() {
		foreach($_GET as $key=>$value){$this->stopattack($key,$value,$this->getfilter);}
		foreach($_POST as $key=>$value){$this->stopattack($key,$value,$this->postfilter);}
		foreach($_COOKIE as $key=>$value){$this->stopattack($key,$value,$this->cookiefilter);}
	}
	/**
	 * 参数检查并写日志
	 */
	public function stopattack($StrFiltKey, $StrFiltValue, $ArrFiltReq){
		if(is_array($StrFiltValue))$StrFiltValue = implode($StrFiltValue);
		if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue) == 1){   
			$this->writeslog($_SERVER["REMOTE_ADDR"]."    ".strftime("%Y-%m-%d %H:%M:%S")."    ".$_SERVER["PHP_SELF"]."    ".$_SERVER["REQUEST_METHOD"]."    ".$StrFiltKey."    ".$StrFiltValue);
			showmsg(&#39;您提交的参数非法,系统已记录您的本次操作!&#39;,&#39;&#39;,0,1);
		}
	}
	/**
	 * SQL注入日志
	 */
	public function writeslog($log){
		$log_path = CACHE_PATH.&#39;logs&#39;.DIRECTORY_SEPARATOR.&#39;sql_log.txt&#39;;
		$ts = fopen($log_path,"a+");
		fputs($ts,$log."\r\n");
		fclose($ts);
	}
}
?>

                   

 以上就是从360提供的PHP防SQL注入代码改成的一个类的内容,更多相关内容请关注PHP中文网(www.php.cn)!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:PHP的AES加密类Next article:PostgreSQL DB 简单操作类