- class sqlsafe {
- private $getfilter = "'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+ ?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+? FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
- private $postfilter = "\b(and|or)\b.{1,6}?(=|>|< |\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET| INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
- private $cookiefilter = "\b(and|or )\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b |\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+( TABLE|DATABASE)";
- /**
- *コンストラクター
- */
- public function __construct() {
- foreach($_GET as $key=>$value){$this->stop Attack($key,$value, $this->getfilter);}
- foreach($_POST as $key=>$value){$this->stop Attack($key,$value,$this->postfilter);}
- foreach($ _COOKIE as $key=>$value){$this->stop Attack($key,$value,$this->cookiefilter);}
- }
- /**
- * パラメータのチェックとログの書き込み
- */
- public function stop Attack($ StrFiltKey, $StrFiltValue, $ArrFiltReq){
- if(is_array($StrFiltValue))$StrFiltValue = implode($StrFiltValue);
- if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue) == 1 ){
- $this->writeslog($_SERVER["REMOTE_ADDR"]." ".strftime("%Y-%m-%d %H:%M:%S")." ".$_SERVER[" PHP_SELF"]." ".$_SERVER["REQUEST_METHOD"]." ".$StrFiltValue);
- showmsg('您提交的パラメータ非法,系统已记录您的本次操作!',' ',0,1);
- }
- }
- /**
- *SQL インジェクションログ
- */
- public function writeslog($log){
- $log_path = CACHE_PATH.'logs'.DIRECTORY_SEPARATOR.'sql_log.txt';
- $ts = fopen($log_path,"a+");
- fputs($ts,$log."rn");
- fclose($ts);
- }
- }
- ?>
|
