过滤不安全字符串,如^等.防止sql注入的.
解决方案 »
- 我使用xdebug,生成的多个trace文件,哪个先生成,哪个后生成,怎么看
- 用什么方法 能阻挡 locus7s 攻击
- Warning: ob_start() [ref.outcontrol]: output handler 'ob_gzhandler' conflicts with 'zlib output comp
- 请问这样的页面如何用curl登录
- 在MYSQL里面我要写一个4000字左右的字段用什么字符串比较好 谢谢各位了
- 在空间服务商那买了个mysql的空间,怎么把本地的表放上去?
- 【招聘】土豆网高薪诚聘(上海)
- 很久没有用php了,问几个问题,关于时间比较等
- vBulletin 3.0.0 的快速回复在哪里?没有掉了么?
- php和javascript 的结合的一个问题!
- 数据库编码的疑问
- 请问下这段代码的意思 ?
首先使用 addslashes() 函数过滤接收的各种变量。
其次不管是数字类型还是字符类型都用 '' 比如:$id = addslashes($id);
$u_name = addslashes($u_name);sql语句:$sql = "select * from some_table where id = '$id'";or$sql = "select * from some_table where u_name like '$u_name'";这样构造出来的查询语句基本上被 ' ' 阻挡了。
if( !get_magic_quotes_gpc() )
{
if( is_array($_GET) )
{
while( list($k, $v) = each($_GET) )
{
if( is_array($_GET[$k]) )
{
while( list($k2, $v2) = each($_GET[$k]) )
{
$_GET[$k][$k2] = addslashes($v2);
}
reset($_GET[$k]);
}
else
{
$_GET[$k] = addslashes($v);
}
}
reset($_GET);
} if( is_array($_POST) )
{
while( list($k, $v) = each($_POST) )
{
if( is_array($_POST[$k]) )
{
while( list($k2, $v2) = each($_POST[$k]) )
{
$_POST[$k][$k2] = addslashes($v2);
}
reset($_POST[$k]);
}
else
{
$_POST[$k] = addslashes($v);
}
}
reset($_POST);
} if( is_array($_COOKIE) )
{
while( list($k, $v) = each($_COOKIE) )
{
if( is_array($_COOKIE[$k]) )
{
while( list($k2, $v2) = each($_COOKIE[$k]) )
{
$_COOKIE[$k][$k2] = addslashes($v2);
}
reset($_COOKIE[$k]);
}
else
{
$_COOKIE[$k] = addslashes($v);
}
}
reset($_COOKIE);
}
}
/**
* XSS Clean
*
* Sanitizes data so that Cross Site Scripting Hacks can be
* prevented. This function does a fair amount of work but
* it is extremely thorough, designed to prevent even the
* most obscure XSS attempts. Nothing is ever 100% foolproof,
* of course, but I haven't been able to get anything passed
* the filter.
*
* Note: This function should only be used to deal with data
* upon submission. It's not something that should
* be used for general runtime processing.
*
* This function was based in part on some code and ideas I
* got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
*
* To help develop this script I used this great list of
* vulnerabilities along with a few other hacks I've
* harvested from examining vulnerabilities in other programs:
* http://ha.ckers.org/xss.html
*
* @access public
* @param string
* @return string
*/
function xss_clean($str, $charset = 'ISO-8859-1')
{
/*
* Remove Null Characters
*
* This prevents sandwiching null characters
* between ascii characters, like Java\0script.
*
*/
$str = preg_replace('/\0+/', '', $str);
$str = preg_replace('/(\\\\0)+/', '', $str); /*
* Validate standard character entities
*
* Add a semicolon if missing. We do this to enable
* the conversion of entities to ASCII later.
*
*/
$str = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"\\1;",$str);
/*
* Validate UTF16 two byte encoding (x00)
*
* Just as above, adds a semicolon if missing.
*
*/
$str = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"\\1\\2;",$str); /*
* URL Decode
*
* Just in case stuff like this is submitted:
*
* <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
*
* Note: Normally urldecode() would be easier but it removes plus signs
*
*/
$str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
$str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
/*
* Convert character entities to ASCII
*
* This permits our tests below to work reliably.
* We only convert entities that are within tags since
* these are the ones that will pose security problems.
*
*/
if (preg_match_all("/<(.+?)>/si", $str, $matches))
{
for ($i = 0; $i < count($matches['0']); $i++)
{
$str = str_replace($matches['1'][$i],
$this->_html_entity_decode($matches['1'][$i], $charset),
$str);
}
}
/*
* Not Allowed Under Any Conditions
*/
$bad = array(
'document.cookie' => '[removed]',
'document.write' => '[removed]',
'window.location' => '[removed]',
"javascript\s*:" => '[removed]',
"Redirect\s+302" => '[removed]',
'<!--' => '<!--',
'-->' => '-->'
);
foreach ($bad as $key => $val)
{
$str = preg_replace("#".$key."#i", $val, $str);
}
/*
* Convert all tabs to spaces
*
* This prevents strings like this: ja vascript
* Note: we deal with spaces between characters later.
*
*/
$str = preg_replace("#\t+#", " ", $str);
/*
* Makes PHP tags safe
*
* Note: XML tags are inadvertently replaced too:
*
* <?xml
*
* But it doesn't seem to pose a problem.
*
*/
$str = str_replace(array('<?php', '<?PHP', '<?', '?>'), array('<?php', '<?PHP', '<?', '?>'), $str);
/*
* Compact any exploded words
*
* This corrects words like: j a v a s c r i p t
* These words are compacted back to their correct state.
*
*/
$words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
foreach ($words as $word)
{
$temp = '';
for ($i = 0; $i < strlen($word); $i++)
{
$temp .= substr($word, $i, 1)."\s*";
}
$temp = substr($temp, 0, -3);
$str = preg_replace('#'.$temp.'#s', $word, $str);
$str = preg_replace('#'.ucfirst($temp).'#s', ucfirst($word), $str);
}
/*
* Remove disallowed Javascript in links or img tags
*/
$str = preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $str);
$str = preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si", "", $str);
$str = preg_replace("#<(script|xss).*?\>#si", "", $str); /*
* Remove JavaScript Event Handlers
*
* Note: This code is a little blunt. It removes
* the event handler and anything up to the closing >,
* but it's unlikely to be a problem.
*
*/
$str = preg_replace('#(<[^>]+.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU',"\\1>",$str);
/*
* Sanitize naughty HTML elements
*
* If a tag containing any of the words in the list
* below is found, the tag gets converted to entities.
*
* So this: <blink>
* Becomes: <blink>
*
*/
$str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "<\\1\\2\\3>", $str);
/*
* Sanitize naughty scripting elements
*
* Similar to above, only instead of looking for
* tags it looks for PHP and JavaScript commands
* that are disallowed. Rather than removing the
* code, it simply converts the parenthesis to entities
* rendering the code un-executable.
*
* For example: eval('some code')
* Becomes: eval('some code')
*
*/
$str = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2(\\3)", $str);
/*
* Final clean up
*
* This adds a bit of extra precaution in case
* something got through the above filters
*
*/
$bad = array(
'document.cookie' => '[removed]',
'document.write' => '[removed]',
'window.location' => '[removed]',
"javascript\s*:" => '[removed]',
"Redirect\s+302" => '[removed]',
'<!--' => '<!--',
'-->' => '-->'
);
foreach ($bad as $key => $val)
{
$str = preg_replace("#".$key."#i", $val, $str);
}
log_message('debug', "XSS Filtering completed");
return $str;
}
//出错后要跳转的url,不填则默认前一页
$StrGoUrl="http://www.996.com.cn/index.php";
//是否存在数组中的值
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}//合并$_POST 和 $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
}//验证开始
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
echo "<script language=\"javascript\">alert(\"非法字符\");</script>";
if (empty($StrGoUrl)){
echo "<script language=\"javascript\">history.go(-1);</script>";
}else{
echo "<script language=\"javascript\">window.location=\"".$StrGoUrl."\";</script>";
}
exit;
}
}