php防注入新的和一些过滤代码
最近由于自身需求,整理了一份php防注入的代码,分享出来,欢迎指正。
1.不希望执行包括system()等在那的能够执行命令的php函数,或者能够查看php信息的 phpinfo()等函数,那么我们就可以禁止它们: disable_functions = system,passthru,exec,shell_exec,popen,phpinfo 2. 打开magic_quotes_gpc来防止SQL注入(php5.4之后已移除该函数) php.ini中有一个设置: magic_quotes_gpc = Off 这个默认是关闭的,如果它打开后将自动把用户提交对sql的查询进行转换, 比如把 ' 转为 \'等,这对防止sql注射有重大作用。所以我们推荐设置为: magic_quotes_gpc = On 3.一般服务器建议禁止错误提示(php.ini):display_errors = Off 4.建议在关闭display_errors后能够把错误信息记录下来,便于查找服务器运行的原因: log_errors = On 同时也要设置错误日志存放的目录,建议根apache的日志存在一起: error_log = usr/local/apache2/logs/php_error.log
在网站的入口文件添加一下代码(一般是index.php,这个看自身需求绝对放在那里),我将这段代码放在我的项目入口文件里面:
if (ini_get('magic_quotes_gpc')) { function stripslashesRecursive(array $array) { foreach ($array as $k => $v) { if (is_string($v)) { $array[$k] = stripslashes(trim($v)); } else if (is_array($v)) { $array[$k] = stripslashesRecursive($v); } } return $array; } if($_GET)$_GET = stripslashesRecursive($_GET); if($_POST)$_POST = stripslashesRecursive($_POST); } function array_safe_replace(array $array) { foreach ($array as $k => $v) { if (is_string($v)) { $string = $v; $string = str_replace('%20','',$string); $string = str_replace('%27','',$string); $string = str_replace('%2527','',$string); $string = str_replace('*','',$string); $string = str_replace('"','"',$string); $string = str_replace("'",'',$string); $string = str_replace('"','',$string); $string = str_replace(';','',$string); $string = str_replace('<','<',$string); $string = str_replace('>','>',$string); $string = str_replace("{",'',$string); $string = str_replace('}','',$string); $string = str_replace('\\','',$string); $string = str_replace('script','',$string); $string = str_replace('insert','',$string); $string = str_replace('update','',$string); $string = str_replace('delete','',$string); $string = str_replace('select','',$string); $string = str_replace('drop','',$string); $string = str_replace('eval','',$string); //防sql注入 $string=preg_replace("/insert/i", "",$string); $string=preg_replace("/update/i", "",$string); $string=preg_replace("/delete/i", "",$string); $string=preg_replace("/select/i", "",$string); $string=preg_replace("/drop/i", "",$string); $string=preg_replace("/load_file/i", "",$string); $string=preg_replace("/outfile/i", "",$string); $string=preg_replace("/into/i", "",$string); $string=preg_replace("/exec/i", "",$string); $string=preg_replace("/caipiao_/i", "",$string); $string=preg_replace("/union/i", "",$string); $string=preg_replace("/(add|change)\s+column/i", "",$string); $string=preg_replace("/(select|update|delete)\s+\S*\s+from/i", "",$string); $string=preg_replace("/insert\s+into/i", "",$string); $string=preg_replace("/show\s+(databases|tables|index|columns)/i", "",$string); $string=preg_replace("/alter\s+(database|table)/i", "",$string); //防js注入 $string=preg_replace("/(eval|alert|prompt|msgbox)\s*\(.*\)/i", "",$string); $string=preg_replace("/script/i", "",$string); $string=preg_replace("/\w+\s*=\s*(\"|')?(java|vb)script:\S*(\"|')?/i", "",$string); $array[$k] = $string; } else if (is_array($v)) { $array[$k] = array_safe_replace($v); } } return $array; } //返回过滤后的请求数据 if($_GET)$_GET = array_safe_replace($_GET); if($_POST)$_POST = array_safe_replace($_POST);