随心的博客

好记性不如个烂笔头,随心记录!

返回顶部

PHP防止跨站攻击的脚本

直接把该文件放置到入口文件中即可防止对应的跨站攻击

 1 <?php
 2 //防止跨站攻击脚本
 3 $referer=empty($_SERVER['HTTP_REFERER']) ? array() : array($_SERVER['HTTP_REFERER']);
 4 function customError($errno, $errstr, $errfile, $errline)
 5 { 
 6     echo "<b>Error number:</b> [$errno],error on line $errline in $errfile<br />";
 7     die();
 8 }
 9 set_error_handler("customError",E_ERROR);
10 
11 $getfilter="'|<[^>]*?>|^\\+\/v(8|9)|\\b(and|or)\\b.+?(>|<|=|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
12 $postfilter="^\\+\/v(8|9)|\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|<\\s*img\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
13 $cookiefilter="\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
14 function StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq){  
15 
16     $StrFiltValue=arr_foreach($StrFiltValue);
17     if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue)==1){   
18             refreshto("http://www.qp1001.com","您的提交带有不合法参数,谢谢合作!");
19             exit();
20     }
21     if (preg_match("/".$ArrFiltReq."/is",$StrFiltKey)==1){   
22             refreshto("http://www.qp1001.com","您的提交带有不合法参数,谢谢合作!");
23             exit();
24     }  
25 } 
26 
27 foreach($_GET as $key=>$value){ 
28     StopAttack($key,$value,$getfilter);
29 }
30 foreach($_POST as $key=>$value){ 
31     StopAttack($key,$value,$postfilter);
32 }
33 foreach($_COOKIE as $key=>$value){ 
34     StopAttack($key,$value,$cookiefilter);
35 }
36 foreach($referer as $key=>$value){ 
37     StopAttack($key,$value,$getfilter);
38 }
39 
40 function arr_foreach($arr) {
41     static $str;
42     if (!is_array($arr)) {
43     return $arr;
44     }
45     foreach ($arr as $key => $val ) {
46 
47     if (is_array($val)) {
48         arr_foreach($val);
49     } else {
50 
51       $str[] = $val;
52     }
53     }
54     return implode($str);
55 }
56 ?>

 

posted @ 2013-07-05 10:13  yangphp  阅读(567)  评论(0编辑  收藏  举报