PHP正規(正則)表達式比對防止SQL注入

PHP正規(正則)表達式比對防止SQL注入

Comments 0 Comment

PHP正規(正則)表達式比對防止SQL注入

資料來源: http://www.51itstudy.com/it/article/2469.html

https://www.cnblogs.com/yydcdut/p/3496855.html

http://www.wuliaoy.com/pro/47.html

https://www.ctolib.com/topics-88220.html


01. 

<?php

include("config.php");
if($_GET["id"])
{
   $_GET["id"]=inject_check($_GET["id"]);
   echo $id;
}
 

function inject_check($sql_str) 
{
   $check= eregi('select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile', $sql_str);
   if($check)
   {
    echo "非法字符!";
     exit();
   }else
   {
     return $sql_str;
   }
}
?>

02.

<?php 
function customError($errno, $errstr, $errfile, $errline) 
{ 
    echo "<b>Error number:</b> [$errno],error on line $errline in $errfile<br />"; 
    die(); 
}
 
set_error_handler("customError",E_ERROR); 
$getfilter="'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; 
$postfilter="\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; 
$cookiefilter="\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; 

function StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq)
{    
    if(is_array($StrFiltValue)) 
    { 
        $StrFiltValue=implode($StrFiltValue); 
    } 
    if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue)==1&&!isset($_REQUEST['securityToken']))
    { 
        slog("<br><br>操作IP: ".$_SERVER["REMOTE_ADDR"]."<br>操作时间: ".strftime("%Y-%m-%d %H:%M:%S")."<br>操作页面:".$_SERVER["PHP_SELF"]."<br>提交方式: ".$_SERVER["REQUEST_METHOD"]."<br>提交参数: ".$StrFiltKey."<br>提交数据: ".$StrFiltValue); 
        print "result notice:Illegal operation!"; 
        exit(); 
    } 
} 
foreach($_GET as $key=>$value)
{ 
    StopAttack($key,$value,$getfilter); 
} 
foreach($_POST as $key=>$value)
{ 
    StopAttack($key,$value,$postfilter); 
} 
foreach($_COOKIE as $key=>$value)
{ 
    StopAttack($key,$value,$cookiefilter); 
} 
   
function slog($logs) 
{ 
    $toppath="log.htm"; 
    $Ts=fopen($toppath,"a+"); 
    fputs($Ts,$logs."\r\n"); 
    fclose($Ts); 
} 
?>

03.

<?php
function strCheck($str)
{
    $check = preg_match('/select|insert|update|delete|\#|\'|\\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $str);
    if ($check) {
        exit("<script>
                alert('请勿非法操作!');
                window.history.back(-1);    
            </script>");
    } else {
        return $str;
    }
}

$loginname = strCheck($_POST["loginname"]);
?>

04. 

<?PHP
//https://www.ctolib.com/topics-88220.html
//PHP整站防注入程序,需要在公共文件中require_once本文件
//判断magic_quotes_gpc状态
if (@get_magic_quotes_gpc ()) 
{
	$_GET = sec ( $_GET );
	$_POST = sec ( $_POST );
	$_COOKIE = sec ( $_COOKIE );
	$_FILES = sec ( $_FILES );
}

$_SERVER = sec ( $_SERVER );

function sec(&$array)
{
	//如果是数组,遍历数组,递归调用
	if (is_array ( $array ))
	{
		foreach ( $array as $k => $v )
		{
			$array [$k] = sec ( $v );
		}
	} else if (is_string ( $array )) 
	{
		//使用addslashes函数来处理
		$array = addslashes ( $array );
	} 
	else if (is_numeric ( $array )) 
	{
		$array = intval ( $array );
	}
	return $array;
}

//整型过滤函数
function num_check($id) 
{
	if (! $id)
	{
		die ( '参数不能为空!' );
	} //是否为空的判断
	else if (inject_check ( $id )) 
	{
		die ( '非法参数' );
	} //注入判断
	else if (! is_numetic ( $id )) 
	{
		die ( '非法参数' );
	}
	//数字判断
	$id = intval ( $id );
	//整型化
	return $id;
}

//字符过滤函数
function str_check($str)
{
	if (inject_check ( $str ))
	{
		die ( '非法参数' );
	}
	//注入判断
	$str = htmlspecialchars ( $str );
	//转换html
	return $str;
}

function search_check($str)
{
	$str = str_replace ( "_", "\_", $str );
	//把"_"过滤掉
	$str = str_replace ( "%", "\%", $str );
	//把"%"过滤掉
	$str = htmlspecialchars ( $str );
	//转换html
	return $str;
}

//表单过滤函数
function post_check($str, $min, $max)
{
	if (isset ( $min ) && strlen ( $str ) < $min) {
	die ( '最少$min字节' );
	} else if (isset ( $max ) && strlen ( $str ) > $max) {
	die ( '最多$max字节' );
	}
	return stripslashes_array ( $str );
}

//防注入函数
function inject_check($sql_str)
{
	return eregi ( 'select|inert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|UNION|into|load_file|outfile', $sql_str );
	// 进行过滤,防注入
}

function stripslashes_array(&$array)
{
	if (is_array ( $array ))
	{
		foreach ( $array as $k => $v )
		{
			$array [$k] = stripslashes_array ( $v );
		}
	}
	else if (is_string ( $array ))
	{
		$array = stripslashes ( $array );
	}
	return $array;
}
?>

發表迴響

你的電子郵件位址並不會被公開。 必要欄位標記為 *