Prerequisite is that we need to have the server's administrative rights, that is, you can modify the php.ini file, the following I would like to introduce the modification of PHP configuration file to prevent SQL injection method has to learn the friend can refer to.
To be safe, you can open the Safe mode of the "php.ini" file, set "Safe_mode=on", and the "display_erros" option that displays the PHP execution error message will return a lot of available information to the intruder if it is turned on, so set it to " Display_erros=off "so that the information after the PHP function execution error will not be displayed in the client's browser.
In addition, there is a very important configuration option in the file, if the "MAGIC_QUOTES_GPC" item is set to "on", the PHP program automatically converts the user-submitted variables to include "'", "" "," "and" "automatically into the escape character with backslash. This option is similar to the parameter filtering in ASP programs, which can be used to prevent most character injection attacks.
A program is pretty good if you don't have server admin rights
| The code is as follows |
Copy Code |
Class Sqlsafe {
Private $getfilter = "' | (And|or) \b.+? (>|<|=|in|like) |\/\*.+?\*\/|<\s*script\b|\bexec\b| Union.+? Select| Update.+? Set| Insert\s+into.+? values| (select| DELETE). +? From| (create| alter| drop| TRUNCATE) \s+ (table| DATABASE) ";
Private $postfilter = "\b (and|or) \b.{1,6}?" (=|>|<|\bin\b|\blike\b) |\/\*.+?\*\/|<\s*script\b|\bexec\b| Union.+? Select| Update.+? Set| Insert\s+into.+? values| (select| DELETE). +? From| (create| alter| drop| TRUNCATE) \s+ (table| DATABASE) ";
Private $cookiefilter = "\b (and|or) \b.{1,6}?" (=|>|<|\bin\b|\blike\b) |\/\*.+?\*\/|<\s*script\b|\bexec\b| Union.+? Select| Update.+? Set| Insert\s+into.+? values| (select| DELETE). +? From| (create| alter| drop| TRUNCATE) \s+ (table| DATABASE) ";
/**
* Constructor function
*/
Public Function __construct () {
foreach ($_get as $key = $value) {$this->stopattack ($key, $value, $this->getfilter);}
foreach ($_post as $key = $value) {$this->stopattack ($key, $value, $this->postfilter);}
foreach ($_cookie as $key = $value) {$this->stopattack ($key, $value, $this->cookiefilter);}
}
/**
* parameter check and write log
*/
Public Function Stopattack ($StrFiltKey, $StrFiltValue, $ArrFiltReq) {
if (Is_array ($StrFiltValue)) $StrFiltValue = implode ($StrFiltValue);
if (Preg_match ("/". $ArrFiltReq. " /is ", $StrFiltValue) = = 1) {
$this->writeslog ($_server["REMOTE_ADDR"]. " ". Strftime ("%y-%m-%d%h:%m:%s ")." ". $_server[" Php_self "]." ". $_server[" Request_method "]." ". $StrFiltKey." ". $StrFiltValue);
ShowMsg (' You submitted the parameter is illegal, the system has recorded your this operation! ', ', 0, 1);
}
}
/**
* SQL injection Log
*/
Public Function Writeslog ($log) {
$log _path = cache_path. ' Logs '. Directory_separator. ' Sql_log.txt ';
$ts = fopen ($log _path, "A +");
Fputs ($ts, $log. " RN ");
Fclose ($ts);
}
}
?> |
http://www.bkjia.com/PHPjc/629633.html www.bkjia.com true http://www.bkjia.com/PHPjc/629633.html techarticle prerequisite is that we need to have the server's administrative rights, that is, you can modify the php.ini file, the following I would like to introduce the modified PHP configuration file to prevent SQL injection method has to learn the friend can ...
