A collection of PHP anti-injection and XSS general-purpose filters (PHPXSS)
There are many ways to launch an XSS attack against a web site, and simply calling a few of PHP's built-in filter functions does not settle the matter: even if you use filter_var, mysql_real_escape_string (the mysql_* extension itself was removed in PHP 7; use PDO or mysqli), htmlentities, htmlspecialchars and strip_tags, nothing guarantees absolute safety.
So how do you prevent XSS? The core of it is still validating and filtering user data. What follows is not a complete treatment, just a few tips:
1. Assume that all user input is "evil".
2. In a weakly typed scripting language, make sure every value's type matches what you expect.
3. Write regular expressions carefully.
4. Functions such as strip_tags and htmlspecialchars are very useful.
5. External JavaScript is not necessarily trustworthy.
6. Pay special attention to filtering quotation marks.
7. Remove unnecessary HTML comments.
8. Internet Explorer, please spare me ...
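As an added example (not code from the original post), here is what tips 1 and 2 look like in practice: instead of trying to "clean" hostile input, reject anything that does not match the type and shape the application expects. The field names, rules and sample requests are illustrative assumptions; it needs PHP 7.4 or later for the arrow functions.

```php
<?php
// Added example, not code from the original post: validate untrusted input by
// type and whitelist instead of trying to "clean" it (tips 1 and 2 above).
// Field names and rules are illustrative assumptions.
declare(strict_types=1);

/**
 * Run each rule against the matching request field. A rule receives the raw
 * string and returns the normalised value, or null to reject it. Fields that
 * are missing or are not plain strings (id[]=1 makes $_GET['id'] an array)
 * are rejected as well.
 *
 * @throws InvalidArgumentException listing every field that failed
 */
function validate(array $input, array $rules): array
{
    $clean  = [];
    $failed = [];
    foreach ($rules as $field => $rule) {
        $raw   = $input[$field] ?? null;
        $value = is_string($raw) ? $rule($raw) : null;
        if ($value === null) {
            $failed[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }
    if ($failed !== []) {
        throw new InvalidArgumentException('invalid fields: ' . implode(', ', $failed));
    }
    return $clean;
}

$rules = [
    // Numeric id: FILTER_VALIDATE_INT rejects "42 OR 1=1", "0x2a" and "42abc".
    // min_range 1 also means a valid id is never 0, so "?: null" is safe here.
    'id'    => fn(string $v): ?int => filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) ?: null,
    // Username: explicit character whitelist with a length bound; \A and \z
    // anchor the whole string (a trailing newline would slip past $).
    'user'  => fn(string $v): ?string => preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $v) === 1 ? $v : null,
    // Sort order: a closed set of allowed values, compared strictly.
    'sort'  => fn(string $v): ?string => in_array($v, ['asc', 'desc'], true) ? $v : null,
    // Email: the built-in validator, not a home-grown regex.
    'email' => fn(string $v): ?string => filter_var($v, FILTER_VALIDATE_EMAIL) ?: null,
];

// Constructed sample requests.
$good = ['id' => '42', 'user' => 'alice_01', 'sort' => 'desc', 'email' => 'alice@example.com'];
$bad  = ['id' => '42 OR 1=1', 'user' => '<svg onload=alert(1)>', 'sort' => 'asc; DROP TABLE users', 'email' => ['x@y']];

var_dump(validate($good, $rules));   // typed, normalised values only

try {
    validate($bad, $rules);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;  // every field of $bad is rejected
}
```

The point of the design is that a rejected request never reaches a query or a template, so there is nothing left to "filter"; output encoding (method one below) still applies to whatever is eventually rendered.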
Method one: PHP's htmlspecialchars and htmlentities functions
Example
PHP prevents XSS (cross-site scripting) by passing untrusted text through htmlspecialchars(), which encodes the characters that matter in an HTML context, including single and double quotes.
When using htmlspecialchars(), watch the second argument. If you call htmlspecialchars($string) with no flags on PHP versions before 8.1, the default is ENT_COMPAT, which only converts double quotes (") and leaves single quotes (') untouched, so a value injected into a single-quoted attribute can still break out. (PHP 8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.)
So in most cases htmlspecialchars should be given its second parameter explicitly: htmlspecialchars($string, ENT_QUOTES). If you genuinely do not want quotes converted at all, use htmlspecialchars($string, ENT_NOQUOTES); that is only acceptable when the value is never placed inside an attribute.
In addition, prefer htmlspecialchars over htmlentities where possible. For pure ASCII/English text the two behave identically and either reaches the goal. With Chinese text, however, htmlentities converts every character that has a named entity, and if the charset argument does not match the string's encoding it mangles the multi-byte characters it does not recognise.
Both functions also handle the single quote poorly with their default flags, and in any case they are encoders for an HTML context: a string converted with htmlentities or htmlspecialchars only mitigates XSS and does nothing against SQL injection, which needs parameterised queries (PDO or mysqli prepared statements).
Every output statement, such as echo or print, should pass the value through htmlentities() (or htmlspecialchars()) before printing; that is what blocks XSS. For Chinese content pass the charset explicitly, e.g. htmlentities($name, ENT_NOQUOTES, 'GB2312') on a GB2312 page or 'UTF-8' on a UTF-8 page (since PHP 5.4 the default charset is UTF-8).
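Added example, not part of the original post: the same constructed attacker value encoded for each output context it might land in, showing why ENT_QUOTES matters and why HTML encoding does nothing for SQL. The helper names html(), js(), url() and findUser() are my own; the last part assumes PHP 7.3 or later with the pdo_sqlite extension loaded, and the users table is a placeholder.

```php
<?php
// Added example, not code from the original post. Encoding the same
// untrusted value for each output context it might land in.
declare(strict_types=1);

// Constructed attacker input: closes a single-quoted attribute and adds a handler.
$name = "x' onmouseover='alert(1)";

// HTML body and attribute context. ENT_QUOTES encodes both ' and ", and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// JavaScript string literal inside a <script> block. json_encode() yields a
// valid JS literal; the JSON_HEX_* flags also escape <, >, &, ' and " so the
// literal cannot terminate the script element or an attribute.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// URL query component (percent-encoding); HTML-encode again when placed in href.
function url(string $s): string
{
    return rawurlencode($s);
}

// ENT_COMPAT (the pre-8.1 default) leaves the single quote alone.
$compat = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
echo "<input value='$compat'>", PHP_EOL;           // the ' still closes the attribute
echo "<input value='", html($name), "'>", PHP_EOL; // quote is encoded, attribute stays intact
echo "<script>var n = ", js($name), ";</script>", PHP_EOL;
echo '<a href="/search?q=', html(url($name)), '">link</a>', PHP_EOL;

// SQL is a different sink: HTML encoding does nothing for it. A prepared
// statement keeps the value out of the query text entirely.
function findUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory SQLite stands in for the real database (assumes pdo_sqlite is loaded).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

var_dump(findUser($db, 'alice'));        // the stored row
var_dump(findUser($db, "' OR '1'='1")); // matched as a literal string, so no row comes back
```

Each helper is tied to one sink; the mistake the page warns about is using the HTML encoder (or addslashes) as if it were a universal cleaner and then placing the result in an attribute, a script block or a query.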
Method two: a general-purpose xss_clean() function (nothing more to say, here is the function)
Example
This is the blacklist-style cleaner that circulates between PHP frameworks. It normalises HTML entities, strips event-handler and xmlns attributes, neutralises javascript:, vbscript: and -moz-binding: URLs and CSS expression() tricks, and removes a fixed set of dangerous tags. Being a blacklist, it is defence in depth, not a replacement for encoding at the point of output.

```php
function xss_clean($data)
{
    // Fix &entity\n; : double-encode the three basic entities first so that
    // the html_entity_decode() below cannot turn them back into raw < > &,
    // then normalise numeric entities that are padded with control characters
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols (and -moz-binding:), even when
    // the keyword is split up with control characters or whitespace
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do {
        // Remove really unwanted tags; loop because removing one tag can
        // expose another (e.g. <scr<script>ipt> becomes <script>)
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // we are done...
    return $data;
}
```
Method three: a request-wide SafeFilter() applied to $_GET, $_POST and $_COOKIE

```php
<?php
// PHP anti-injection and XSS attack general-purpose filtering. by QQ:831937
$_GET    && SafeFilter($_GET);
$_POST   && SafeFilter($_POST);
$_COOKIE && SafeFilter($_COOKIE);

function SafeFilter(&$arr)
{
    $ra = array(
        // non-printing C0 control characters (the original pattern stopped at
        // \x19 and had stray commas inside the class; both corrected here)
        '/[\x00-\x08\x0b\x0c\x0e-\x1f]/',
        '/script/', '/javascript/', '/vbscript/', '/expression/', '/applet/', '/meta/',
        '/xml/', '/blink/', '/link/', '/style/', '/embed/', '/object/', '/frame/',
        '/layer/', '/title/', '/bgsound/', '/base/',
        '/onload/', '/onunload/', '/onchange/', '/onsubmit/', '/onreset/', '/onselect/',
        '/onblur/', '/onfocus/', '/onabort/', '/onkeydown/', '/onkeypress/', '/onkeyup/',
        '/onclick/', '/ondblclick/', '/onmousedown/', '/onmousemove/', '/onmouseout/',
        '/onmouseover/', '/onmouseup/', '/onunload/',
    );

    if (is_array($arr)) {
        foreach ($arr as $key => $value) {
            if (!is_array($value)) {
                // Do not call addslashes() again when magic_quotes_gpc has already
                // escaped the input, to avoid double escaping. get_magic_quotes_gpc()
                // was removed in PHP 8.0, so test for it before calling it.
                if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
                    // Prefix single quote ('), double quote ("), backslash (\) and NUL with a backslash
                    $value = addslashes($value);
                }
                // Remove non-printing characters and brute-force strip suspicious XSS strings
                $value = preg_replace($ra, '', $value);
                // Strip HTML and PHP tags, then convert the remainder to HTML entities
                $arr[$key] = htmlentities(strip_tags($value));
            } else {
                SafeFilter($arr[$key]);
            }
        }
    }
}
?>
```

Note that this is a case-sensitive substring blacklist: it mutilates legitimate input ("description" loses its "script", "subtitle" loses "title"), mixed-case forms such as ScRiPt pass the list and are only caught because strip_tags() and htmlentities() run afterwards, and addslashes() on every field is not a substitute for prepared statements. Treat it, like xss_clean() above, as a coarse last line of defence and still encode at the point of output.
Source: http://www.bkjia.com/PHPjc/1054513.html