PHP anti-injection configuration and PHP anti-injection code

1. Upload safe.func.php to the directory of the files to be included

2. In the page to add protection, there are two ways, according to the situation two choose one:

a). Add code to the page you want to protect

Require_once (' safe.func.php ');
You can do the page to prevent injection, cross station
If you want to stop the whole station, it is in a common file in the website, such as the database link file config.inc.php!
Add require_once (' safe.func.php ') to invoke this code

The safe.func.php code is as follows:

The code is as follows

Copy Code

<?php /** * Anti-injection * * "<br><br> Operation IP:". $_server["REMOTE_ADDR"]. " <br> operation time: ". Strftime ("%y-%m-%d%h:%m:%s ")." <br> Action page: ". $_server[" Php_self "]." <br> Submission Method: ". $_server[" Request_method "." <br> Submit parameters: ". $StrFiltKey." <br> submit data: ". $StrFiltValue); */ function Safe_custom_error ($errno, $errstr, $errfile, $errline) { echo "<b>error number:</b> [$errno],error on line $errline in $errfile <br/>"; Die (); } Set_error_handler ("Safe_custom_error", e_error); function Safe_stop_attack ($k, $v, $method =0) { $filter = Array ( "'| (and|or). +? (>|<|=|in|like) |/*.+?*/|<s*script|exec| Union.+? Select| Update.+? Set| Inserts+into.+? values| (select| DELETE). +? From| (create| alter| drop| TRUNCATE) s+ (table| DATABASE) ",//get "(And|or). {1,6}? (=|>|<|in|like) |/*.+?*/|<s*script|exec| Union.+? Select| Update.+? Set| Inserts+into.+? values| (select| DELETE). +? From| (create| alter| drop| TRUNCATE) s+ (table| DATABASE) "//post, Cookie ); $filter = Isset ($filter [$method])? $filter [$method]: $filter [0]; if (Is_array ($v)) { $v = implode ($v); } if (Preg_match ("/") $filter. "/is", $v) = = 1) { Exit ("This operation is logged.) Please do not continue the illegal operation. "); } } if (Isset ($_get)) { foreach ($_get as $k => $v) safe_stop_attack ($k, $v, 0); } if (Isset ($_post)) { foreach ($_post as $k => $v) safe_stop_attack ($k, $v, 1); } if (Isset ($_cookie)) { foreach ($_cookie as $k => $v) safe_stop_attack ($k, $v, 1); }

Better for anti-SQL injection

The code is as follows

Copy Code

<?php /* Filter all get over variable */ foreach ($_get as $get _key=> $get _var) { if (is_numeric ($get _var)) { $get [Strtolo Wer ($get _key)] = Get_int ($get _var); } else { $get [Strtolower ($get _key)] = Get_str ($get _var); } } /* Filter all POST over variable */ foreach ($_post as $post _key=> $post _var) {  if (is_numeric ($post _var))  {    $post [Strtolower ($post _key)] = Get_int ($post _var);    else   {    $post [Strtolower ($post _key)] = Get_str ($post _var);  } } /* Filter function */ //integer filter function function Get_int ($number) {  return intval ($number); } //String filter function function get_str ($string) {  if (!GET_MAGIC_QUOTES_GPC ())  {    return addslashes ($string);  }  return $string; }

In addition to the direct injection in PHP we can also configure php.ini files

。 We first use any editing tool to open/usr/local/php/etc/php.ini, and if you are installing in a different way, the profile may not be in that directory.

(1) Open PHP Safe Mode PHP Safe mode is a very important embedded security mechanism, can control some PHP functions, such as system (),

At the same time, a lot of file operation functions are controlled by permissions, also do not allow some key file files, such as/etc/passwd,
But the default php.ini is not open safe mode, we turn it on:
Safe_mode = On

(2) User group security

When the Safe_mode is turned on, the Safe_mode_gid is turned off, so the PHP script can access the file and the same
Users of a group can also access files.
The recommended setting is:

Safe_mode_gid = Off If it is not set, we may not be able to operate on the files in our server web directory, such as we need
When you are working on a file.

(3) Safe Mode executable Program Home directory

If Safe mode is open, but you want to execute some programs, you can specify the home directory where you want to execute the program:

Safe_mode_exec_dir = D:/usr/bin

In general, there is no program to perform, so it is recommended not to execute the System program directory, you can point to a directory,
Then copy the program that needs to be executed, such as:

Safe_mode_exec_dir = D:/tmp/cmd

However, I recommend that you do not execute any programs, then you can point to our web directory:

Safe_mode_exec_dir = d:/usr/www

(4) Include files in Safe mode

If you want to include some public files in Safe mode, modify the options:

Safe_mode_include_dir = d:/usr/www/include/In fact, the general PHP script contains files are in the program itself has been written, this can be set according to the specific needs.

(5) Control the directory that the PHP script can access

Using the Open_basedir option to control PHP scripts can only access the specified directory, so that you can avoid PHP script access
Files that should not be accessed, to some extent limit the harm of phpshell, we can generally set to access only the site directory:

Open_basedir = d:/usr/www

(6) Close the dangerous function

If Safe mode is turned on, the function prohibition is not necessary, but we consider it for security. Like what
We don't feel like executing PHP functions that can execute commands, including system (), or can view PHP information
Phpinfo () and so on, then we can ban them:

Disable_functions = System,passthru,exec,shell_exec,popen,phpinfo If you want to disable the operation of any files and directories, you can turn off many file operations

Disable_functions = Chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, Rmdir,rename, File,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above is just a list of not commonly used file processing functions, you can also perform the above command function and this function combined,
will be able to resist most of the Phpshell.

(7) Turn off the disclosure of PHP version information in HTTP headers

In order to prevent hackers from obtaining information about the PHP version of the server, you can turn off the information ramp in the HTTP header:

expose_php = off such as hackers in Telnet www.12345.com 80, then will not be able to see the PHP information.

(8) Turning off registration of global variables

Variables submitted in PHP, including those submitted using post or get, are automatically registered as global variables and can be accessed directly.
This is very unsafe for the server, so we cannot have it registered as a global variable and turn off the registration global variable option:
Register_globals = Off
Of course, if you set this up, then you need to get the corresponding variable in a reasonable way, such as getting the variable var of get commit,
Then you need to use $_get[' var ' to get it, the PHP programmer should pay attention.

(9) Open MAGIC_QUOTES_GPC to prevent SQL injection

SQL injection is a very dangerous problem, small web site backstage was invaded, heavy the entire server fell,

So be sure to be careful. There is a setting in php.ini:

MAGIC_QUOTES_GPC = Off

This default is turned off, and if it is turned on, it will automatically convert the user to the SQL query.
For example, the ' switch ' and so on, which has a significant effect on preventing SQL injection. So we recommend setting it to:

MAGIC_QUOTES_GPC = On

(10) Error information control

General PHP is not connected to the database or other circumstances will be prompted error, the general error message will contain PHP script when
Before the path information or query SQL statements, such as information, such information provided to hackers, is not secure, so the general server recommended to prohibit error prompts:

Display_errors = Off If you are trying to display an error message, be sure to set the level at which the error is displayed, such as displaying only the information above the warning:

error_reporting = e_warning & E_error Of course, I recommend that you turn off the error prompts.

(11) Error log

It is recommended that the error message can be logged after the display_errors is turned off to make it easier to find out why the server is running:

Log_errors = On also to set the directory where the error log resides, it is recommended that the log of the root Apache be present together:

Error_log = D:/usr/local/apache2/logs/php_error.log Note: The file must allow Apache users and groups to have write permission.