This article summarizes almost all possible PHP anti-SQL Injection code.
Determine the XP_CMDSHELL executable status
WEB virtual directory discovered
Upload ASP, php, and jsp Trojans;
Obtain the Administrator permission;
// PHP site-wide anti-injection program; it must be included from the shared (public) file via require_once
// Determine the magic_quotes_gpc status
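// Escape every request value once.  magic_quotes_gpc (deprecated 7.4, removed
// in PHP 8) already added slashes when it was on, so escaping must only be done
// when the runtime did NOT do it; as printed, the original ran sec() when magic
// quotes were on, which double-escapes.  function_exists() keeps this from
// being a fatal "undefined function" call on PHP 8.
// Blanket addslashes() is not a substitute for prepared statements; treat it
// as a last line of defence only.
if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
    $_GET    = sec($_GET);
    $_POST   = sec($_POST);
    $_COOKIE = sec($_COOKIE);
    $_FILES  = sec($_FILES);
}
// $_SERVER was never covered by magic quotes, so it is escaped unconditionally.
$_SERVER = sec($_SERVER);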
// Recursively escape a request value (or tree of values) with addslashes().
// Strings get addslashes(); ints/floats are truncated with intval(); arrays are
// walked element by element; anything else is returned untouched.  The argument
// is taken by reference, so the caller's variable is rewritten as well as
// returned.  addslashes() is charset-unaware; for real SQL safety use
// parameter binding at the query site.
function sec(&$array)
{
    if (is_array($array)) {
        foreach ($array as $key => $element) {
            $array[$key] = sec($element);
        }
        return $array;
    }
    if (is_string($array)) {
        $array = addslashes($array);
    } elseif (is_numeric($array)) {
        $array = intval($array);
    }
    return $array;
}
1. Integer parameter judgment
When the input parameter YY is an integer, the SQL statement in abc. asp is generally as follows:
Select * from table name where field = YY, so you can use the following steps to test whether SQL Injection exists.
① HTTP: // xxx. xxx. xxx/abc. asp? P = YY '(with a single quotation mark attached), the SQL statement in abc. ASP becomes
Select * from table name where field = YY ', abc. asp running exception;
② HTTP: // xxx. xxx. xxx/abc. asp? P = YY and 1 = 1, abc. asp is running normally, and it works properly with HTTP: // xxx. xxx. xxx/abc. asp? P = YY: The running result is the same;
③ HTTP: // xxx. xxx. xxx/abc. asp? P = YY and 1 = 2, abc. asp running exception;
If the preceding three steps are fully met, the SQL injection vulnerability exists in abc. asp.
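// Validate an integer request parameter and return it as an int.
// Aborts the request (die) when the value is missing, trips the keyword
// blocklist, or is not numeric.  Fixes: the original called the non-existent
// is_numetic(), and rejected a legitimate "0" because it tested !$id.
function num_check($id)
{
    if ($id === null || $id === '') {
        die('parameter cannot be blank!');
    }
    if (inject_check($id)) {
        die('invalid parameter');
    }
    if (!is_numeric($id)) {
        die('invalid parameter');
    }
    // intval() truncates floats/numeric strings; that is the intended contract.
    return intval($id);
}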
// Character filtering function
// Character filtering function: reject anything the keyword blocklist flags,
// then HTML-encode what remains.  htmlspecialchars() is output encoding for
// HTML, not an SQL escape, so query code still needs parameter binding.
function str_check($str)
{
    if (inject_check($str)) {
        die('invalid parameter');
    }
    return htmlspecialchars($str);
}
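// Prepare a user search term for use inside an SQL LIKE pattern and for HTML
// output.  The LIKE wildcards "_" and "%" are escaped with a backslash so the
// term is matched literally (assumes the default MySQL ESCAPE character); as
// printed, the original replaced each character with itself, a no-op.  The
// backslash itself is left alone because sec()/addslashes() in this file
// already escapes it, and doing it twice would corrupt the term.
function search_check($str)
{
    $str = str_replace(array('_', '%'), array('\\_', '\\%'), $str);
    return htmlspecialchars($str);
}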
// Form filter function
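// Form filter function: enforce an optional byte-length range on a string
// field, then strip any slashes added by magic quotes / addslashes().
// $min / $max may be null (or omitted) to skip the respective bound.
// Fixes: the original used bitwise "&" where "&&" was meant, and put $min/$max
// inside single quotes so the message printed the literal text "$min".
function post_check($str, $min = null, $max = null)
{
    $len = strlen($str);   // byte length, matching the wording of the messages
    if (isset($min) && $len < $min) {
        die("minimum $min byte");
    } elseif (isset($max) && $len > $max) {
        die("maximum $max byte");
    }
    return stripslashes_array($str);
}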
When the input parameter YY is a string, the SQL statement in abc. php is generally as follows:
Select * from table name where field = 'yy', so you can use the following steps to test whether SQL Injection exists.
① HTTP: // xxx. xxx. xxx/abc. php? P = YY '(with a single quotation mark attached), the SQL statement in abc. ASP becomes
Select * from table name where field = YY ', abc. asp running exception;
② HTTP: // xxx. xxx. xxx/abc. php? P = YY &; nb... 39; 1' = '1', abc. php runs normally, and it works with HTTP: // xxx. xxx. xxx/abc. asp? P = YY: The running result is the same;
③ HTTP: // xxx. xxx. xxx/abc. php? P = YY &; nb... 39; 1' = '2', abc. php running exception;
If the preceding three steps are fully met, the SQL injection vulnerability exists in abc. asp.
// Anti-injection Function
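// Anti-injection Function: returns 1 when $sql_str contains a blocklisted SQL
// keyword, a single quote or a path-traversal fragment, else 0.
// eregi() was removed in PHP 7, so this is the preg_match() equivalent; the
// list is reconstructed from the partly garbled original, reading the obvious
// typo "inert" as "insert" (a lone "*" may also have been in the original).
// A keyword blocklist is both bypassable and prone to false positives ("into"
// in "intonation", the apostrophe in "it's"); treat it as a tripwire only and
// rely on parameterised queries for actual SQL safety.
function inject_check($sql_str)
{
    $pattern = "/select|insert|update|delete|'|\\/\\*|\\.\\.\\/|\\.\\/|union|into|load_file|outfile/i";
    return preg_match($pattern, $sql_str);
}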
// Undo addslashes() on a value or, recursively, on every string inside an
// array.  Non-string, non-array values pass through untouched.  The argument
// is by reference, so the caller's variable is rewritten as well as returned.
// Note: a second, different definition of stripslashes_array appears later in
// this file; PHP does not allow redeclaring a function, so only one of the two
// can actually be loaded.
function stripslashes_array(&$array)
{
    if (is_string($array)) {
        $array = stripslashes($array);
        return $array;
    }
    if (!is_array($array)) {
        return $array;
    }
    foreach ($array as $key => $element) {
        $array[$key] = stripslashes_array($element);
    }
    return $array;
}
// Php batch filter post and get sensitive data
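// If the runtime still has magic quotes (removed in PHP 8), it has already
// slashed the request; undo that so the application sees raw values and does
// its own escaping exactly once.  function_exists() avoids a fatal call on
// PHP 8, and $_COOKIE is included because magic_quotes_gpc quoted cookies too.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = stripslashes_array($_GET);
    $_POST   = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}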
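// Second definition of stripslashes_array in this file (the first is above);
// PHP refuses to redeclare a function, so only one of the two can be loaded.
// This variant strips slashes from string / nested-array entries but skips the
// keys "argc"/"argv" and any ALL-UPPERCASE key (server/environment style
// names) unless that key is integer-like.  Returns the (by-reference) array.
// Fixes: each() was removed in PHP 8 and is replaced by foreach; the key
// comparisons now use === so an integer key 0 is no longer mistaken for
// "argc" under PHP 7's loose comparison.
function stripslashes_array(&$array)
{
    foreach ($array as $key => $var) {
        if ($key === 'argc' || $key === 'argv') {
            continue;
        }
        $key_str = (string) $key;
        // Loose "!=" kept on purpose for the numeric test so that e.g. "007"
        // still counts as integer-like, exactly as the original behaved.
        if (strtoupper($key_str) === $key_str && '' . intval($key) != "$key") {
            continue;
        }
        if (is_string($var)) {
            $array[$key] = stripslashes($var);
        } elseif (is_array($var)) {
            $array[$key] = stripslashes_array($var);
        }
    }
    return $array;
}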
// Filter
function htmlencode($str)
{
    // NOTE(review): as printed, nearly every str_replace() below maps a literal
    // to itself, so the entity/keyword encoding this function was meant to do
    // (htmldecode() below is its inverse) has been lost in extraction; the
    // literals should be read as placeholders to restore, not as intended
    // behaviour.  Only the replacements that still differ are noted inline.
    // Rewriting SQL keywords in input is not a defence against SQL injection;
    // parameterised queries are, and htmlspecialchars() covers HTML output.
    if (empty($str)) return;              // empty("0") is true, so "0" yields null
    if ($str = "") return $str;           // BUG: "=" assigns, so this never returns here; $str is now "" and everything below runs on ""
    $str = trim($str);
    $str = str_replace("&", "&", $str);   // identity as printed (presumably an entity was meant)
    $str = str_replace(">", ">", $str);   // identity as printed
    $str = str_replace("<", "<", $str);   // identity as printed
    $str = str_replace(chr(32), "", $str);  // deletes spaces as printed (replacement lost)
    $str = str_replace(chr(9), "", $str);   // deletes tabs as printed
    $str = str_replace(chr(9), "", $str);   // duplicate of the line above
    $str = str_replace(chr(34), "&", $str); // double quote -> "&" as printed
    $str = str_replace(chr(39), "'", $str); // identity (single quote -> single quote)
    $str = str_replace(chr(13), "<br/>", $str); // CR -> <br/>: intact
    $str = str_replace("'", "'' ", $str);   // doubles single quotes SQL-style, with a trailing space as printed
    $str = str_replace("select", "select", $str);  // keyword lines: identity as printed
    $str = str_replace("SCRIPT", "SCRIPT", $str);
    $str = str_replace("script", "script", $str);
    $str = str_replace("join", "join", $str);
    $str = str_replace("union", "union", $str);
    $str = str_replace("where", "where", $str);
    $str = str_replace("insert", "insert", $str);
    $str = str_replace("delete", "delete", $str);
    $str = str_replace("update", "update", $str);
    $str = str_replace("like", "like", $str);
    $str = str_replace("drop", "drop", $str);
    $str = str_replace("create", "create", $str);
    $str = str_replace("modify", "modify", $str);
    $str = str_replace("rename", "rename", $str);
    $str = str_replace("alter", "alter", $str);
    $str = str_replace("cast", "cas", $str);       // truncates "cast" -> "cas"; htmldecode() restores it
    return $str;
}
// Decoding
function htmldecode($str)
{
    // Inverse of htmlencode() above.  NOTE(review): as printed, most search
    // strings are identical to their replacement or are empty (str_replace()
    // with an empty needle leaves the subject unchanged), so the entity names
    // this function originally decoded were lost in extraction.  Only the
    // replacements that still differ are noted inline.
    if (empty($str)) return;              // empty("0") is true, so "0" yields null
    if ($str = "") return $str;           // BUG: "=" assigns; never returns here and $str is now ""
    $str = str_replace("select", "select", $str);  // keyword lines: identity as printed
    $str = str_replace("join", "join", $str);
    $str = str_replace("union", "union", $str);
    $str = str_replace("where", "where", $str);
    $str = str_replace("insert", "insert", $str);
    $str = str_replace("delete", "delete", $str);
    $str = str_replace("update", "update", $str);
    $str = str_replace("like", "like", $str);
    $str = str_replace("drop", "drop", $str);
    $str = str_replace("create", "create", $str);
    $str = str_replace("modify", "modify", $str);
    $str = str_replace("rename", "rename", $str);
    $str = str_replace("alter", "alter", $str);
    $str = str_replace("cas", "cast", $str);       // undoes htmlencode()'s "cast" -> "cas"
    $str = str_replace("&", "&", $str);   // identity as printed
    $str = str_replace(">", ">", $str);   // identity as printed
    $str = str_replace("<", "<", $str);   // identity as printed
    $str = str_replace("", chr(32), $str);  // empty needle: no-op as printed
    $str = str_replace("", chr(9), $str);   // empty needle: no-op as printed
    $str = str_replace("", chr(9), $str);   // duplicate of the line above
    $str = str_replace("&", chr(34), $str); // "&" -> double quote as printed (mirrors htmlencode)
    $str = str_replace("'", chr(39), $str); // identity (single quote -> single quote)
    $str = str_replace("<br/>", chr(13), $str); // <br/> -> CR: intact
    $str = str_replace("'' ", "'", $str);   // collapses the doubled quote (plus trailing space) back to one
    return $str;
}
// Function: string_filter ($ string, $ match_type = 1)
// Function: filter illegal content
// Parameters:
// $ String to be checked
// $match_type: 1 = exact match, 2 = fuzzy match; default value: 1
//
// Return: if illegal content exists, True is returned. If no illegal content exists, False is returned.
// Others: the list of illegal keywords is saved in the txt file, which is divided into two lists: Common and severe illegal keywords
// Author: heiyeluren
// Time: 2006-1-18
//
// ================================================ ======================================
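// Check $string against two keyword-list files; returns true when illegal
// content is found, false otherwise (including when the lists are unreadable).
// $match_type 1 = exact match against the common list, 2 = fuzzy match against
// both lists.  Fixes: the original used "=" (assignment) in both $match_type
// tests and a bitwise "|" in the file check, and left $is_lawless undefined
// for any other $match_type; empty lines are now skipped when reading the
// lists because an empty fuzzy pattern matches every string.
function lib_lawless_string_filter($string, $match_type = 1)
{
    $string = trim($string);
    if ($string === '') {
        return false;
    }
    // Relative paths resolve against the current working directory, not this
    // file's directory — TODO(review): consider anchoring them with __DIR__.
    $common_file  = "common_list.txt";  // list of common filter keywords
    $signify_file = "signify_list.txt"; // list of important filter keywords
    if (!is_readable($common_file) || !is_readable($signify_file)) {
        return false;
    }
    $common_list  = file($common_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    $signify_list = file($signify_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($common_list === false || $signify_list === false) {
        return false;
    }
    $is_lawless = false;
    if ($match_type == 1) {
        $is_lawless = exact_match($string, $common_list);
    } elseif ($match_type == 2) {
        $is_lawless = blur_match($string, $common_list, $signify_list);
    }
    // The matchers return a non-empty array of hits, or false.
    return is_array($is_lawless) && !empty($is_lawless);
}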
//---------------------
// Exact match for the filtering Service
//---------------------
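// Exact (case-insensitive) match of $string against the common keyword list.
// Returns the unique list of matching entries, or false when none match.
// Fix: the original interpolated the user-supplied $string unescaped into
// preg_match("/^$string$/i"), so any regex metacharacter in the checked text
// changed or broke the pattern (regex injection, possible pathological
// backtracking); a plain strcasecmp() expresses the same whole-string test.
function exact_match($string, $common_list)
{
    $string = lib_replace_end_tag(trim($string));
    // lib_replace_end_tag() returns false for an empty input.
    if (!is_string($string) || $string === '') {
        return false;
    }
    $blist = array();
    foreach ($common_list as $block) {
        $block = trim($block);
        if ($block !== '' && strcasecmp($string, $block) === 0) {
            $blist[] = $block;
        }
    }
    return empty($blist) ? false : array_unique($blist);
}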
//----------------------
// Fuzzy match for filtering
//----------------------
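// Fuzzy match: exact hits from the common list plus substring hits from the
// severe list (only for entries no longer than the raw input).  Returns the
// unique list of matching entries, or false when none match.
// Fixes: both the user-supplied $string and the list entries were interpolated
// unescaped into regexes (regex injection); an empty list entry matched every
// string; and the bitwise "&" is now a short-circuit "&&".
function blur_match($string, $common_list, $signify_list)
{
    $string = trim($string);
    $s_len  = strlen($string);            // measured before tag stripping, as before
    $string = lib_replace_end_tag($string);
    // lib_replace_end_tag() returns false for an empty input.
    if (!is_string($string) || $string === '') {
        return false;
    }
    $blist = array();
    foreach ($common_list as $block) {
        $block = trim($block);
        if ($block !== '' && strcasecmp($string, $block) === 0) {
            $blist[] = $block;
        }
    }
    foreach ($signify_list as $block) {
        $block = trim($block);
        if ($block === '') {
            continue;                     // an empty pattern would match everything
        }
        // The keyword file is data, not a regex: quote it before interpolating.
        $pattern = '/' . preg_quote($block, '/') . '/i';
        if ($s_len >= strlen($block) && preg_match($pattern, $string)) {
            $blist[] = $block;
        }
    }
    return empty($blist) ? false : array_unique($blist);
}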
//--------------------------
// Replace the HTML tail tag for the filtering Service
//--------------------------
function lib_replace_end_tag($str)
{
    // Normalise the text before it is compared with the keyword lists: HTML-
    // encode it, drop slashes and the (exact-case) <script> tags, then apply
    // the same keyword/entity rewrites as htmldecode().  Returns false for an
    // empty input.  NOTE(review): as in htmlencode()/htmldecode(), most of the
    // str_replace() pairs below are identical or have an empty needle as
    // printed, so the original rewrite targets were lost in extraction; only
    // the lines that still change the string are noted inline.
    // Stripping "<script>" by exact case and mangling SQL keywords is not a
    // defence against XSS or SQL injection; it only affects what the matcher
    // sees.
    if (empty($str)) return false;
    $str = htmlspecialchars($str);
    $str = str_replace('/', "", $str);      // removes every slash
    $str = str_replace("", "", $str);       // empty needle: no-op as printed
    $str = str_replace("& gt", "", $str);   // removes the literal "& gt" (as printed)
    $str = str_replace("& lt", "", $str);   // removes the literal "& lt" (as printed)
    $str = str_replace("<SCRIPT>", "", $str);   // note: htmlspecialchars() above has already turned "<" into "&lt;", so these four never match
    $str = str_replace("</SCRIPT>", "", $str);
    $str = str_replace("<script>", "", $str);
    $str = str_replace("</script>", "", $str);
    $str = str_replace("select", "select", $str);  // keyword lines: identity as printed
    $str = str_replace("join", "join", $str);
    $str = str_replace("union", "union", $str);
    $str = str_replace("where", "where", $str);
    $str = str_replace("insert", "insert", $str);
    $str = str_replace("delete", "delete", $str);
    $str = str_replace("update", "update", $str);
    $str = str_replace("like", "like", $str);
    $str = str_replace("drop", "drop", $str);
    $str = str_replace("create", "create", $str);
    $str = str_replace("modify", "modify", $str);
    $str = str_replace("rename", "rename", $str);
    $str = str_replace("alter", "alter", $str);
    $str = str_replace("cas", "cast", $str);       // "cas" -> "cast", mirroring htmldecode()
    $str = str_replace("&", "&", $str);     // identity as printed
    $str = str_replace(">", ">", $str);     // identity as printed
    $str = str_replace("<", "<", $str);     // identity as printed
    $str = str_replace("", chr(32), $str);  // empty needle: no-op as printed
    $str = str_replace("", chr(9), $str);   // empty needle: no-op as printed
    $str = str_replace("", chr(9), $str);   // duplicate of the line above
    $str = str_replace("&", chr(34), $str); // "&" -> double quote as printed
    $str = str_replace("'", chr(39), $str); // identity
    $str = str_replace("<br/>", chr(13), $str); // <br/> -> CR
    $str = str_replace("'' ", "'", $str);   // collapses a doubled quote (plus trailing space) to one
    $str = str_replace("css", "'", $str);   // "css" -> single quote as printed (target presumably lost)
    $str = str_replace("CSS", "'", $str);   // "CSS" -> single quote as printed
    return $str;
    // HTML tag, which can be used as extension Filter (unreachable: after the return above)
    /*
    $tags = array("/html", "/head", "/body", "/div", "/span", "/DOCTYPE", "/title", "/link", "/meta", "/style", "/p", "/h1,", "/h2,", "/h3,", "/h4,", "/h5,", "/h6", "/strong", "/em", "/abbr", "/acronym", "/address", "/bdo", "/blockquote", "/cite", "/q", "/code", "/ins", "/del", "/dfn", "/kbd", "/pre", "/samp", "/var", "/br", "/a", "/img", "/area", "/map", "/object", "/param", "/ul", "/ol", "/li", "/dl", "/dt", "/dd", "/table", "/tr", "/td", "/th", "/tbody", "/thead", "/tfoot", "/col", "/colgroup", "/caption", "/form", "/input", "/textarea", "/select", "/option", "/optgroup", "/button", "/label", "/fieldset", "/legend", "/script", "/noscript", "/B", "/I", "/tt", "/sub", "/sup", "/big", "/small", "/hr");
    */
}
It is used like this:
$xxx = htmlspecialchars($_POST['xxx']);
or
$xxx = htmlspecialchars($_GET['xxx']);