Php application security protection technology research _ PHP Tutorial

Source: Internet
Author: User
Tags php write
Php application security protection technology research. PHP Security Defense program model Copy code: * PHP anti-injection cross-site V1.0 add at the top of your page: require ("menzhi_injection.php"); to achieve general prevention of SQL injection, PHP Security Defense program model

The code is as follows:

/* PHP anti-injection cross-site V1.0
Add require ("menzhi_injection.php") at the top of your page ");
To prevent SQL injection and cross-site XSS vulnerabilities.
################## Defects and improvements ##################
There are still many defects in the program. I hope you can help improve it.
################## Reference and appreciation ##################
Neeao 'asp SQL universal anti-injection program V3.0
Some code can be found in Discuz!
Error_reporting (0 );
Define ('Magic _ QUOTES_GPC ', get_magic_quotes_gpc ());
$ Menzhi_injection = "'|; | and | (|) | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | or | char | declare ";
$ Menzhi_injection = explode ("|", $ menzhi_injection );
Foreach (array ('_ get',' _ post', '_ COOKIE', '_ request') as $ _ REQUEST ){
Foreach ($ _ request as $ _ key => $ _ value ){
// $ _ Value = strtolower ($ _ value );
$ _ Key {0 }! = '_' & $ _ Key = daddslashes ($ _ value );
Foreach ($ menzhi_injection as $ kill_key => $ kill_value ){
If (substr_count ($ _ value, $ kill_value)> 0 ){
Echo "";
Unset ($ _ value );
Exit ();
// Echo"
". $ _ Value;
Function daddslashes ($ string ){
If (is_array ($ string )){
Foreach ($ string as $ key => $ val ){
$ String [$ key] = daddslashes ($ val );
} Else {
$ String = addslashes ($ string );
$ String = preg_replace ('/& (# (\ d {} | x [a-fA-F0-9] {4});)/', '& \ 1 ', str_replace (array ('&', '"', '<', '>'), array ('&', '"', '<', '> '), $ string ));
Return $ string;

Instructions for Use
Add "require (" menzhi_injection.php ");" at the top of your page to prevent SQL injection and cross-site XSS vulnerabilities. To call this program, we use require () instead of include (), because if the require () call file fails, the program will be terminated. include () does not care. In addition, when require () calls a file, the program first calls the file. Inculde () is run to this row before execution starts. Based on the function features, we select require (). You can also add or delete filter characters in the $ menzhi_injection variable as needed to achieve better defense. In addition, you can modify the code on your own, which may be an unexpected result. Normal injection can defend against attacks. The following test is only for ridicule. the test result of a Trojan is as follows:

Hey, you can call it at the top of your page. Remember "require (" menzhi_injection.php. This is just a gimmick of interest to everyone. Please test it on your own.
Defects and to be improved
Because this program is only an external call, it only processes the variables submitted by the external, and does not perform system analysis on your application, so there are many limitations, please use it with caution. For programs using GBK encoding, there is also a risk of dual-byte encoding, although this program can handle this vulnerability. However, to curb these vulnerabilities, we still need to start from the root cause. To process the database connection file, we can add character_set_client = binary. Discuz! 7.0 of database connection classes db_mysql.class.php write very well, you can refer to for reference. Of course, these are not the scope of this small program.
In addition, this program does not filter the $ _ SERVER $ _ ENV $ _ FILES system variables. For example, when the $ _ SERVER ['http _ X_FORWARDED_FOR '] system obtains an IP address, hackers can hijack and modify the original HTTP request package to change its value. this program can handle these vulnerabilities. But as a programmer, what we need is to process external variables at the root of the source, to prevent them from happening before they happen. let's plan ahead.
The program is very messy. You are welcome to test it. please contact me if you have any suggestions.
Finally, I wish you a successful learning and a smooth job. I would like to pay tribute to all the PHPers who have worked hard.

The authorization code is as follows:/* PHP anti-injection cross-site V1.0 add at the top of your page: require ("menzhi_injection.php"); to achieve general protection against SQL injection ,...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.