PHP implementation to prevent cross-site and XSS attack steps detailed

This time to bring you PHP implementation to prevent cross-site and XSS attack steps in detail, PHP implementation to prevent cross-site and XSS attacks on the attention of what, the following is the actual case, take a look.

Document Description:

1. Upload the waf.php to the directory of the files to be included

2. To add protection to the page, there are two ways to do so, depending on the situation two, select one:

a). Add code to the page you need to protect

Require_once (' waf.php ');

Can do page anti-injection, cross-site

If you want to prevent the whole station, it is in a common file of the website, such as database link file config.inc.php!

Add require_once('waf.php'); to invoke this code

Frequently used PHP system to add files

Phpcms V9 \phpcms\base.php
PHPWIND8.7 \data\sql_config.php
DEDECMS5.7 \data\common.inc.php
DiscuzX2 \config\config_global.php
Wordpress \wp-config.php
Metinfo \include\head.php

b). Add code at the top of each file

Found in php.ini:

Automatically add files before or after any PHP document.

Auto_prepend_file = waf.php path;

PHP file waf.php

<?php/* Cloud Physical Examination Universal Vulnerability Protection Patch v1.1 UPDATED: 2013-05-25 function Description: Protection Xss,sql, code execution, file contains a variety of high-risk vulnerabilities */$url _arr=array (' xss ' = ') \\=\\+\\/v ( ?: 8|9|\\+|\\/) |\\%0acontent\\-(?: id|location|type|transfer\\-encoding) "," $args _arr=array (' xss ' = "\ \ \ \ \\\" \ \;\\*\\<\\>].*\\bon[a-za-z]{3,15}[\\s\\r\\n\\v\\f]*\\=|\\b (?: expression) \ \ (|\\<script[\\s\\\\\\/]|\\ <\\!\\[cdata\\[|\\b (?: Eval|alert|prompt|msgbox) \\s*\\ (|url\\ (?: \ \#|data|javascript) ", ' sql ' = =" [^\\{\\s]{1} (\\s|\\b) + (?: Select\\b|update\\b|insert (?:( \\/\\*.*?\\*\\/)| (\\s) | (\\+)) +into\\b). +? (?: from\\b|set\\b) | [^\\{\\s]{1} (\\s|\\b) + (?: Create|delete|drop|truncate|rename|desc) (?:( \\/\\*.*?\\*\\/)| (\\s) | (\\+)) + (?: table\\b|from\\b|database\\b) |into (?:( \\/\\*.*?\\*\\/) |\\s|\\+) + (?:d ump|out) file\\b|\\bsleep\\ ([\\s]*[\\d]+[\\s]*\\) |benchmark\\ ([^\\,]*] \ \ ([^\\,] *)\\)| (?:d eclare|set|select) \\b.*@|union\\b.* (?: Select|all) \\b| (?: Select|update|insert|create|delete|drop|grant|truncate|rename|exec|desc|from|table|database|set|where) \\b.* (Charset|ascii|bin|char|uncompresS|concat|concat_ws|conv|export_set|hex|instr|left|load_file|locate|mid|sub|substring|oct|reverse|right|unhex) \ \(| (?: master\\.\\.sysdatabases|msysaccessobjects|msysqueries|sysmodules|mysql\\.db|sys\\.database_name| information_schema\\.| Sysobjects|sp_makewebtask|xp_cmdshell|sp_oamethod|sp_addextendedproc|sp_oacreate|xp_regread|sys\\.dbms_export_ extension) ", ' other ' = ' \\.\\. [\\\\\\/].*\\%00 ([^0-9a-fa-f]|$) |%0 0[\\ ' \\\ "\ \.]"); $referer =empty ($_server[' http_referer ')? Array (): Array ($_server[' http_referer '); $query _string=empty ($_server["query_string"])? Array (): Array ($_server["query_string"]), Check_data ($query _string, $url _arr), Check_data ($_get, $args _arr); check_ Data ($_post, $args _arr), Check_data ($_cookie, $args _arr), Check_data ($referer, $args _arr), function W_log ($log) {$ logpath=$_server["Document_root"]. "  /log.txt ";  $log _f=fopen ($logpath, "A +"); Fputs ($log _f, $log. "  \ r \ n "); Fclose ($log _f);} function Check_data ($arr, $v) {foreach ($arr as $key = $value) {if (!is_array ($key)) {Check ($keY, $v);}  else {check_data ($key, $v);}  if (!is_array ($value)) {check ($value, $v);} else {check_data ($value, $v);}}} function Check ($str, $v) {foreach ($v as $key = $value) {if (Preg_match ("/". $value. " /is ", $str) ==1| | Preg_match ("/". $value. " /is ", UrlEncode ($STR)) ==1) {//w_log (" <br>ip: ". $_server[" REMOTE_ADDR "]." <br> time: ". Strftime ("%y-%m-%d%h:%m:%s ")." <br> page: ". $_server[" Php_self "]." <br> Submission Method: ". $_server[" Request_method "]."      <br> submit data: ". $str);      Print "Your submission with illegal parameters, thank you for your cooperation";    Exit (); }}}?>

Believe that you have read the case of this article you have mastered the method, more exciting please pay attention to the PHP Chinese network other related articles!

Recommended reading:

PHP using the foreach Transform array steps

PHP Delete a one-dimensional array of value elements steps in detail