PHP Security: Anti-injection Details (PHP Tutorial)

Source: Internet
Author: User
There are two ways to submit data to a web application, GET and POST. Many common SQL injection attacks arrive through GET parameters, and the injected payload has to carry SQL of its own, otherwise there is nothing for the database to execute. SQL has four basic statements: SELECT, UPDATE, DELETE and INSERT.

So can we avoid these problems if we filter the submitted data?
Let us build the following function with a regular expression:

The code is as follows:

<?php
/*
Function name: inject_check()
Function: Detects whether the submitted value contains characters or keywords used in SQL injection, to prevent injection and protect the server
Parameter: $sql_str: the submitted variable
Return value: the test result, true (suspicious) or false (clean)
Function author: heiyeluren
*/

function inject_check($sql_str)
{
    // eregi() was removed in PHP 7; preg_match() with the /i modifier performs the same case-insensitive match
    return (bool) preg_match('/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);    // filter
}
?>


In this function we filter out select, insert, update, delete, union, into, load_file, outfile, /*, ./, ../, ' and the other dangerous strings. With that we can control the submitted parameters; the program can be built like this:

The code is as follows:

<?php

if (inject_check($_GET['id']))
{
    exit('The data you submitted is illegal, please check and resubmit!');
}
else
{
    $id = $_GET['id'];
    echo 'The submitted data is valid, please continue!';
}

?>


Suppose we request the URL a.php?id=1; the response is:
"The submitted data is valid, please continue!"
If we request a.php?id=1%27 select * FROM tb_name (%27 is the URL-encoded single quote),
the response is: "The data you submitted is illegal, please check and resubmit!"

That meets our requirement. Keep in mind, though, that this is a keyword blacklist: it rejects only the strings it has been told about, and it rejects them wherever they appear, so it misses payloads written with other syntax and at the same time blocks legitimate input (a comment containing the word "select", a surname with an apostrophe). A bound parameter in a prepared statement removes the injection problem regardless of what the value contains.
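To see what this keyword blacklist actually does, here is an added example (not code from the original article) that runs inject_check(), rewritten with preg_match() since eregi() no longer exists in PHP 7 and later, over a constructed set of inputs: the two URLs above, several injection payloads that contain none of the listed keywords, and some harmless values that happen to contain one. The input list and the verdict labels are the example's own.

```php
<?php
// Added example (not from the original article): run the article's keyword blacklist
// against constructed inputs to show what it catches and what it lets through.

// The article's inject_check(), using preg_match() because eregi() was removed in PHP 7.
function inject_check($sql_str)
{
    return (bool) preg_match('/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
}

// Constructed test inputs: [value, is it actually an attack?]
$inputs = [
    ['1',                          false],   // the article's "valid" case
    ["1' select * FROM tb_name",   true ],   // the article's "illegal" case
    ['1 OR 1=1',                   true ],   // numeric-context injection: no blacklisted keyword at all
    ['1; DROP TABLE users',        true ],   // "drop" is not in the list either
    ['1 AND SLEEP(5)',             true ],   // time-based blind probe, also keyword-free
    ['Please select an option',    false],   // legitimate text rejected because it contains "select"
    ['5 * 2 = 10',                 false],   // legitimate text rejected because of the "*"
    ["O'Brien",                    false],   // legitimate name rejected because of the quote
];

printf("%-28s %-9s %-9s %s\n", 'input', 'attack?', 'blocked?', 'verdict');
foreach ($inputs as [$value, $isAttack]) {
    $blocked = inject_check($value);
    if ($isAttack && !$blocked) {
        $verdict = 'BYPASS';          // an attack that the filter lets through
    } elseif (!$isAttack && $blocked) {
        $verdict = 'FALSE POSITIVE';  // harmless input that the filter rejects
    } else {
        $verdict = 'ok';
    }
    printf("%-28s %-9s %-9s %s\n", $value, $isAttack ? 'yes' : 'no', $blocked ? 'yes' : 'no', $verdict);
}
```

Three of the five attack strings pass untouched while all three harmless strings are rejected: the list is a pattern match on text, not a decision about how the value will be used by the database.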

However, the problem is not fully solved. If we request a.php?id=1asdfasdfasdf, the value passes the rule above but is still not what we want, so to cover such cases we build a function that checks the value itself:

The code is as follows:

<?php
/*
Function name: verify_id()
Function: Verify that a submitted ID-type value is valid
Parameter: $id: the submitted ID value
Return value: the processed ID
Function author: heiyeluren
*/

function verify_id($id = null)
{
    if (!$id) { exit('No argument was submitted!'); }                               // empty check (note: "0" is also rejected here, since it is falsy)
    elseif (inject_check($id)) { exit('The submitted argument is illegal!'); }     // injection check
    elseif (!is_numeric($id)) { exit('The submitted argument is illegal!'); }      // numeric check

    $id = intval($id);    // convert to an integer

    return $id;
}
?>


Now we can verify the value, so the program code becomes the following:

<?php

if (inject_check($_GET['id']))
{
    exit('The data you submitted is illegal, please check and resubmit!');
}
else
{
    $id = verify_id($_GET['id']);    // the filter function is used here to clean $id
    echo 'The submitted data is valid, please continue!';
}

?>
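As an added example, not part of the original article: the article's numeric check beside an allow-list check built on filter_var(), run over constructed inputs that exercise the edge cases (the value "0", negative numbers, exponent notation, surrounding whitespace, a non-integer, an array parameter). verify_id_article() is the article's logic with the inject_check() step and the exit() calls removed so it can be called in a loop; verify_id_strict() and the sample list are the example's own.

```php
<?php
// Added example (not from the original article): an allow-list check for an ID parameter,
// shown beside the article's is_numeric()/intval() logic on constructed inputs.

// The article's logic, with exit() replaced by a null return so it can be exercised here.
function verify_id_article($id = null)
{
    if (!$id) { return null; }              // "0" is falsy, so a legitimate id of 0 is rejected
    if (!is_numeric($id)) { return null; }  // is_numeric() also accepts forms such as "1e3", " 7", "7.0", "-5"
    return intval($id);
}

// Allow-list version: accept a decimal integer in [1, PHP_INT_MAX] and nothing else
// (filter_var() trims surrounding whitespace before validating). Returns the integer,
// or null when the value is not a valid ID; the caller decides how to fail.
function verify_id_strict($id = null)
{
    if (!is_string($id) && !is_int($id)) {
        return null;                        // arrays (?id[]=1) and missing values are rejected outright
    }
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Constructed inputs covering the edge cases the article's checks do not address.
$samples = ['1', '42', '0', '-5', '1e3', ' 7', '7.0', '7abc', "1' OR 1=1", '', null, ['1']];

printf("%-14s %-10s %s\n", 'input', 'article', 'strict');
foreach ($samples as $s) {
    $label = is_array($s) ? 'array' : var_export($s, true);
    printf("%-14s %-10s %s\n",
        $label,
        var_export(verify_id_article($s), true),
        var_export(verify_id_strict($s), true));
}
```

The strict version needs no blacklist at all: an ID is defined by what it must look like, so anything else, including every injection payload, is rejected by construction rather than by recognising attack syntax.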


The problem seems to be solved at this point, but have we considered data submitted by POST, and larger amounts of data?
Some characters have special meaning to the database, for example '_' and '%', the LIKE wildcards; do we control those? Another point: when magic_quotes_gpc = off in php.ini, submitted data that breaks the rules is not escaped automatically, so we have to handle these problems ourselves. We build the following function:

The code is as follows:

<?php
/*
Function name: str_check()
Function: Filter a submitted string
Parameter: $str: the string to process
Return value: the filtered string
Function author: heiyeluren
*/

function str_check($str)
{
    // magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8; escape unless they are still on
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc())
    {
        $str = addslashes($str);    // escape quotes, backslashes and NUL
    }

    $str = str_replace("_", "\_", $str);    // escape the LIKE wildcard '_'
    $str = str_replace("%", "\%", $str);    // escape the LIKE wildcard '%'

    return $str;
}
?>


With that we have once again reduced the danger of the server being compromised. Two caveats apply: addslashes() knows nothing about the database connection's character set, so with a multibyte encoding such as GBK a crafted byte sequence can absorb the inserted backslash; and escaping '_' and '%' only makes sense for a value that will be placed inside a LIKE pattern, since in an ordinary equality comparison those characters are plain data. The driver's own escaping function (mysqli_real_escape_string()) or, better still, a bound parameter is preferable to addslashes().

Finally, consider submitting larger amounts of data, such as posts, articles or news. We need some functions to filter and transform that content, so on top of the function above we construct the following:

The code is as follows:

<?php
/*
Function name: post_check()
Function: Process submitted editor content
Parameter: $post: the submitted content
Return value: $post: the filtered content
Function author: heiyeluren
*/

function post_check($post)
{
    // magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8; escape unless they are still on
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc())
    {
        $post = addslashes($post);    // escape the submitted data when magic_quotes_gpc is off
    }

    $post = str_replace("_", "\_", $post);    // escape the LIKE wildcard '_'
    $post = str_replace("%", "\%", $post);    // escape the LIKE wildcard '%'

    // Encode HTML first, then convert line breaks: the original order (nl2br() before
    // htmlspecialchars()) turned the inserted <br /> tags into literal text
    $post = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');    // HTML markup conversion (ENT_QUOTES also encodes single quotes)
    $post = nl2br($post);    // carriage return conversion

    return $post;
}
?>
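The three jobs that str_check() and post_check() fold into a single string transformation, quoting for SQL, escaping LIKE wildcards, and encoding for HTML, are better done separately, each at the point where the value is used. The following is an added example, not code from the original article: it uses PDO with an in-memory SQLite database (the pdo_sqlite extension is assumed) so it runs offline; the table, the seed rows and the function names find_post(), like_literal(), search_titles() and render_body() are the example's own.

```php
<?php
// Added example (not from the original article): the concerns of str_check()/post_check()
// handled separately: a bound parameter for SQL values, an explicit ESCAPE clause for
// LIKE wildcards, and HTML encoding at output time. Table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$seed = $db->prepare('INSERT INTO posts (title, body) VALUES (?, ?)');
$seed->execute(['100% genuine', "<b>bold</b> & \"quoted\""]);
$seed->execute(['under_score', "line one\nline two"]);
$seed->execute(["O'Brien's post", 'plain']);

// 1. A value in a WHERE clause: bind it. No addslashes() and no keyword blacklist are needed,
//    because the value never becomes part of the SQL text.
function find_post(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. A value inside a LIKE pattern: binding stops injection but not wildcards, so escape
//    %, _ and the escape character itself, and declare that escape character in the SQL.
function like_literal(string $needle): string
{
    return strtr($needle, ['\\' => '\\\\', '%' => '\%', '_' => '\_']);
}

function search_titles(PDO $db, string $needle): array
{
    $stmt = $db->prepare("SELECT title FROM posts WHERE title LIKE :pat ESCAPE '\\'");
    $stmt->bindValue(':pat', '%' . like_literal($needle) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. HTML encoding belongs at output time: store the raw text, encode when rendering,
//    and convert newlines only after encoding so the <br /> tags survive.
function render_body(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// A search for a literal "%" or "_" matches only rows that contain that character.
var_dump(search_titles($db, '%'));      // ["100% genuine"]; without escaping, "%" would match every row
var_dump(search_titles($db, '_'));      // ["under_score"]
var_dump(search_titles($db, "O'Br"));   // ["O'Brien's post"]; the quote is just data
$post = find_post($db, 1);
echo render_body($post['body']), "\n";  // &lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot;
```

Storing the raw text and encoding on output is what makes the same record safe to show in HTML, in JSON or in a plain-text email; post_check() bakes one output format into the stored data, and its addslashes() step would additionally leave stray backslashes in the content once magic quotes are no longer involved.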

Original article: http://www.bkjia.com/PHPjc/629656.html
