Sort out php anti-injection and XSS attack filters _ php tips-php Tutorial

Source: Internet
Author: User
Tags printable characters
Many websites now have cross-site scripting vulnerabilities, allowing hackers to take advantage of them. cross-site attacks can be easily constructed and are very concealed and difficult to detect (usually jump back to the original page immediately after information is stolen ). We will not discuss how to defend against attacks here. There are many ways to launch XSS attacks on websites. some built-in filter functions in php alone cannot be used. even if you use filter_var, mysql_real_escape_string, htmlentities, and htmlspecialchars, strip_tags functions are used and cannot guarantee absolute security.

So how to prevent XSS injection? We still need to make a thorough consideration of user data filtering. here we do not fully summarize the following Tips:

1. assume that all user input data is "evil ".
2. the weak scripting language must ensure that the types are consistent with the expected ones.
3. well-considered regular expressions
4. functions such as strip_tags and htmlspecialchars are very useful.
5. external Javascript is not necessarily reliable.
6. special attention must be paid to quotation mark filtering.
7. remove unnecessary HTML comments
8. Exploer, please let me go ......

Method 1: Use the php htmlentities function


Php protects against XSS attacks by using the htmlspecialchars () function.
When using the htmlspecialchars () function, pay attention to the second parameter. if htmlspecialchars ($ string) is used directly, the second parameter defaults to ENT_COMPAT. by default, the function only converts double quotation marks ("). do not escape single quotes.

Therefore, the second parameter must be added to the htmlspecialchars function. you should use htmlspecialchars ($ string, ENT_QUOTES ). of course, if you do not need to convert the quotation marks, use htmlspecialchars ($ string, ENT_NOQUOTES ).
In addition, htmlentities should be used as few as possible. htmlentities and htmlspecialchars are no different in all English, so they can all be achieved. however, in Chinese, htmlentities will convert all html code, along with the unidentifiable Chinese characters in it.
The htmlentities and htmlspecialchars functions have poor support for strings like 'and cannot be converted. Therefore, strings converted using htmlentities and htmlspecialchars can only prevent XSS attacks and SQL injection attacks.

All printed statements, such as echo and print, must be filtered using htmlentities () before printing. This prevents Xss. Note that htmlentities ($ name, ENT_NOQUOTES, GB2312) must be written in Chinese ).

Method 2: Let's say nothing about a function.


function xss_clean($data){ // Fix &entity\n; $data=str_replace(array('&','<','>'),array('&','<','>'),$data); $data=preg_replace('/(&#*\w+)[\x00-\x20]+;/u','$1;',$data); $data=preg_replace('/(&#x*[0-9A-F]+);*/iu','$1;',$data); $data=html_entity_decode($data,ENT_COMPAT,'UTF-8'); // Remove any attribute starting with "on" or xmlns $data=preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu','$1>',$data); // Remove javascript: and vbscript: protocols $data=preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu','$1=$2nojavascript...',$data); $data=preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu','$1=$2novbscript...',$data); $data=preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u','$1=$2nomozbinding...',$data); // Only works in IE:  $data=preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i','$1>',$data); $data=preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i','$1>',$data); $data=preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu','$1>',$data); // Remove namespaced elements (we do not need them) $data=preg_replace('#
 ]*+>#i','',$data); do{// Remove really unwanted tags $old_data=$data; $data=preg_replace('#
 ]*+>#i','',$data); }while($old_data!==$data); // we are done... return $data;}

Method 3:

<? Php // php common filtering for Injection Prevention and XSS attacks. // by qq: 831937 $ _ GET & SafeFilter ($ _ GET); $ _ POST & SafeFilter ($ _ POST ); $ _ COOKIE & SafeFilter ($ _ COOKIE); function SafeFilter (& $ arr) {$ ra = Array ('/([\ x00-\ x08, \ x0b-\ x0c, \ x0e-\ x19])/','/script/','/javascript/','/vbscript/','/expression /', '/applet/', '/meta/', '/xml/', '/blink/', '/link/', '/style /', '/embed/', '/object/', '/frame/', '/layer/', '/title/', '/bgsound /', '/base/', '/onload /','/ Onunload/','/onchange/','/onsubmit/','/onreset/','/onselect/','/onblur/','/onfocus /', '/onabort/', '/onkeydown/', '/onkeypress/', '/onkeyup/', '/onclick/', '/ondblclick /', '/onmousedown/', '/onmousemove/', '/onmouseout/', '/onmouseover/', '/onmouseup/', '/onunload /'); if (is_array ($ arr) {foreach ($ arr as $ key => $ value) {if (! Is_array ($ value) {if (! Get_magic_quotes_gpc () // do not use addslashes () for characters escaped by magic_quotes_gpc to avoid double escaping. {$ Value = addslashes ($ value); // single quotation marks ('), double quotation marks ("), backslash (), and NUL (NULL character) add backslash escape} $ value = preg_replace ($ ra, '', $ value); // delete non-printable characters, roughly filter xss suspicious strings $ arr [$ key] = htmlentities (strip_tags ($ value )); // remove HTML and PHP tags and convert them to HTML entities} else {SafeFilter ($ arr [$ key]) ;}}}?>
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.