Yii framework prevents SQL injection, xss attacks and csrf attacks, yiixss

Yii framework prevents SQL injection, xss attacks and csrf attacks, yiixss

This article describes how the Yii framework prevents SQL injection, xss attacks, and csrf attacks. We will share this with you for your reference. The details are as follows:

Common PHP methods include:

/* SQL Injection prevention, xss attack (1) */function actionClean ($ str) {$ str = trim ($ str); $ str = strip_tags ($ str ); $ str = stripslashes ($ str); $ str = addslashes ($ str); $ str = rawurldecode ($ str); $ str = quotemeta ($ str ); $ str = htmlspecialchars ($ str); // remove special characters $ str = preg_replace ("// \\/ | \~ | \! | \@ | \# | \\$ | \% | \^|\& | \* | \ (| \) | \_| \+ | \{|\}|\:|\<|\>| \? | \ [| \] | \, | \. | \/| \; | \ '| \-| \ = | \ |/",", $ Str ); $ str = preg_replace ("// \ s/", "", $ str); // remove spaces, line breaks, and tabs return $ str;} // prevents SQL injection. Xss attack (1) public function actionFilterArr ($ arr) {if (is_array ($ arr) {foreach ($ arr as $ k => $ v) {$ arr [$ k] = $ this-> actionFilterWords ($ v) ;}} else {$ arr = $ this-> actionFilterWords ($ arr );} return $ arr;} // prevent xss attacks public function actionFilterWords ($ str) {$ farr = array ("/<(\\/?) (Script | I? Frame | style | html | body | title | link | meta | object | \\? | \ %) ([^>] *?)> /IsU ","/(<[^>] *) on [a-zA-Z] + \ s * = ([^>] *>)/isU ", "/select | insert | update | delete | drop | \ '| \/\ * | \ + | \-| \" | \. \. \/| \. \/| union | into | load_file | outfile | dump/is "); $ str = preg_replace ($ farr,'', $ str); return $ str ;} // prevents SQL injection and xss attacks (2) public function post_check ($ post) {if (! Get_magic_quotes_gpc () {foreach ($ post as $ key => $ val) {$ post [$ key] = addslashes ($ val );}} foreach ($ post as $ key => $ val) {// filter "_" out $ post [$ key] = str_replace ("_","\_", $ val); // filter out $ post [$ key] = str_replace ("%", "\ %", $ val ); // SQL injection $ post [$ key] = nl2br ($ val); // convert html $ post [$ key] = htmlspecialchars ($ val ); // xss attack} return $ post ;}

Call:

// Prevent SQL $ post = $ this-> post_check ($ _ POST); // var_dump ($ post); die; $ u_name = trim ($ post ['U _ name']); $ pwd = trim ($ post ['pwd']); if (empty ($ u_name) | empty ($ pwd) {exit ('field cannot be blank ');} $ u_name = $ this-> actionFilterArr ($ u_name ); $ pwd = $ this-> actionFilterArr ($ pwd); // prevents SQL injection and xss attacks $ u_name = $ this-> actionClean (Yii :: $ app-> request-> post ('U _ name'); $ pwd = $ this-> actionClean (Yii :: $ app-> request-> post ('pwd'); $ email = $ this-> actionClean (Yi I: $ app-> request-> post ('email '); // prevents csrf attacks $ session = Yii ::$ app-> session; $ csrf_token = md5 (uniqid (rand (), TRUE); $ session-> set ('Token', $ csrf_token); $ session-> set ('Token ', time (); // receives data if ($ _ POST) {if (empty ($ session-> get ('Token ')) & $ session-> get ('Token ')! = Yii: $ app-> request-> post ('Token') & (time ()-$ session-> get ('token _ Time')> 30) {exit ('csrf attack');} // prevents SQL .....

(It must be placed out of receiving data)

Note:

Form submission value. To prevent csrf attacks, add:

// Disable csrfpiblic $ enableCsrfValidation = false;