This article mainly introduces the Yii Framework to prevent SQL injection, xss attacks and csrf attacks, and analyzes the Yii Framework for SQL injection in the form of examples, xss attack and csrf attack prevention methods and related function call precautions. For more information about how to use Yii Framework to prevent SQL injection, xss attacks, and csrf attacks, see the following example. We will share this with you for your reference. The details are as follows:
Common PHP methods include:
/* SQL Injection Prevention, xss attack (1) */function actionClean ($ str) {$ str = trim ($ str); $ str = strip_tags ($ str ); $ str = stripslashes ($ str); $ str = addslashes ($ str); $ str = rawurldecode ($ str); $ str = quotemeta ($ str ); $ str = htmlspecialchars ($ str); // remove special characters $ str = preg_replace ("// \\/ | \~ | \! | \@ | \# | \\$ | \% | \^|\& | \* | \ (| \) | \_| \+ | \{|\}|\:|\<|\>| \? | \ [| \] | \, | \. | \/| \; | \ '| \-| \ = | \ |/",", $ Str ); $ str = preg_replace ("// \ s/", "", $ str); // remove spaces, line breaks, and tabs return $ str;} // prevents SQL injection. Xss attack (1) public function actionFilterArr ($ arr) {if (is_array ($ arr) {foreach ($ arr as $ k => $ v) {$ arr [$ k] = $ this-> actionFilterWords ($ v) ;}} else {$ arr = $ this-> actionFilterWords ($ arr );} return $ arr;} // prevent xss attacks public function actionFilterWords ($ str) {$ farr = array ("/<(\\/?) (Script | I? Frame | style | html | body | title | link | meta | object | \\? | \ %) ([^>] *?)> /IsU ","/(<[^>] *) on [a-zA-Z] + \ s * = ([^>] *>)/isU ", "/select | insert | update | delete | drop | \ '| \/\ * | \ + | \-| \" | \. \. \/| \. \/| union | into | load_file | outfile | dump/is "); $ str = preg_replace ($ farr,'', $ str); return $ str ;} // prevents SQL injection and xss attacks (2) public function post_check ($ post) {if (! Get_magic_quotes_gpc () {foreach ($ post as $ key => $ val) {$ post [$ key] = addslashes ($ val );}} foreach ($ post as $ key => $ val) {// filter "_" out $ post [$ key] = str_replace ("_","\_", $ val); // filter out $ post [$ key] = str_replace ("%", "\ %", $ val ); // SQL injection $ post [$ key] = nl2br ($ val); // Convert html $ post [$ key] = htmlspecialchars ($ val ); // xss attack} return $ post ;}
Call:
// Prevent SQL $ post = $ this-> post_check ($ _ POST); // var_dump ($ post); die; $ u_name = trim ($ post ['U _ name']); $ pwd = trim ($ post ['pwd']); if (empty ($ u_name) | empty ($ pwd) {exit ('field cannot be blank ');} $ u_name = $ this-> actionFilterArr ($ u_name ); $ pwd = $ this-> actionFilterArr ($ pwd); // prevents SQL injection and xss attacks $ u_name = $ this-> actionClean (Yii :: $ app-> request-> post ('U _ name'); $ pwd = $ this-> actionClean (Yii :: $ app-> request-> post ('pwd'); $ email = $ this-> actionClean (Yi I: $ app-> request-> post ('email '); // prevents csrf attacks $ session = Yii ::$ app-> session; $ csrf_token = md5 (uniqid (rand (), TRUE); $ session-> set ('token', $ csrf_token); $ session-> set ('token ', time (); // receives data if ($ _ POST) {if (empty ($ session-> get ('token ')) & $ session-> get ('token ')! = Yii: $ app-> request-> post ('token') & (time ()-$ session-> get ('token _ time')> 30) {exit ('csrf attack');} // prevents SQL .....
(It must be placed out of receiving data)
Note:
Form submission value. to prevent csrf attacks, add:
// Disable csrfpiblic $ enableCsrfValidation = false;