1 設定指令碼可以訪問的目錄,一定限度上限制了PHP木馬,比如
open_basedir=d:/usr/www
一般設定將php能開啟的檔案設定在指定的分類樹中.
2 設定禁用的函數
disable_functions,在php.ini的safe_mode=off下,可以用這個。
在php.ini中,比如
disable_functions = phpinfo,get_cfg_var
又或者
disable_functions= passthru,exec,shell_exec,system,fopen,mkdir,rmdir,chmod,unlink,dir ,fopen,fread,fclose,fwrite,file_exists ,closedir,is_dir,readdir.opendir ,fileperms.copy,unlink,delfile
但有的檔案函數就用不了拉.
3 開啟magic_quotes_gpc
預設是關閉的,開啟的話,會自動轉義.
如果關閉的話,就用addslashes()咯
4 網上很多防止注入的程式,比如
<?php
/*
PHP整站防注程式,需要在公用檔案中reqire_once本檔案
by 風塵浪子 QQ:156544632 http://156544632.cn
*/
// 判斷 magic_quotes_gpc 狀態
if (@get_magic_quotes_gpc()) {
$_GET = sec($_GET);
$_POST = sec($_POST);
$_COOKIE = sec($_COOKIE);
$_FILES = sec($_FILES);
}
$_SERVER = sec($_SERVER);
function sec(&$array) {
//如果是數組
if (is_array($array)) {
//遍曆數組
foreach ($array as $k => $v) {
//遞迴調用
$array[$k] = sec($v);
}
} else if (is_string($array)) {
//stripslashes函數來處理
$array = addslashes($array);
}else if (is_numeric($array)) {
//intval函數來處理
$array = intval($array);
}
return $array;
}
function num_check($id) {
if (!$id) {die('參數不可為空!'); } // 是否為空白判斷
elseif (inject_check($id)) { die('非法參數!'); } // 注射判斷
elseif (!is_numeric($id)) { die('非法參數!'); } // 數字判斷
$id = intval($id); // 整型化
return $id;
}
function str_check( $str) {
$str= htmlspecialchars($str); //轉換Html
return $str;
}
function search_check( $str) {
$str = str_replace("_", "\_", $str); // 把 '_'過濾掉
$str = str_replace("%", "\%", $str); // 把 '%'過濾掉
$str= htmlspecialchars($str); //轉換Html
return $str;
}
function post_check( $str,$min,$max) {
if(isset($min)&&strlen($str) < $min){
die("最少$min位元組");
}elseif(isset($max)&&strlen($str) >$max){
die("最多$max位元組");
}
return stripslashes_array($str);
}
function inject_check($sql_str) {
return eregi('select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile', $sql_str); // 進行過濾
}
?>
4 防止遠程檔案包含
關閉allow_url_fopen
5 防止把表單儲存下來再提交
if($_SERVER['REQUEST_METHOD'] == 'POST' && (empty($_SERVER['HTTP_REFERER']) || preg_replace("/https?:\/\/([^\:\/]+).*/i", "\\1", $_SERVER['HTTP_REFERER']) !== preg_replace("/([^\:]+).*/", "\\1", $_SERVER['HTTP_HOST']))) {
die('來路不正確');
}
6 對比如使用者發表評論後的東西回顯到螢幕時,注意把html過濾掉
// 清除HTML代碼
function html_clean($content) {
$content = htmlspecialchars($content);
$content = str_replace("\n", "<br />", $content);
$content = str_replace(" ", " ", $content);
$content = str_replace("\t", " ", $content);
$content = preg_replace("/\[quote=(.*?)\]\s*(.+?)\s*\[\/quote\]/is", "<div style=\"font-weight: bold\">引用 \\1 的評論:</div><div class=\"quote\">\\2</div>", $content);
return $content;
}
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
