
PHP: dealing with XSS attacks and SQL injection

Posted: 2015-09-14 19:30:37


<?php
/**
 * RemoveXSS: strip cross-site scripting vectors from a string.
 * Save this code in function.php and include() it in any page that needs protection.
 * The routine first normalises HTML numeric entities (hex and decimal) back to plain
 * characters, then defuses dangerous tag and event-handler names by inserting <x> into them.
 * @param string $val
 * @return string
 */
function RemoveXSS($val) {
   // Remove all non-printable characters. TAB (09), LF (0a) and CR (0d) are kept here
   // and dealt with below, because they can be used to split a keyword such as java\tscript.
   // (The original class also contained literal commas, which stripped ',' from input.)
   $val = preg_replace('/([\x00-\x08\x0b-\x0c\x0e-\x19])/', '', $val);

   // Straight replacements: decode numeric entities for ordinary characters, so that
   // e.g. <IMG SRC=&#X6A&#X61&#X76...> ("javascript" in hex entities) becomes plain text
   $search = 'abcdefghijklmnopqrstuvwxyz';
   $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
   $search .= '1234567890!@#$%^&*()';
   $search .= '~`";:?+/={}[]-_|\'\\';
   for ($i = 0; $i < strlen($search); $i++) {
      // ;? matches the trailing ;, which is optional
      // 0{0,8} matches any zero padding, which is optional and goes up to 8 chars

      // hex form: &#x6a; or &#X006A
      $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val);
      // decimal form: &#106; or &#0000106
      $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val);
   }

   // now the only remaining whitespace attacks are \t, \n, and \r
   $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
   $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
   $ra = array_merge($ra1, $ra2);

   $found = true; // keep replacing as long as the previous round replaced something
   while ($found == true) {
      $val_before = $val;
      for ($i = 0; $i < sizeof($ra); $i++) {
         $pattern = '/';
         for ($j = 0; $j < strlen($ra[$i]); $j++) {
            if ($j > 0) {
               // allow an encoded TAB/LF/CR (hex 9, a, d or decimal 9, 10, 13) between
               // the letters of the keyword, e.g. java&#10;script
               $pattern .= '(';
               $pattern .= '(&#[xX]0{0,8}([9ad]);)';
               $pattern .= '|';
               $pattern .= '(&#0{0,8}(9|10|13);)';
               $pattern .= ')*';
            }
            $pattern .= $ra[$i][$j];
         }
         $pattern .= '/i';
         $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <x> to nerf the tag
         $val = preg_replace($pattern, $replacement, $val); // filter out the (possibly split) tags
      }
      if ($val_before == $val) {
         // no replacements were made in this round, so exit the loop
         $found = false;
      }
   }
   return $val;
}

<?php
/**
 * SQL injection guard for values interpolated into mysql_* queries.
 * Note: mysql_real_escape_string() was removed in PHP 7.0 and get_magic_quotes_gpc()
 * in PHP 8.0, so this helper only runs on PHP 5.x; it also needs an open mysql_connect()
 * link, because the escaping depends on the connection's character set.
 * @param mixed $value
 * @return mixed
 */
function check_input($value)
{
   // Undo the escaping that magic_quotes_gpc adds automatically, so the value
   // is not escaped twice below
   if (get_magic_quotes_gpc()) {
      $value = stripslashes($value);
   }
   // Escape if not a number. A numeric value is returned unchanged, so it must
   // only be used in a numeric (unquoted) position of the query.
   if (!is_numeric($value)) {
      $value = mysql_real_escape_string($value);
   }
   return $value;
}
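As an added example that is not part of the original post, the two helpers above have direct modern counterparts: encoding on output instead of filtering input for XSS, and binding parameters instead of escaping strings for SQL. The code is written for this page, not taken from the original author; it assumes PHP 7.4 or later with the PDO SQLite driver, and the function names, the users table and the sample inputs are all constructed here.

```php
<?php
// Added example (not from the original post). Assumes PHP 7.4+ with pdo_sqlite;
// the in-memory database, its rows and the inputs below are constructed inline.

// 1. XSS: encode at the point of output. ENT_QUOTES escapes both quote styles,
//    so the value is safe in an attribute as well as in element text; there is
//    no keyword list to keep up to date.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. SQL injection: bind the value as a parameter. The statement text is fixed
//    at prepare time, so input can never change its structure, numeric or not.
function find_user_by_name(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: a throwaway SQLite database with two users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed inputs: a plain name and the classic quote-and-tautology string
// that check_input() exists to escape. Bound as a parameter, it is compared
// literally against the name column and matches no row; only 'alice' does.
$inputs = ['alice', "' OR '1'='1"];
foreach ($inputs as $input) {
    $rows = find_user_by_name($db, $input);
    printf("%-16s -> %d row(s)\n", var_export($input, true), count($rows));
}

// Constructed input: the kind of tag RemoveXSS() tries to neutralise. After
// encoding, the browser displays the angle brackets as text instead of
// creating an element with an event handler.
$raw = '<img src=x onerror=alert(1)>';
echo html_escape($raw), "\n";
```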

Original source: http://www.cnblogs.com/ingstyle/p/4512576.html
