最近由於自身需求，整理了一份 PHP 防注入的代碼，分享出來，歡迎指正。
1. 不希望執行 system() 等能夠執行系統命令的 PHP 函數，或者 phpinfo() 等能夠查看 PHP 信息的函數，那麼我們就可以禁止它們：disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
2. 打開 magic_quotes_gpc 來防止 SQL 注入（PHP 5.4 之後已移除該配置項）。php.ini 中有一個設置：magic_quotes_gpc = Off。這個默認是關閉的，如果打開後將自動對用戶提交給 SQL 查詢的數據進行轉義，比如把 ' 轉為 \' 等，這對防止 SQL 注入有重大作用。所以我們推薦設置為：magic_quotes_gpc = On
3. 一般服務器建議禁止錯誤提示（php.ini）：display_errors = Off
4. 建議在關閉 display_errors 後把錯誤信息記錄下來，便於排查服務器運行問題：log_errors = On。同時也要設置錯誤日誌存放的目錄，建議跟 apache 的日誌放在一起：error_log = usr/local/apache2/logs/php_error.log
在網站的入口文件添加以下代碼（一般是 index.php，具體放在哪裡可視自身需求決定），我將這段代碼放在我的項目入口文件裡面：
// magic_quotes_gpc (removed in PHP 5.4) auto-escaped quotes in request data
// with backslashes; when it is still on, undo that so the application works
// with the raw values. The helper is only defined when the setting is on.
if (ini_get('magic_quotes_gpc')) {
    /**
     * Recursively removes magic-quotes backslashes from every string value in
     * $array. Nested arrays are processed the same way; other values are left
     * untouched.
     *
     * NOTE: every string is also trim()med, which the name does not suggest;
     * callers that care about leading/trailing whitespace should know this.
     *
     * @param array<mixed> $array request data such as $_GET or $_POST
     * @return array<mixed> the same structure with strings unescaped and trimmed
     */
    function stripslashesRecursive(array $array)
    {
        foreach ($array as $key => $value) {
            if (is_array($value)) {
                $array[$key] = stripslashesRecursive($value);
            } elseif (is_string($value)) {
                $array[$key] = stripslashes(trim($value));
            }
        }

        return $array;
    }

    // Empty arrays are falsy and are skipped.
    if ($_GET) {
        $_GET = stripslashesRecursive($_GET);
    }
    if ($_POST) {
        $_POST = stripslashesRecursive($_POST);
    }
}
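/**
 * Recursively strips a fixed blacklist of characters, SQL keywords and
 * script fragments from every string value in $array.
 *
 * Nested arrays are filtered the same way; values that are neither strings
 * nor arrays (ints, floats, bools, null) are returned unchanged. Keys are
 * never filtered.
 *
 * NOTE(review): this is substring blacklisting, not escaping. It silently
 * damages legitimate input (any value containing "update", "into", "exec",
 * "drop", ... loses those letters) and, because every pattern is applied once
 * in a fixed order, it cannot guarantee that a keyword is absent from the
 * result. It is not a substitute for prepared statements with bound
 * parameters on the database side, nor for context-specific escaping
 * (htmlspecialchars() for HTML) at output time; treat it as legacy behaviour
 * that existing callers rely on, not as the defence itself. Three identity
 * replacements in the original ('"'->'"', '<'->'<', '>'->'>') did nothing and
 * are dropped here; they look like HTML-entity escapes lost in publishing —
 * if HTML escaping was intended it belongs at output, not in request filtering.
 *
 * @param array<mixed> $array request data such as $_GET or $_POST
 * @return array<mixed> the same structure with every string value filtered
 */
function array_safe_replace(array $array): array
{
    // Case-sensitive literal removals, applied left to right. The %xx entries
    // only matter for input that arrived percent-encoded twice, since PHP has
    // already URL-decoded $_GET/$_POST once.
    $literals = [
        '%20', '%27', '%2527', '*', "'", '"', ';', '{', '}', '\\',
        'script', 'insert', 'update', 'delete', 'select', 'drop', 'eval',
    ];
    // Case-insensitive pattern removals, applied after the literals and in
    // this exact order. A later pattern may match text exposed by an earlier
    // removal, so the sequence must not be reordered or deduplicated even
    // where it repeats a literal above.
    $patterns = [
        // SQL keywords and statement shapes
        '/insert/i', '/update/i', '/delete/i', '/select/i', '/drop/i',
        '/load_file/i', '/outfile/i', '/into/i', '/exec/i',
        '/caipiao_/i', // presumably the project's own table prefix — confirm
        '/union/i',
        '/(add|change)\s+column/i',
        '/(select|update|delete)\s+\S*\s+from/i',
        '/insert\s+into/i',
        '/show\s+(databases|tables|index|columns)/i',
        '/alter\s+(database|table)/i',
        // script fragments
        '/(eval|alert|prompt|msgbox)\s*\(.*\)/i',
        '/script/i',
        '/\w+\s*=\s*("|\')?(java|vb)script:\S*("|\')?/i',
    ];

    foreach ($array as $key => $value) {
        if (is_array($value)) {
            $array[$key] = array_safe_replace($value);
            continue;
        }
        if (!is_string($value)) {
            continue;
        }
        // With array needles, str_replace() and preg_replace() apply each entry
        // in order to the running result, which is exactly what the original
        // chain of individual calls did.
        $filtered = preg_replace($patterns, '', str_replace($literals, '', $value));
        // preg_replace() returns null on a PCRE error (e.g. the backtracking
        // limit on the greedy `.*` pattern); fail closed to an empty string
        // rather than storing null in the request array.
        $array[$key] = $filtered ?? '';
    }

    return $array;
}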
// Run the blacklist filter over the incoming request data in place; empty
// arrays are falsy and skipped. Only $_GET and $_POST are covered here —
// $_COOKIE and $_REQUEST are left unfiltered.
if ($_GET) {
    $_GET = array_safe_replace($_GET);
}
if ($_POST) {
    $_POST = array_safe_replace($_POST);
}
