防止sql注入與xss攻擊的方法
防sql注入:
利用函數:mysql_real_escape_string();
用法實例:
$sql = "select count(*) as ctr from users where username ='".mysql_real_escape_string($username)
."' and password='". mysql_real_escape_string($pw)."' limit 1";
打開magic_quotes_gpc來防止SQL注入
php.ini中有一個設置:magic_quotes_gpc = Off
這個默認是關閉的,如果它打開后將自動把用戶提交對sql的查詢進行轉換,
比如把 ' 轉為 \'等,對於防止sql注射有重大作用。
如果magic_quotes_gpc=Off,則使用addslashes()函數
防止XSS攻擊
htmlspecialchar():
在使用htmlspecialchar()的時候注意第二個參數,直接用htmlspecialchar($string)的話,第二個參數默認是ENT_COMPAT,函數只是轉義雙引號,不轉義單引號。
所以使用htmlspecialchar函數時盡量加上第二個參數,htmlspecialchar($string,ENT_QUOTES) 轉化單引號和雙引號,如果不需要編譯任何的引號,則使用htmlspecialchar($string,ENT_NOQUOTES)
htmlentities:
htmlentities,在全部英文的時候htmlentities和htmlspecialchar沒有區別,都可以達到目的。但是中文情況下,htmlentities卻會轉化所有的html代碼,連同里面的它無法識別的中文符也給轉化了。
所有有打印的語句echo、print等在打印前都要使用htmlentities進行過濾,這樣可以防止xss,注意中文要寫出htmlrntities($name,ENT_NOQUOTES,gb2312)。
下面來說幾個通用過濾的方法:
//------------------------------php防注入和XSS攻擊通用過濾-----Start--------------------------------------------// function string_remove_xss($html) { preg_match_all("/\<([^\<]+)\>/is", $html, $ms); $searchs[] = '<'; $replaces[] = '<'; $searchs[] = '>'; $replaces[] = '>'; if ($ms[1]) { $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote'; $ms[1] = array_unique($ms[1]); foreach ($ms[1] as $value) { $searchs[] = "<".$value.">"; $value = str_replace('&', '_uch_tmp_str_', $value); $value = string_htmlspecialchars($value); $value = str_replace('_uch_tmp_str_', '&', $value); $value = str_replace(array('\\', '/*'), array('.', '/.'), $value); $skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate', 'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange', 'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick', 'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate', 'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete', 'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel', 'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart', 'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop', 'onsubmit','onunload','javascript','script','eval','behaviour','expression','style','class'); $skipstr = implode('|', $skipkeys); $value = preg_replace(array("/($skipstr)/i"), '.', $value); if (!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) { $value = ''; } $replaces[] = empty($value) ? '' : "<" . str_replace('"', '"', $value) . ">"; } } $html = str_replace($searchs, $replaces, $html); return $html; } //php防注入和XSS攻擊通用過濾 function string_htmlspecialchars($string, $flags = null) { if (is_array($string)) { foreach ($string as $key => $val) { $string[$key] = string_htmlspecialchars($val, $flags); } } else { if ($flags === null) { $string = str_replace(array('&', '"', '<', '>'), array('&', '"', '<', '>'), $string); if (strpos($string, '&#') !== false) { $string = preg_replace('/&((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $string); } } else { if (PHP_VERSION < '5.4.0') { $string = htmlspecialchars($string, $flags); } else { if (!defined('CHARSET') || (strtolower(CHARSET) == 'utf-8')) { $charset = 'UTF-8'; } else { $charset = 'ISO-8859-1'; } $string = htmlspecialchars($string, $flags, $charset); } } } return $string; } //------------------php防注入和XSS攻擊通用過濾-----End--------------------------------------------//