防⽌sql注⼊与xss攻击的⽅法
防⽌sql注⼊与xss攻击的⽅法
防sql注⼊:
利⽤函数:mysql_real_escape_string();
⽤法实例:
$sql = "select count(*) as ctr from users where username ='".mysql_real_escape_string($username)
."' and password='". mysql_real_escape_string($pw)."' limit 1";
打开magic_quotes_gpc来防⽌SQL注⼊
php.ini中有⼀个设置:magic_quotes_gpc = Off
这个默认是关闭的,如果它打开后将⾃动把⽤户提交对sql的查询进⾏转换,
⽐如把 ' 转为 \'等,对于防⽌sql注射有重⼤作⽤。
如果magic_quotes_gpc=Off,则使⽤addslashes()函数
防⽌XSS攻击
htmlspecialchar():
在使⽤htmlspecialchar()的时候注意第⼆个参数,直接⽤htmlspecialchar($string)的话,第⼆个参数默认是ENT_COMPAT,函数只是转义双引号,不转义单引号。
所以使⽤htmlspecialchar函数时尽量加上第⼆个参数,htmlspecialchar($string,ENT_QUOTES) 转化单引号和双引号,如果不需要编译任何的引号,则使⽤htmlspecialchar($string,ENT_NOQUOTES)
htmlentities:
htmlentities,在全部英⽂的时候htmlentities和htmlspecialchar没有区别,都可以达到⽬的。但是中⽂情况下,htmlentities却会转化所有的html代码,连同⾥⾯的它⽆法识别的中⽂符也给转化了。
所有有打印的语句echo、print等在打印前都要使⽤htmlentities进⾏过滤,这样可以防⽌xss,注意中⽂要写出
htmlrntities($name,ENT_NOQUOTES,gb2312)。
下⾯来说⼏个通⽤过滤的⽅法:
//------------------------------php防注⼊和XSS攻击通⽤过滤-----Start--------------------------------------------//
function string_remove_xss($html) {
preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
$searchs[] = '<';
$replaces[] = '<';
$searchs[] = '>';
$replaces[] = '>';
if ($ms[1]) {
$allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote';
$ms[1] = array_unique($ms[1]);
foreach ($ms[1] as$value) {
$searchs[] = "<".$value.">";
$value = str_replace('&', '_uch_tmp_str_', $value);
$value = string_htmlspecialchars($value);
$value = str_replace('_uch_tmp_str_', '&', $value);
$value = str_replace(array('\\', '/*'), array('.', '/.'), $value);
$skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate',
'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange',
'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick',
'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate',
'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete',
'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel',
'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart', 'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop',
'onsubmit','onunload','javascript','script','eval','behaviour','expression','style','class');
$skipstr = implode('|', $skipkeys);
$value = preg_replace(array("/($skipstr)/i"), '.', $value);
if (!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
$value = '';
}
$replaces[] = empty($value) ? '' : "<" . str_replace('"', '"', $value) . ">";
onblur和blur的区别}
}
$html = str_replace($searchs, $replaces, $html);
return$html;
}
//php防注⼊和XSS攻击通⽤过滤
function string_htmlspecialchars($string, $flags = null) {
if (is_array($string)) {
foreach ($string as$key => $val) {
$string[$key] = string_htmlspecialchars($val, $flags);
}
} else {
if ($flags === null) {
$string = str_replace(array('&', '"', '<', '>'), array('&', '"', '<', '>'), $string);
if (strpos($string, '&#') !== false) {
$string = preg_replace('/&((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $string);
}
} else {
if (PHP_VERSION < '5.4.0') {
$string = htmlspecialchars($string, $flags);
} else {
if (!defined('CHARSET') || (strtolower(CHARSET) == 'utf-8')) {
$charset = 'UTF-8';
} else {
$charset = 'ISO-8859-1';
}
$string = htmlspecialchars($string, $flags, $charset);
}
}
}
return$string;
}
//------------------php防注⼊和XSS攻击通⽤过滤-----End--------------------------------------------//
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论