程序可能会影响其他程序的正常使用,正在努力改进!
欢迎批评指正
<?php
/* PHP通用防注射跨站V1.1
##################联系地址##################
http://hi.baidu.com/menzhi007
##################使用说明##################
在您的页面顶部添加: require("sql_injection.php");
即可通用地防止SQL注入以及XSS跨站漏洞。
##################缺陷以及改进##################
程序还有很多缺陷,希望大家能帮助改进
##################参考以及鸣谢##################
NeeaoASP SQL通用防注入程序 V3.0
部分代码参考自Discuz!
*/
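// NOTE(review): this silences every warning/notice for the including page as well, so
// failures in this filter (and in the page) go unseen; it is kept only because callers may
// rely on it. Prefer enabling reporting and logging instead.
error_reporting(0);

// Whether the engine already backslash-escaped GPC input. Magic quotes no longer exist in
// current PHP and get_magic_quotes_gpc() itself is gone in PHP 8, so guard the call instead
// of fataling at include time; "not escaped" is the correct answer on those engines.
define('MAGIC_QUOTES_GPC', function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false);

// Pre-4.1 compatibility: alias the long-form request arrays to the superglobal names.
// Tested by presence rather than by comparing PHP_VERSION with "<": PHP_VERSION is not a
// numeric string, so that comparison is byte-wise and misorders e.g. "10.x" against "4.1.0".
if (!isset($_GET) && isset($HTTP_GET_VARS)) {
    $_GET = &$HTTP_GET_VARS;
    $_POST = &$HTTP_POST_VARS;
    $_COOKIE = &$HTTP_COOKIE_VARS;
    $_SERVER = &$HTTP_SERVER_VARS;
    $_ENV = &$HTTP_ENV_VARS;
    $_FILES = &$HTTP_POST_FILES;
}

// Rejected substrings, compared case-insensitively against every request value.
// Hoisted out of the loops (it never changes), and without the leading "|" of the original
// list, which produced an empty token: substr_count() with an empty needle is a ValueError
// on PHP 8 and a warning (matching nothing) before that.
// NOTE(review): a substring blacklist is not a reliable injection/XSS defence and it also
// rejects ordinary text ("for", "hand", "%" and any parenthesis); parameterised queries and
// context-aware output escaping are the actual mitigations. Treat this pass as a tripwire.
$sql_injection = explode('|', ';|and|(|)|exec|insert|select|delete|update|count|%|chr|mid|master|truncate|or|char|declare|benchmark|script|javascript|<|>');

foreach (array('_GET', '_POST', '_COOKIE', '_REQUEST') as $_request) {
    // $_REQUEST does not exist on the pre-4.1 engines handled above; skip what is absent.
    if (!isset($$_request) || !is_array($$_request)) {
        continue;
    }
    foreach ($$_request as $_value) {
        // The original key check (preg_match("/[^0-9]*/", $_key)) was a no-op: "*" matches
        // the empty string, so it always succeeded. Calls to daddslashes() whose result was
        // discarded have been dropped for the same reason; values are scanned raw.
        //
        // Values may be nested arrays (name[]=...); scan every scalar leaf instead of
        // passing the array to strtolower(), which is a TypeError on PHP 8.
        $pending = array($_value);
        $leaves = array();
        while ($pending) {
            $item = array_pop($pending);
            if (is_array($item)) {
                foreach ($item as $sub) {
                    $pending[] = $sub;
                }
            } else {
                $leaves[] = strtolower((string) $item);
            }
        }
        foreach ($leaves as $leaf) {
            foreach ($sql_injection as $kill_value) {
                if (substr_count($leaf, $kill_value) > 0) {
                    // $kill_value comes from the fixed list above, never from the request,
                    // so echoing it into the script block does not reflect user input.
                    echo "<script>alert('Error,Do not enter illegal characters: " . $kill_value . "! Please Content menzhi007@163.com!');history.back();</script>";
                    exit();
                }
            }
        }
    }
}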
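/**
 * Escape one request value, or recursively an array of them, for SQL-string and HTML use.
 *
 * Unless magic_quotes_gpc already did so, each scalar goes through addslashes(); every
 * scalar is then HTML-escaped (& " < >), and numeric/hex character references such as
 * &#169; or &#x00A9; that the escaping turned into "&amp;#...;" are restored so they still
 * render. Escaping happens at the leaves only, so nested arrays are escaped exactly once
 * (the previous version re-applied the HTML step per nesting level, turning "&lt;" into
 * "&amp;lt;").
 *
 * NOTE(review): addslashes() is charset-unaware and context-free, so it is not a
 * SQL-injection defence on its own; prepared statements or the driver's quoting are.
 *
 * @param string|array $string a scalar, or a (possibly nested) array of scalars
 * @return string|array the escaped value, same shape as $string
 */
function daddslashes($string) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = daddslashes($val);
        }
        return $string;
    }
    // MAGIC_QUOTES_GPC is defined by the including file. Magic quotes no longer exist in
    // current PHP, so an undefined constant is treated as "input not yet escaped".
    if (!defined('MAGIC_QUOTES_GPC') || !MAGIC_QUOTES_GPC) {
        $string = addslashes($string);
    }
    $string = str_replace(
        array('&', '"', '<', '>'),
        array('&amp;', '&quot;', '&lt;', '&gt;'),
        $string
    );
    // Undo the double escaping of character references: "&amp;#169;" -> "&#169;".
    return preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $string);
}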
?>