最近用OpenCart做的网站居然被无聊的人攻击了,郁闷网上说这代码很牛,可以防止一切代码类的攻击,不知道有没有用function gjj($str)
{
$farr = array(
'/\\s+/&quo
最近用OpenCart做的网站居然被无聊的人攻击了,郁闷
网上说这代码很牛,可以防止一切代码类的攻击,不知道有没有用
function gjj($str) { $farr = array( "/\\s+/", "/<(\\/?)(script|i?frame|style|html|body|title|link|meta|object|\\?|\\%)([^>]*?)>/isU", "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU", ); $str = preg_replace($farr,"",$str); return addslashes($str); } function hg_input_bb($array) { if (is_array($array)) { foreach($array AS $k => $v) { $array[$k] = hg_input_bb($v); } } else { $array = gjj($array); } return $array; } $_REQUEST = hg_input_bb($_REQUEST); $_GET = hg_input_bb($_GET); $_POST = hg_input_bb($_POST);
还有这个从360提供的PHP防SQL注入代码改成的一个类,
<?php class sqlsafe { private $getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; private $postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; private $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; /** * 构造函数 */ public function __construct() { foreach($_GET as $key=>$value){$this->stopattack($key,$value,$this->getfilter);} foreach($_POST as $key=>$value){$this->stopattack($key,$value,$this->postfilter);} foreach($_COOKIE as $key=>$value){$this->stopattack($key,$value,$this->cookiefilter);} } /** * 参数检查并写日志 */ public function stopattack($StrFiltKey, $StrFiltValue, $ArrFiltReq){ if(is_array($StrFiltValue))$StrFiltValue = implode($StrFiltValue); if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue) == 1){ $this->writeslog($_SERVER["REMOTE_ADDR"]." ".strftime("%Y-%m-%d %H:%M:%S")." ".$_SERVER["PHP_SELF"]." ".$_SERVER["REQUEST_METHOD"]." ".$StrFiltKey." ".$StrFiltValue); showmsg('您提交的参数非法,系统已记录您的本次操作!','',0,1); } } /** * SQL注入日志 */ public function writeslog($log){ $log_path = CACHE_PATH.'logs'.DIRECTORY_SEPARATOR.'sql_log.txt'; $ts = fopen($log_path,"a+"); fputs($ts,$log."\r\n"); fclose($ts); } } ?>
评论列表
发表评论
热评文章
相关阅读