如何防止xss和sql注入攻击 sql注入与xss攻击的防御方法

主机教程 建站分享 2年前 (2022-11-19) 210次浏览

文章摘要:如何防止xss和sql注入攻击 sql注入与xss攻击的防御方法

防止xss和sql注入攻击的通用方法: php防sql注入和xss攻击通用过滤如下: function str […]

防止xss和sql注入攻击的通用方法:

php防sql注入和xss攻击通用过滤如下:

function string_remove_xss($html) {

preg_match_all("/<([^<]+)>/is", $html, $ms);

$searchs[] = '<';

$replaces[] = '<';

$searchs[] = '>';

$replaces[] = '>';

if ($ms[1]) {

$allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote';

$ms[1] = array_unique($ms[1]);

foreach ($ms[1] as $value) {

$searchs[] = "<".$value.">";

$value = str_replace('&', '_uch_tmp_str_', $value);

$value = string_htmlspecialchars($value);

$value = str_replace('_uch_tmp_str_', '&', $value);

$value = str_replace(array('\', '/*'), array('.', '/.'), $value);

$skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate',

'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange',

'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick',

'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate',

'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete',

'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel',

'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart',

'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop',

'onsubmit','onunload','javascript','script','eval','behaviour','expression','style','class');

$skipstr = implode('|', $skipkeys);

$value = preg_replace(array("/($skipstr)/i"), '.', $value);

if (!preg_match("/^[/|s]?($allowtags)(s+|$)/is", $value)) {

$value = '';

}

$replaces[] = empty($value) ? '' : "<" . str_replace('"', '"', $value) . ">";

}

}

$html = str_replace($searchs, $replaces, $html);

return $html;

}

//php防sql注入和xss攻击通用过滤

function string_htmlspecialchars($string, $flags = null) {

if (is_array($string)) {

foreach ($string as $key => $val) {

$string[$key] = string_htmlspecialchars($val, $flags);

}

} else {

if ($flags === null) {

$string = str_replace(array('&', '"', '<', '>'), array('&', '"', '<', '>'), $string);

if (strpos($string, '&#') !== false) {

$string = preg_replace('/&((#(d{3,5}|x[a-fA-F0-9]{4}));)/', '&\1', $string);

}

} else {

if (PHP_VERSION < '5.4.0') {

$string = htmlspecialchars($string, $flags);

} else {

if (!defined('CHARSET') || (strtolower(CHARSET) == 'utf-8')) {

$charset = 'UTF-8';

} else {

$charset = 'ISO-8859-1';

}

$string = htmlspecialchars($string, $flags, $charset);

}

}

}

return $string;

}


声明:
若非注明,本站文章源于互联网收集整理和网友分享发布,如有侵权,请联系站长处理。
文章名称:如何防止xss和sql注入攻击 sql注入与xss攻击的防御方法
文章链接:http://www.7966.org/post/16774.html
转载请注明出处

喜欢 (0)