MySql与php防注入及SQL语句安全检测,代码直接加到SQL初始化的地方。最模板发现多个系统都用此代码,特此摘来收藏!
1 function CheckSql($db_string,$querytype='select')
2 {
3 global $cfg_cookie_encode;
4 $clean = '';
5 $error='';
6 $old_pos = 0;
7 $pos = -1;
8 $log_file = DEDEINC.'/../data/'.md5($cfg_cookie_encode).'_safe.txt';
9 $userIP = GetIP();
10 $getUrl = GetCurUrl();
11
12 //如果是普通查询语句,直接过滤一些特殊语法
13 if($querytype=='select')
14 {
15 $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
16
17 //$notallow2 = "--|/\*";
18 if(eregi($notallow1,$db_string))
19 {
20 fputs(fopen($log_file,'a+'),"$userIP||$getUrl||$db_string||SelectBreak\r\n");
21 exit("<font size='5' color='red'>Safe Alert: Request Error step 1 !</font>");
22 }
23 }
24
25 //完整的SQL检查
26 while (true)
27 {
28 $pos = strpos($db_string, '\'', $pos + 1);
29 if ($pos === false)
30 {
31 break;
32 }
33 $clean .= substr($db_string, $old_pos, $pos - $old_pos);
34 while (true)
35 {
36 $pos1 = strpos($db_string, '\'', $pos + 1);
37 $pos2 = strpos($db_string, '\\', $pos + 1);
38 if ($pos1 === false)
39 {
40 break;
41 }
42 elseif ($pos2 == false || $pos2 > $pos1)
43 {
44 $pos = $pos1;
45 break;
46 }
47 $pos = $pos2 + 1;
48 }
49 $clean .= '$s$';
50 $old_pos = $pos + 1;
51 }
52 $clean .= substr($db_string, $old_pos);
53 $clean = trim(strtolower(preg_replace(array('~\s+~s' ), array(' '), $clean)));
54
55 //老版本的Mysql并不支持union,常用的程序里也不使用union,但是一些黑客使用它,所以检查它
56 if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0)
57 {
58 $fail = true;
59 $error="union detect";
60 }
61
62 //发布版本的程序可能比较少包括--,#这样的注释,但是黑客经常使用它们
63 elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, '#') !== false)
64 {
65 $fail = true;
66 $error="comment detect";
67 }
68
69 //这些函数不会被使用,但是黑客会用它来操作文件,down掉数据库
70 elseif (strpos($clean, 'sleep') !== false && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0)
71 {
72 $fail = true;
73 $error="slown down detect";
74 }
75 elseif (strpos($clean, 'benchmark') !== false && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0)
76 {
77 $fail = true;
78 $error="slown down detect";
79 }
80 elseif (strpos($clean, 'load_file') !== false && preg_match('~(^|[^a-z])load_file($|[^[a-z])~s', $clean) != 0)
81 {
82 $fail = true;
83 $error="file fun detect";
84 }
85 elseif (strpos($clean, 'into outfile') !== false && preg_match('~(^|[^a-z])into\s+outfile($|[^[a-z])~s', $clean) != 0)
86 {
87 $fail = true;
88 $error="file fun detect";
89 }
90
91 //老版本的MYSQL不支持子查询,我们的程序里可能也用得少,但是黑客可以使用它来查询数据库敏感信息
92 elseif (preg_match('~\([^)]*?select~s', $clean) != 0)
93 {
94 $fail = true;
95 $error="sub select detect";
96 }
97 if (!empty($fail))
98 {
99 fputs(fopen($log_file,'a+'),"$userIP||$getUrl||$db_string||$error\r\n");
100 exit("<font size='5' color='red'>Safe Alert: Request Error step 2!</font>");
101 }
102 else
103 {
104 return $db_string;
105 }
106 } (责任编辑:最模板) |