防止sql注入与xss攻击的方法
防sql注入:
利用函数:mysql_real_escape_string();
用法实例:
$sql = "select count(*) as ctr from users where username =‘".mysql_real_escape_string($username)
."‘ and password=‘". mysql_real_escape_string($pw)."‘ limit 1";
打开magic_quotes_gpc来防止SQL注入
php.ini中有一个设置:magic_quotes_gpc = Off
这个默认是关闭的,如果它打开后将自动把用户提交对sql的查询进行转换,
比如把 ‘ 转为 \‘等,对于防止sql注射有重大作用。
如果magic_quotes_gpc=Off,则使用addslashes()函数
防止XSS攻击
htmlspecialchar():
在使用htmlspecialchar()的时候注意第二个参数,直接用htmlspecialchar($string)的话,第二个参数默认是ENT_COMPAT,函数只是转义双引号,不转义单引号。
所以使用htmlspecialchar函数时尽量加上第二个参数,htmlspecialchar($string,ENT_QUOTES) 转化单引号和双引号,如果不需要编译任何的引号,则使用htmlspecialchar($string,ENT_NOQUOTES)
htmlentities:
htmlentities,在全部英文的时候htmlentities和htmlspecialchar没有区别,都可以达到目的。但是中文情况下,htmlentities却会转化所有的html代码,连同里面的它无法识别的中文符也给转化了。
所有有打印的语句echo、print等在打印前都要使用htmlentities进行过滤,这样可以防止xss,注意中文要写出htmlrntities($name,ENT_NOQUOTES,gb2312)。
下面来说几个通用过滤的方法:
//------------------------------php防注入和XSS攻击通用过滤-----Start--------------------------------------------// function string_remove_xss($html) { preg_match_all("/\<([^\<]+)\>/is", $html, $ms); $searchs[] = ‘<‘; $replaces[] = ‘<‘; $searchs[] = ‘>‘; $replaces[] = ‘>‘; if ($ms[1]) { $allowtags = ‘img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote‘; $ms[1] = array_unique($ms[1]); foreach ($ms[1] as $value) { $searchs[] = "<".$value.">"; $value = str_replace(‘&‘, ‘_uch_tmp_str_‘, $value); $value = string_htmlspecialchars($value); $value = str_replace(‘_uch_tmp_str_‘, ‘&‘, $value); $value = str_replace(array(‘\\‘, ‘/*‘), array(‘.‘, ‘/.‘), $value); $skipkeys = array(‘onabort‘,‘onactivate‘,‘onafterprint‘,‘onafterupdate‘,‘onbeforeactivate‘,‘onbeforecopy‘,‘onbeforecut‘,‘onbeforedeactivate‘, ‘onbeforeeditfocus‘,‘onbeforepaste‘,‘onbeforeprint‘,‘onbeforeunload‘,‘onbeforeupdate‘,‘onblur‘,‘onbounce‘,‘oncellchange‘,‘onchange‘, ‘onclick‘,‘oncontextmenu‘,‘oncontrolselect‘,‘oncopy‘,‘oncut‘,‘ondataavailable‘,‘ondatasetchanged‘,‘ondatasetcomplete‘,‘ondblclick‘, ‘ondeactivate‘,‘ondrag‘,‘ondragend‘,‘ondragenter‘,‘ondragleave‘,‘ondragover‘,‘ondragstart‘,‘ondrop‘,‘onerror‘,‘onerrorupdate‘, ‘onfilterchange‘,‘onfinish‘,‘onfocus‘,‘onfocusin‘,‘onfocusout‘,‘onhelp‘,‘onkeydown‘,‘onkeypress‘,‘onkeyup‘,‘onlayoutcomplete‘, ‘onload‘,‘onlosecapture‘,‘onmousedown‘,‘onmouseenter‘,‘onmouseleave‘,‘onmousemove‘,‘onmouseout‘,‘onmouseover‘,‘onmouseup‘,‘onmousewheel‘, ‘onmove‘,‘onmoveend‘,‘onmovestart‘,‘onpaste‘,‘onpropertychange‘,‘onreadystatechange‘,‘onreset‘,‘onresize‘,‘onresizeend‘,‘onresizestart‘, ‘onrowenter‘,‘onrowexit‘,‘onrowsdelete‘,‘onrowsinserted‘,‘onscroll‘,‘onselect‘,‘onselectionchange‘,‘onselectstart‘,‘onstart‘,‘onstop‘, ‘onsubmit‘,‘onunload‘,‘javascript‘,‘script‘,‘eval‘,‘behaviour‘,‘expression‘,‘style‘,‘class‘); $skipstr = implode(‘|‘, $skipkeys); $value = preg_replace(array("/($skipstr)/i"), ‘.‘, $value); if (!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) { $value = ‘‘; } $replaces[] = empty($value) ? ‘‘ : "<" . str_replace(‘"‘, ‘"‘, $value) . ">"; } } $html = str_replace($searchs, $replaces, $html); return $html; } //php防注入和XSS攻击通用过滤 function string_htmlspecialchars($string, $flags = null) { if (is_array($string)) { foreach ($string as $key => $val) { $string[$key] = string_htmlspecialchars($val, $flags); } } else { if ($flags === null) { $string = str_replace(array(‘&‘, ‘"‘, ‘<‘, ‘>‘), array(‘&‘, ‘"‘, ‘<‘, ‘>‘), $string); if (strpos($string, ‘&#‘) !== false) { $string = preg_replace(‘/&((#(\d{3,5}|x[a-fA-F0-9]{4}));)/‘, ‘&\\1‘, $string); } } else { if (PHP_VERSION < ‘5.4.0‘) { $string = htmlspecialchars($string, $flags); } else { if (!defined(‘CHARSET‘) || (strtolower(CHARSET) == ‘utf-8‘)) { $charset = ‘UTF-8‘; } else { $charset = ‘ISO-8859-1‘; } $string = htmlspecialchars($string, $flags, $charset); } } } return $string; } //------------------php防注入和XSS攻击通用过滤-----End--------------------------------------------//