PHP injection, and some new filtering code

Recently, for my own needs, I put together some PHP code-injection filtering. I am sharing it here; please correct me if anything is wrong.

1. If you do not want functions that can execute commands, such as system(), or reveal PHP information, such as phpinfo(), to be callable, disable them:
	disable_functions = system, passthru, exec, shell_exec, popen, phpinfo
2. Turn on magic_quotes_gpc to prevent SQL injection (this feature has been removed after PHP 5.4).
	The php.ini setting is:
		magic_quotes_gpc = Off
	It is off by default. When it is on, quotes in user-submitted data that ends up in SQL queries are escaped automatically,
	turning ' into \' and so on, which plays a significant role in preventing SQL injection. Therefore the recommendation is:
		magic_quotes_gpc = On
3. It is generally recommended to stop the server from displaying errors (php.ini): display_errors = Off
4. After turning off display_errors, it is recommended to record error messages, which makes it easy to find out why the server is misbehaving:
	log_errors = On
	Also set where the error log is stored; it is suggested to keep it together with the Apache logs:
	error_log = /usr/local/apache2/logs/php_error.log


Add the following code to the site's entry file (usually index.php; adapt this to your own needs). I put it in my project's entry file:

if (ini_get('magic_quotes_gpc')) {
     function stripslashesRecursive(array $array)
     {
          foreach ($array as $k => $v) {
               if (is_string($v)) {
                    $array[$k] = stripslashes(trim($v));
               } else if (is_array($v)) {
                    $array[$k] = stripslashesRecursive($v);
               }
          }
          return $array;
     }
 
     if ($_GET)  $_GET  = stripslashesRecursive($_GET);
     if ($_POST) $_POST = stripslashesRecursive($_POST);
}
function array_safe_replace(array $array) {
	foreach ($array as $k => $v) {
	   if (is_string($v)) {
			$string = $v;
			$string = str_replace('%20','',$string);
			$string = str_replace('%27','',$string);
			$string = str_replace('%2527','',$string);
			$string = str_replace('*','',$string);
			$string = str_replace('"','&quot;',$string); // encode double quotes as an HTML entity
			$string = str_replace("'",'',$string);
			$string = str_replace('"','',$string);
			$string = str_replace(';','',$string);
			$string = str_replace('<','&lt;',$string); // encode angle brackets as HTML entities
			$string = str_replace('>','&gt;',$string);
			$string = str_replace("{",'',$string);
			$string = str_replace('}','',$string);
			$string = str_replace('\\','',$string);
			$string = str_replace('script','',$string);
			$string = str_replace('insert','',$string);
			$string = str_replace('update','',$string);
			$string = str_replace('delete','',$string);
			$string = str_replace('select','',$string);
			$string = str_replace('drop','',$string);
			$string = str_replace('eval','',$string);
			// against SQL injection
			$string=preg_replace("/insert/i", "",$string);
			$string=preg_replace("/update/i", "",$string);
			$string=preg_replace("/delete/i", "",$string);
			$string=preg_replace("/select/i", "",$string);
			$string=preg_replace("/drop/i", "",$string);
			$string=preg_replace("/load_file/i", "",$string);
			$string=preg_replace("/outfile/i", "",$string);
			$string=preg_replace("/into/i", "",$string);
			$string=preg_replace("/exec/i", "",$string);
			$string=preg_replace("/caipiao_/i", "",$string);
			$string=preg_replace("/union/i", "",$string);
			$string=preg_replace("/(add|change)\s+column/i", "",$string);
			$string=preg_replace("/(select|update|delete)\s+\S*\s+from/i", "",$string);
			$string=preg_replace("/insert\s+into/i", "",$string);
			$string=preg_replace("/show\s+(databases|tables|index|columns)/i", "",$string);
			$string=preg_replace("/alter\s+(database|table)/i", "",$string);
			// against JS injection
			$string=preg_replace("/(eval|alert|prompt|msgbox)\s*\(.*\)/i", "",$string);
			$string=preg_replace("/script/i", "",$string);
			$string=preg_replace("/\w+\s*=\s*(\"|')?(java|vb)script:\S*(\"|')?/i", "",$string);
			$array[$k] = $string;
	   } else if (is_array($v)) {
			$array[$k] = array_safe_replace($v);
	   }
	}
	return $array;
}

// replace the request data with the filtered version
if ($_GET)  $_GET  = array_safe_replace($_GET);
if ($_POST) $_POST = array_safe_replace($_POST);
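An added example, not code from the original post, showing why a keyword blacklist like array_safe_replace() is the wrong tool: it destroys legitimate values that happen to contain "select" or a quote, whereas a prepared statement passes the value to the database separately from the SQL text and htmlspecialchars() encodes it for HTML output instead of deleting characters. It assumes the pdo_sqlite extension is loaded and uses an in-memory database with constructed sample rows.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension is loaded.

// Stand-in for the post's array_safe_replace(): drop SQL keywords and quotes.
function blacklist_filter(string $s): string
{
    $s = preg_replace('/(select|insert|update|delete|drop)/i', '', $s);
    return str_replace(["'", '"'], '', $s);
}

// Hardened lookup: the user value is bound as a parameter and never spliced into
// the SQL text, so quotes and keywords inside it are plain data to the database.
function count_users(PDO $db, string $name): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

// Output encoding for HTML contexts: neutralises markup without deleting characters.
function render(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
// Constructed sample rows: ordinary names that a keyword blacklist would mangle.
$db->exec("INSERT INTO users (name) VALUES ('Selector'), ('O''Brien'), ('Tom & Jerry')");

foreach (['Selector', "O'Brien", 'Tom & Jerry'] as $input) {
    $filtered = blacklist_filter($input);
    printf("%-12s blacklist -> %-12s raw match=%d filtered match=%d html=%s\n",
        $input, $filtered, count_users($db, $input), count_users($db, $filtered), render($input));
}
// "Selector" becomes "or" and "O'Brien" becomes "OBrien", so the filtered lookups
// find nothing, while the parameterised lookup with the raw value matches one row.
```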



Source: www.cnblogs.com/sky-yu/p/11520990.html