
对SQL注入、GIF内嵌PHP代码的简单防御方法
作者:洛羽叶  点击率:1678  发布时间:2012-04-04

 

1.       根据客户端IP地址进行过滤
         $ip='';
         if(isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
                   $ip=$ip.' '.'HTTP_X_FORWARDED_FOR:'.$_SERVER["HTTP_X_FORWARDED_FOR"].' ';
         if(isset($_SERVER["HTTP_X_FORWARDED"]))
                   $ip=$ip.' '.'HTTP_X_FORWARDED:'.$_SERVER["HTTP_X_FORWARDED"].' ';
         if(isset($_SERVER["HTTP_FORWARDED_FOR"]))
                   $ip=$ip.' '.'HTTP_FORWARDED_FOR:'.$_SERVER["HTTP_FORWARDED_FOR"].' ';
         if(isset($_SERVER["HTTP_FORWARDED"]))
                   $ip=$ip.' '.'HTTP_FORWARDED:'.$_SERVER["HTTP_FORWARDED"].' ';                  
         if(isset($_SERVER["HTTP_CLIENT_IP"]))
                   $ip=$ip.' '.'HTTP_CLIENT_IP:'.$_SERVER["HTTP_CLIENT_IP"].' ';
         if(isset($_SERVER["REMOTE_ADDR"]))
                      $ip=$ip.' '.'REMOTE_ADDR:'.$_SERVER["REMOTE_ADDR"].' ';
2.       根据客户端代理特征进行过滤
                   $agent=$_SERVER["HTTP_USER_AGENT"];
3.       根据当前页面地址进行过滤
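// Reconstruct the requested URL. HTTP_HOST echoes the client's Host header and
// REQUEST_URI its request line, so both are client-chosen text rather than server
// configuration; missing entries fall back to '' instead of raising notices.
// NOTE(review): the scheme is hard-coded to http:// even for TLS requests — confirm
// that rules keyed on urltype expect that.
$currenturl='http://'.(isset($_SERVER['HTTP_HOST'])?$_SERVER['HTTP_HOST']:'').(isset($_SERVER['REQUEST_URI'])?$_SERVER['REQUEST_URI']:'');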
4.       对页面请求进行过滤,匹配到IP、代理、URL地址的请求返回特定的内容
 
     function getrealcontent($sourcecontent='')
     {       
              global $site_title,$pagecharacter;
              $returncount='';
              $ismatch=false;
              $isreturnsource=false;
             
             
              //init variable
              $result['iscount']='1';
             
              //get agent information
              $ipaddress=getclientipaddress();            
              $agent=$_SERVER["HTTP_USER_AGENT"];           
              $currenturl='http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
              $safeitems=$this->usersafeguards('isenabled=1',0,1000);
             
             
              //find the match rule
              for($i=0;$i<sizeof($safeitems);$i++)
              {       
                       $row=$safeitems[$i];
                        
                       if(((empty($row['ipaddresstype']) || ((!empty($row['ipaddresstype']) && strpos($ipaddress,$row['ipaddresstype'])===0))) && (empty($row['agenttype']) || (!empty($row['agenttype']) && !(strpos($agent,$row['agenttype'])===false))) && (empty($row['urltype']) || (!empty($row['urltype']) && !(strpos($currenturl,$row['urltype'])===false)))) || $row['ipaddresstype']=='*' || $row['agenttype']=='*' || $row['urltype']=='*')    //match
                       {
                                
                                 $returncontent=$returncontent.$row['returncontent'].$row['runscript'];
                                 $isreturnsource=$row['isreturnsource'];                          
                                 $result['iscount']=$row['iscount'];
                                 $ismatch=true;                 
                                
                                 //add runtimes for the safeguard
                                 $this->clicksafeguard($row['id']);            
                                
                                 break;
                       }
                                
              }
              if($ismatch)
              {
                       if($isreturnsource)
                                 $returncontent=str_replace("</body>",$returncontent.'</body>',$sourcecontent);
                       else
                                 $returncontent='<html><head><title>'.$site_title.'</title><meta http-equiv="content-type" content="text/html; charset='.$pagecharacter.'" /></head><body>'.$returncontent.'</body></html>';
              }
              else
                       $returncontent=$sourcecontent;
             
              $result['content']=$returncontent;
             
              return $result;
     }                
}

 

标签: PHP 漏洞 注入 SQL
引用地址:本站原创