PHP application security prevention technology research

PHP security prevention program model

Copy the code as follows:
　 /* PHP anti-injection cross-site V1.0
　 Add: require(“menzhi_injection.php”);
　 to the top of your page to achieve universal prevention of SQL injection. and XSS cross-site vulnerabilities.
　　##################Defects and Improvements##################
　There are still many defects in the program, I hope everyone can Help improve
　　##################Reference and Acknowledgment#################
　Neeao'ASP SQL universal anti-injection Program V3.0
Part of the code is referenced from Discuz!
|select|delete|update|count|*|%|chr|mid|master|truncate|or|char|declare";
　$menzhi_injection = explode("|",$menzhi_injection);
　foreach(array('_GET' , '_POST', '_COOKIE','_REQUEST') as $_request) {
　foreach($$_request as $_key => $_value) {
　 //$_value = strtolower($_value);
　$_key{ 0} != '_' && $$_key = daddslashes($_value);
　foreach($menzhi_injection as $kill_key => $kill_value) {
　if(substr_count($_value,$kill_value)>0) {
echo "";
　unset($_value);
exit();
　}
　}
　///echo "
　".$_value;
　}
　}
　function daddslashes($string) {
　　if(!MAGIC_QUOT ES_GPC) {
　if(is_array($string)) {
　foreach($string as $key => $val) {
　$string[$key] = daddslashes($val);
　}
　} else {
　$string = addslashes ($string);
　}
　}
　 $string = preg_replace('/&((#(d{3,5}|x[a-fA-F0-9]{4}));)/', ' &\1',str_replace(array('&', '"', '<', '>'), array('&', '"', '<', '>'), $ string));
　 return $string;
　}
　?>

　 Usage instructions
　 Add: "require("menzhi_injection.php");" at the top of your page to achieve general prevention of SQL injection and XSS cross-border Site vulnerability. To call this program, we use require() instead of include(), because if an error occurs when calling the file in require(), the program will be terminated, and include() will ignore it. And when require() calls a file, the external file will be called first as soon as the program is run. Inculde() only starts execution when it reaches this line. Based on the function characteristics, we choose require(). You can also add or delete filter characters in the $menzhi_injection variable according to actual needs to achieve better defense effects. Furthermore, you can modify the code yourself, and you may gain unexpected results. Ordinary injections can be defended. The following test is just for ridicule. The following is the test effect of a one-sentence Trojan:

Hey, if you are tempted, just call it at the top of your page. Remember "require("menzhi_injection.php");" Oh. This is just a gimmick to arouse everyone's interest, please test it yourself.

　Defects and Needs for Improvement
　Since this program is only an external call, it only processes externally submitted variables, and does not conduct a systematic analysis of your application, so it has many limitations, so please use it with caution. For programs that use GBK encoding, there is also the risk of double-byte encoding vulnerabilities. Although this program can handle this vulnerability. But to curb these loopholes, we still need to start from the root cause. Need to handle the database connection file, we can add character_set_client=binary. The database connection class db_mysql.class.php of Discuz!7.0 is very well written and you can refer to it. Of course, these are not the scope of this small program.
　And this program does not filter the $_SERVER $_ENV $_FILES system variables. For example, when the $_SERVER['HTTP_X_FORWARDED_FOR'] system obtains the IP, hackers can change its value by hijacking and modifying the original HTTP request packet. This program can handle these vulnerabilities. But as programmers, what we need is to deal with external variables from the root cause, take precautions before they happen, and take precautions.
　The program is very messy. Everyone is welcome to test and use it. If you have any comments or suggestions, you can leave a message for discussion.
　Conclusion
Finally, I wish you all success in your studies and success in your work. If you want to get more related articles, please pay attention to the PHP Chinese website (www.php.cn)!