<?php
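/**
 * Error handler registered by set_error_handler() below: reports the error
 * and terminates the script.
 *
 * The original dropped $errstr entirely and echoed $errfile unescaped; error
 * messages and paths can carry request-derived text, so the full detail now
 * goes to the server log and the HTML output is escaped.
 *
 * @param int    $errno   error level (E_* constant value)
 * @param string $errstr  error message (logged server-side only)
 * @param string $errfile file in which the error was raised
 * @param int    $errline line on which the error was raised
 */
function customError($errno, $errstr, $errfile, $errline)
{
    // Keep the complete record where only operators can read it.
    error_log(sprintf('[%d] %s in %s on line %d', $errno, $errstr, $errfile, $errline));

    // Escape before interpolating into HTML; the integers are cast so that
    // nothing but digits reaches the page from those two fields.
    $file = htmlspecialchars($errfile, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $number = (int) $errno;
    $line = (int) $errline;

    // NOTE(review): this still reveals a server-side path to the client;
    // consider reporting only the error number here and keeping the path
    // in the log entry above.
    echo "<b>Error number:</b> [$number],error on line $line in $file<br />";
    die();
}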
set_error_handler("customError",E_ERROR);
// Blacklist fragments consumed by StopAttack(), which wraps each one in
// "/.../is" (case-insensitive, dot matches newline). Written single-quoted so
// the pattern reads exactly as it is matched, without double escaping.
// NOTE(review): the first alternative of $getfilter is a bare apostrophe, so
// any GET value containing one (names like O'Brien) is rejected; pattern
// blacklists of this kind complement, but do not replace, prepared statements
// and per-context output escaping in the application.
$getfilter = '\'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)';
$postfilter = '\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)';
// Cookies are screened with exactly the same pattern as POST bodies.
$cookiefilter = $postfilter;
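/**
 * Abort the request when one request value matches a blacklist pattern.
 *
 * On a match the key/value pair is appended to a dated log file in the
 * working directory, a fixed notice is echoed and the script exits. On no
 * match the function returns without effect.
 *
 * @param string|int $StrFiltKey   parameter name (used for the log entry only)
 * @param mixed      $StrFiltValue parameter value; arrays are flattened recursively
 * @param string     $ArrFiltReq   regex body, wrapped in "/.../is" before matching
 */
function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq)
{
    if (is_array($StrFiltValue)) {
        // implode() on a nested array (a[b][c]=x) yields the literal "Array",
        // so the nested contents were never inspected. Flatten all leaves instead;
        // for flat arrays this equals implode() with an empty separator.
        $leaves = [];
        array_walk_recursive($StrFiltValue, function ($leaf) use (&$leaves) {
            $leaves[] = (string) $leaf;
        });
        $StrFiltValue = implode('', $leaves);
    } else {
        $StrFiltValue = (string) $StrFiltValue;
    }

    if (preg_match('/' . $ArrFiltReq . '/is', $StrFiltValue) === 1) {
        // Request-controlled text goes into the log: escape control characters
        // so embedded newlines cannot forge additional log lines.
        $safeKey = addcslashes((string) $StrFiltKey, "\0..\37\177");
        $safeValue = addcslashes($StrFiltValue, "\0..\37\177");

        // These $_SERVER entries are absent outside a web SAPI.
        $serverValue = function ($name) {
            return isset($_SERVER[$name]) ? $_SERVER[$name] : '-';
        };

        // Same entry layout as before; date() replaces strftime(), which is
        // deprecated since PHP 8.1.
        $entry = sprintf(
            "IP: %s: %s:%s: %s: %s: %s\n",
            $serverValue('REMOTE_ADDR'),
            date('Y-m-d H:i:s'),
            $serverValue('PHP_SELF'),
            $serverValue('REQUEST_METHOD'),
            $safeKey,
            $safeValue
        );
        error_log($entry, 3, 'XundaslSqlSafe-' . date('Y-m-d') . '.log');

        echo "警告:非法操作!";
        exit();
    }
}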
// Screen every incoming parameter, in the same order as before: query string,
// then POST body, then cookies. StopAttack() exits on the first match.
foreach ([[$_GET, $getfilter], [$_POST, $postfilter], [$_COOKIE, $cookiefilter]] as $source) {
    foreach ($source[0] as $key => $value) {
        StopAttack($key, $value, $source[1]);
    }
}
?>