
MySql 防注入及SQL语句安全检测

2009-07-04 18:41
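/**
 * Screen a SQL statement for injection patterns before it is executed.
 *
 * Two passes are applied.  Step 1 (only when $querytype is 'select') rejects
 * the raw string when a dangerous keyword is delimited by non-identifier
 * characters.  Step 2 replaces every single-quoted literal with the marker
 * '$s$' (honouring backslash escapes), collapses whitespace, lower-cases the
 * result and then looks for union, comment markers, sleep, benchmark,
 * load_file, into outfile and a sub-select inside parentheses.
 *
 * Any hit is appended to the log file and the request is terminated with
 * exit(); the function only returns when the statement passed every test.
 *
 * DEDEINC, GetIP(), GetCurUrl() and $cfg_cookie_encode are provided by the
 * surrounding framework.
 *
 * @param string $db_string  SQL statement to check; returned unchanged on success
 * @param string $querytype  'select' enables the step-1 pre-filter; any other
 *                           value skips it and only step 2 runs
 * @return string            $db_string, unmodified
 */
function CheckSql($db_string, $querytype = 'select')
{
    global $cfg_cookie_encode;

    $clean   = '';
    $error   = '';
    $fail    = false;   // upstream never initialised this; !empty() on an undefined local raises a notice
    $old_pos = 0;
    $pos     = -1;
    // The log name is derived from the cookie secret so it is not trivially
    // guessable.  NOTE(review): it records client IP, URL and the raw query
    // joined by '||' without escaping, so a crafted URL can forge entries if
    // anything parses this file, and the data directory must not be
    // web-readable - confirm both.
    $log_file = DEDEINC . '/../data/' . md5($cfg_cookie_encode) . '_safe.txt';
    $userIP   = GetIP();
    $getUrl   = GetCurUrl();

    // Step 1: cheap pre-filter for plain SELECT statements.
    if ($querytype == 'select')
    {
        // The keyword must be surrounded by characters that cannot be part of
        // an identifier, so a column such as "union_id" does not trip it.
        // eregi() was removed in PHP 7; the same POSIX pattern is compiled as
        // PCRE with the /i flag.  The only difference is that inside a PCRE
        // class "\." is an escaped dot, so a backslash now also counts as a
        // delimiter (strictly more strings are rejected, never fewer).
        $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
        //$notallow2 = "--|/\*";
        if (preg_match('~' . $notallow1 . '~i', $db_string))
        {
            // file_put_contents() closes the handle; the original fopen()/fputs()
            // pair leaked it on every hit.
            file_put_contents($log_file, "$userIP||$getUrl||$db_string||SelectBreak\r\n", FILE_APPEND);
            exit("<font size='5' color='red'>Safe Alert: Request Error step 1 !</font>");
        }
    }

    // Step 2: full check on a normalised copy of the statement.
    // Replace every single-quoted literal with '$s$' so quoted user data
    // cannot match the keyword tests below.
    while (true)
    {
        $pos = strpos($db_string, '\'', $pos + 1);
        if ($pos === false)
        {
            break;
        }
        $clean .= substr($db_string, $old_pos, $pos - $old_pos);
        // Find the closing quote, stepping over backslash-escaped characters.
        while (true)
        {
            $pos1 = strpos($db_string, '\'', $pos + 1);
            $pos2 = strpos($db_string, '\\', $pos + 1);
            if ($pos1 === false)
            {
                // Unterminated literal: leave $pos where it is; the outer loop
                // will find no further quote and append the remainder as-is.
                break;
            }
            elseif ($pos2 === false || $pos2 > $pos1)
            {
                $pos = $pos1;
                break;
            }
            $pos = $pos2 + 1;   // skip the escaped character
        }
        $clean .= '$s$';
        $old_pos = $pos + 1;
    }
    $clean .= substr($db_string, $old_pos);
    $clean  = trim(strtolower(preg_replace(array('~\s+~s'), array(' '), $clean)));

    // Old MySQL had no UNION and the application never issues one, but it is
    // the classic injection primitive, so reject it.  The trailing class
    // "[^[a-z]" also excludes '[' - kept exactly as upstream wrote it so the
    // accepted set does not change.
    if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0)
    {
        $fail  = true;
        $error = "union detect";
    }
    // Shipped code rarely contains --, # or /* comments, but injected payloads
    // use them to cut off the rest of the statement.  A "/*" within the first
    // three characters is tolerated (upstream behaviour).
    elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, '#') !== false)
    {
        $fail  = true;
        $error = "comment detect";
    }
    // These functions are never needed by the application; they are used to
    // stall the server or to read and write files through the database.
    elseif (strpos($clean, 'sleep') !== false && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0)
    {
        $fail  = true;
        $error = "slown down detect";
    }
    elseif (strpos($clean, 'benchmark') !== false && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0)
    {
        $fail  = true;
        $error = "slown down detect";
    }
    elseif (strpos($clean, 'load_file') !== false && preg_match('~(^|[^a-z])load_file($|[^[a-z])~s', $clean) != 0)
    {
        $fail  = true;
        $error = "file fun detect";
    }
    // Whitespace was collapsed above, so the plain strpos() on 'into outfile'
    // is a valid fast path before the regex.
    elseif (strpos($clean, 'into outfile') !== false && preg_match('~(^|[^a-z])into\s+outfile($|[^[a-z])~s', $clean) != 0)
    {
        $fail  = true;
        $error = "file fun detect";
    }
    // Old MySQL had no sub-queries and the application barely uses them, but
    // they let an attacker read other tables.
    elseif (preg_match('~\([^)]*?select~s', $clean) != 0)
    {
        $fail  = true;
        $error = "sub select detect";
    }

    if ($fail)
    {
        file_put_contents($log_file, "$userIP||$getUrl||$db_string||$error\r\n", FILE_APPEND);
        exit("<font size='5' color='red'>Safe Alert: Request Error step 2!</font>");
    }

    return $db_string;
}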
