pot adauga in config niste scripturi anti sql injection?
Scris: 10-Mar-2010, 09:47:50
Cum spune titlu pot adauga in config urmatoarele ?
Cod: Selectaţi tot
// ANTI SQL INJECTION
$ip = $_SERVER[REMOTE_ADDR];
$motiv = "Hacking Attempt";
$badchars = array(";","'","*","/"," \ ","DROP", "SELECT", "UPDATE", "DELETE", "drop", "select", "update", "delete", "WHERE", "where", "-0", "-", "-1", "-2", "-3","-4", "-5", "-6", "-7", "-8", "-9", "FROM", "from");
foreach($_POST as $value)
{
if(in_array($value, $badchars))
{
mysql_query("INSERT INTO lista_neagra (ip, motiv) VALUES ('$ip','$motiv')");
}
else
{
$check = preg_split("//", $value, -1, PREG_SPLIT_OFFSET_CAPTURE);
foreach($check as $char)
{
if(in_array($char, $badchars))
{
mysql_query("INSERT INTO lista_neagra (ip, motiv) VALUES ('$ip','$motiv')");
}
}
}
}
foreach($_GET as $value)
{
if(in_array($value, $badchars))
{
mysql_query("INSERT INTO lista_neagra (ip, motiv) VALUES ('$ip','$motiv')");
}
else
{
$check = preg_split("//", $value, -1, PREG_SPLIT_OFFSET_CAPTURE);
foreach($check as $char)
{
if(in_array($char, $badchars))
{
mysql_query("INSERT INTO lista_neagra (ip, motiv) VALUES ('$ip','$motiv')");
}
}
}
}
// Anti XSS (Cross Side Scripting)
foreach ($_GET as $check_url) {
if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) ||
(eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) ||
(eregi("\"", $check_url))) {
die ();
}
}