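Konu Başlığı: Php için Sql injection önleme Gönderen: 3L3cTRic üzerinde Mart 28, 2009, 06:52:04 ÖS Kod:
<?php
// guvenlik.php — request blacklist filter, meant to be included at the top of every page.
//
// Scans the query string, every $_GET value and every $_POST value for HTML- and
// SQL-looking fragments, logs a hit to `alinan_hatalar` together with the client IP,
// and stops the request. A blacklist like this only narrows the surface: the pages
// that include it still need prepared statements for their own queries and
// htmlspecialchars() on output — this file does not replace either. The bare
// substring checks below ('select', 'insert', 'exec', ...) also hit ordinary words,
// so expect false positives on normal parameters.
//
// Changes against the original listing: string literals restored (the listing had
// lost its quotes), eregi() replaced by preg_match() (eregi is gone since PHP 7),
// mysql_* replaced by mysqli with a bound INSERT (the original INSERT had unquoted
// values and an unescaped $ip), the undefined $sec_key replaced by the loop
// variable, the discarded str_replace() result now assigned, the unused
// base64_decode() removed, and the two PHP segments merged so no stray newline is
// sent before the page's own headers.

// NOTE(review): connection settings belong in a config file outside the web root;
// localhost/root/root is what the original listing used. Echoing the driver's
// error text to the client (die below) is also kept from the original.
$db = mysqli_connect('localhost', 'root', 'root');
if (!$db) {
    die(mysqli_connect_error());
}
if (!mysqli_select_db($db, 'dbadi')) {
    die(mysqli_error($db));
}

$queryString = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
// Behind a reverse proxy this is the proxy's address, not the visitor's.
// `ip_adres` is varchar(20) in the schema below, so IPv6 addresses would be truncated.
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

// Records the hit and ends the request.
// Columns of alinan_hatalar: (hata_id, tarih, hata, adres, ip_adres).
// Bound parameters replace the addslashes(mysql_real_escape_string()) double
// escaping of the original, so the raw query string is stored as seen.
$engelle = function ($hata, $mesaj) use ($db, $queryString, $ip) {
    $datetime = date('Y-m-d H:i:s');
    $stmt = mysqli_prepare($db, 'INSERT INTO alinan_hatalar VALUES (NULL, ?, ?, ?, ?)');
    if ($stmt) {
        mysqli_stmt_bind_param($stmt, 'ssss', $datetime, $hata, $queryString, $ip);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
    die($mesaj);
};

// Collects every scalar leaf of a (possibly nested) request array as a string,
// so array-valued parameters (a[]=...) are inspected too instead of being
// stringified as "Array".
$yapraklar = function ($deger) use (&$yapraklar) {
    if (!is_array($deger)) {
        return array((string) $deger);
    }
    $sonuc = array();
    foreach ($deger as $alt) {
        $sonuc = array_merge($sonuc, $yapraklar($alt));
    }
    return $sonuc;
};

// True when any entry of $liste occurs in $metin (case-insensitive substring).
$iceriyor = function ($metin, $liste) {
    foreach ($liste as $parca) {
        if (stristr($metin, $parca) !== false) {
            return true;
        }
    }
    return false;
};

// True when any PCRE pattern in $liste matches $metin.
$desenUyuyor = function ($metin, $liste) {
    foreach ($liste as $desen) {
        if (preg_match($desen, $metin) === 1) {
            return true;
        }
    }
    return false;
};

// 1) HTML/script fragments in any GET value -> "HTML HATASI".
// The patterns are the original eregi() ones with delimiters and the i flag added.
// Quirk kept as written: `script*` means "scrip" followed by any number of "t".
$getDesenleri = array(
    '/<[^>]*script*"?[^>]*/i',
    '/<[^>]*object*"?[^>]*/i',
    '/<[^>]*iframe*"?[^>]*/i',
    '/<[^>]*applet*"?[^>]*/i',
    '/<[^>]*meta*"?[^>]*/i',
    '/<[^>]*style*"?[^>]*/i',
    '/<[^>]*form*"?[^>]*/i',
    '/<[^>]*img*"?[^>]*/i',
    '/<[^>]*onmouseover *"?[^>]*/i',
    '/<[^>]*body *"?[^>]*/i',
    '/\([^>]*"?[^)]*\)/i',   // any parenthesised expression
    '/"/',                   // any double quote
    '/forum_admin/i',        // the original tested these two against an undefined $sec_key
    '/inside_mod/i',
);
foreach ($yapraklar($_GET) as $secvalue) {
    if ($desenUyuyor($secvalue, $getDesenleri)) {
        $engelle('HTML HATASI', 'Hata!!-Bilgisayarınızın ipsi kontrol için kaydedildi!');
    }
}

// 2) POST body, flattened to key=value pairs joined by '&' (same shape as the
// original concatenation), then %09 folded into %20 so the checks below see one
// form of encoded whitespace. The original called str_replace() without using
// its result.
$ciftler = array();
foreach ($_POST as $postkey => $postvalue) {
    foreach ($yapraklar($postvalue) as $yaprak) {
        $ciftler[] = $postkey . '=' . $yaprak;
    }
}
$postString = str_replace('%09', '%20', implode('&', $ciftler));

// stristr() is case-insensitive, so the bare 'union' entry already covers the
// %20union%20, */union/*, +union+, */UNION and UNION/* entries of the original.
// The original list also held an entry that rendered as `document.....` in the
// listing; it was unreadable and is not reproduced — restore it from the real
// source if it was anything other than 'document.cookie'.
$postParcalari = array(
    'union',
    '/*',
    'http-equiv',
    'alert(',
    'javascript:',
    'document.cookie',
    'onmouseover=',
    'c2nyaxb0',   // base64 of "script" (c2NyaXB0), compared case-insensitively
);
$postDesenleri = array(
    '/<[^>]*iframe*"?[^>]*/i',
    '/<[^>]*object*"?[^>]*/i',
    '/<[^>]*applet*"?[^>]*/i',
    '/<[^>]*meta*"?[^>]*/i',
    '/<[^>]script*"?[^>]*/i',   // single [^>] here and on style, as in the original
    '/<[^>]*body*"?[^>]*/i',
    '/<[^>]style*"?[^>]*/i',
);
if ($iceriyor($postString, $postParcalari) || $desenUyuyor($postString, $postDesenleri)) {
    $engelle('POST HATASI', 'Hata!!-Bilgisayarınızın ipsi kontrol için kaydedildi!');
}

// 3) Outside /index.php, any '/' or 'http://' in the query string -> "ADRES HATASI-2".
$phpSelf = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
if ($phpSelf !== '/index.php') {
    if (stristr($queryString, 'http://') !== false || stristr($queryString, '/') !== false) {
        $engelle('ADRES HATASI-2', 'Hata!!-Bilgisayarınızın ipsi kontrol için kaydedildi!');
    }
}

// 4) SQL/command-looking words in the query string -> "ADRES HATASI-4".
// 'union' again covers the %20union%20, */union/* and +union+ variants.
// 'cmd=' is allowed when it appears as '&cmd', 'exec' when it is part of 'execu…'
// (kept exactly as the original wrote these two exceptions).
$adresParcalari = array('union', '/*', 'select', 'insert', 'c2nyaxb0', 'http://', 'shell', 'concat');
if ($iceriyor($queryString, $adresParcalari)
    || (stristr($queryString, 'cmd=') !== false && stristr($queryString, '&cmd') === false)
    || (stristr($queryString, 'exec') !== false && stristr($queryString, 'execu') === false)
) {
    $engelle('ADRES HATASI-4', 'Hata!!-Bilgisayarınızın IP si kontrol için kaydedildi!');
}
?>
bunu guvenlik.php olarak kaydedip sayfalara inc. edebilirsiniz bu sql kısmı; Kod:
CREATE TABLE `alinan_hatalar` (
  `hata_id` int(11) NOT NULL auto_increment,
  `tarih` datetime NOT NULL default '0000-00-00 00:00:00',
  `hata` varchar(100) NOT NULL default '',
  `adres` varchar(50) NOT NULL default '',
  `ip_adres` varchar(20) NOT NULL default '',
  PRIMARY KEY (`hata_id`),
  KEY `ip_adres` (`ip_adres`)
) ENGINE=MyISAM DEFAULT CHARSET=latin5 AUTO_INCREMENT=4 ;
Konu Başlığı: Ynt: Php İçin Sql İnjection Önleme Gönderen: energy üzerinde Temmuz 04, 2009, 03:01:36 ÖS eğer işe yarıyorsa süper ;)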
benzeri güvenlik önlemleri bir cok kişi icin hayat kurtarır