Başlık: Php için Sql injection Önleme
Gönderen: 3L3cTRic - Mart 28, 2009, 06:52:04 ÖS
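<?php
/*
 * guvenlik.php -- request blacklist, included at the top of every page.
 *
 * Review note: this file does NOT prevent SQL injection. It is a substring /
 * regex blacklist run over the request; blacklists are bypassed with encoding,
 * comment and whitespace variants, and the rules below also reject plenty of
 * legitimate input ("select", "union", "shell", "exec", any "/" outside
 * index.php ...). The real defence is parameterised queries (mysqli/PDO
 * prepared statements) wherever SQL is built. Treat this include as logging
 * and nuisance filtering, nothing more.
 *
 * Defects fixed relative to the posted version (behaviour is otherwise kept):
 *  - eregi() was removed in PHP 7; the same patterns now run via preg_match().
 *  - forum_admin / inside_mod were tested against the undefined $sec_key, so
 *    those two rules never fired; they now test the request value.
 *  - array parameters (a[]=..., a[b]=...) bypassed both loops: eregi() on an
 *    array returned false and $_POST arrays became the literal "Array".
 *    Inputs are flattened to name/value pairs first.
 *  - the query-string rules only saw the raw, still URL-encoded
 *    $_SERVER['QUERY_STRING'], so "%75nion" passed although $_GET delivers
 *    "union"; the URL-decoded form is now checked as well.
 *  - str_replace() result was thrown away and base64_decode() was unused.
 *  - the logged query string was escaped twice (addslashes after
 *    mysql_real_escape_string), corrupting the stored text, and the IP was not
 *    escaped at all; both are now escaped exactly once, at the insert.
 *
 * Still open, needs more than this include: the mysql_* extension is gone
 * since PHP 7 and the connection uses hard-coded root credentials. Move to
 * mysqli/PDO with a least-privilege account. The connection stays here
 * because the including pages appear to rely on it (not visible from this
 * file -- confirm before moving it).
 */
mysql_connect("localhost", "root", "root") or die(mysql_error());
mysql_select_db("dbadi") or die(mysql_error());

$queryString = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
// REMOTE_ADDR is the TCP peer: behind a reverse proxy this logs the proxy.
$ip          = isset($_SERVER['REMOTE_ADDR'])  ? $_SERVER['REMOTE_ADDR']  : '';
// Kept as a global for compatibility; escaped once, for the log insert only.
$modul_guvenlik = mysql_real_escape_string($queryString);

if (!function_exists('guvenlik_duzlestir')) {
    /**
     * Flatten a request array into a list of array($name, $value) pairs.
     * Nested arrays produce PHP-style names ("a[b][c]") so every scalar the
     * application can read is inspected.
     *
     * @param mixed  $veri request array, or a scalar inside it
     * @param string $onek name prefix built up during recursion
     * @return array list of array(string $name, string $value)
     */
    function guvenlik_duzlestir($veri, $onek = '')
    {
        if (!is_array($veri)) {
            return array(array($onek, (string) $veri));
        }
        $ciftler = array();
        foreach ($veri as $anahtar => $deger) {
            $ad = ($onek === '') ? (string) $anahtar : $onek . '[' . $anahtar . ']';
            $ciftler = array_merge($ciftler, guvenlik_duzlestir($deger, $ad));
        }
        return $ciftler;
    }
}

if (!function_exists('guvenlik_engelle')) {
    /**
     * Log a blocked request to alinan_hatalar and stop the script.
     *
     * @param string $hata  rule category, a fixed label such as 'HTML HATASI'
     * @param string $adres query string, already escaped for SQL
     * @param string $ip    client address from REMOTE_ADDR; escaped here
     * @param string $mesaj text shown to the client before exit
     * @return never
     */
    function guvenlik_engelle($hata, $adres, $ip, $mesaj)
    {
        $tarih = date('Y-m-d H:i:s');
        $ipEsc = mysql_real_escape_string($ip);
        // A failed log insert must not turn a blocked request into an allowed
        // one, so the result is intentionally not checked (as before).
        mysql_query("insert into alinan_hatalar values(NULL,'$tarih','$hata','$adres','$ipEsc')");
        die($mesaj);
    }
}

if (!function_exists('guvenlik_adres_kontrol')) {
    /**
     * Run the query-string rules over one form of the query string and return
     * the log label of the first rule that matches, or false.
     *
     * @param string $qs         query string, raw or URL-decoded
     * @param bool   $indexDegil true when the running script is not /index.php
     * @return string|false
     */
    function guvenlik_adres_kontrol($qs, $indexDegil)
    {
        // Outside index.php neither an absolute URL nor any slash is allowed.
        if ($indexDegil && (stristr($qs, 'http://') !== false || strpos($qs, '/') !== false)) {
            return 'ADRES HATASI-2';
        }
        // "union" also covers the posted "%20union%20", "*/union/*" and
        // "+union+" rules; "/*" covers "*/union/*".
        $kelimeler = array('/*', 'union', 'select', 'insert', 'c2nyaxb0', 'http://', 'shell', 'concat');
        foreach ($kelimeler as $kelime) {
            if (stristr($qs, $kelime) !== false) {
                return 'ADRES HATASI-4';
            }
        }
        // Kept verbatim from the posted logic: "cmd=" present while "&cmd" is
        // absent anywhere; "exec" present while "execu" is absent anywhere.
        if (stristr($qs, 'cmd=') !== false && stristr($qs, '&cmd') === false) {
            return 'ADRES HATASI-4';
        }
        if (stristr($qs, 'exec') !== false && stristr($qs, 'execu') === false) {
            return 'ADRES HATASI-4';
        }
        return false;
    }
}

// 1) GET: HTML-injection patterns, applied to every name and value.
//    These are the posted eregi() patterns verbatim; the trailing "*" makes
//    the last letter of each tag name optional ("scrip" matches too).
$getDesenleri = array(
    '/<[^>]*script*"?[^>]*/i',
    '/<[^>]*object*"?[^>]*/i',
    '/<[^>]*iframe*"?[^>]*/i',
    '/<[^>]*applet*"?[^>]*/i',
    '/<[^>]*meta*"?[^>]*/i',
    '/<[^>]*style*"?[^>]*/i',
    '/<[^>]*form*"?[^>]*/i',
    '/<[^>]*img*"?[^>]*/i',
    '/<[^>]*onmouseover *"?[^>]*/i',
    '/<[^>]*body *"?[^>]*/i',
    '/\([^>]*"?[^)]*\)/i',   // any "(...)" group
    '/"/',                   // any double quote
    '/forum_admin/i',        // previously compared against an undefined variable
    '/inside_mod/i',
);
foreach (guvenlik_duzlestir($_GET) as $cift) {
    foreach ($cift as $parca) {
        foreach ($getDesenleri as $desen) {
            if (preg_match($desen, $parca) === 1) {
                guvenlik_engelle('HTML HATASI', $modul_guvenlik, $ip,
                    'Hata!!-Bilgisayar?n?z?n ipsi kontrol için kaydedildi!');
            }
        }
    }
}

// 2) POST: rebuilt as "name=value&name=value" from the decoded $_POST, so the
//    "%20union%20" rule can only hit a literally double-encoded value (kept).
$postParcalari = array();
foreach (guvenlik_duzlestir($_POST) as $cift) {
    $postParcalari[] = $cift[0] . '=' . $cift[1];
}
$postString = implode('&', $postParcalari);

$postDesenleri = array(
    '/<[^>]*iframe*"?[^>]*/i',
    '/<[^>]*object*"?[^>]*/i',
    '/<[^>]*applet*"?[^>]*/i',
    '/<[^>]*meta*"?[^>]*/i',
    '/<[^>]script*"?[^>]*/i',   // exactly one char between "<" and "scrip" (as posted)
    '/<[^>]*body*"?[^>]*/i',
    '/<[^>]style*"?[^>]*/i',    // same quirk as the script rule
);
// Case-insensitive literals. "/*" also covers the posted "*/union/*",
// "*/UNION " and " UNION/*" rules; duplicates from the posted list appear once.
$postKelimeleri = array(
    '%20union%20', ' union ', '+union+', '/*',
    'http-equiv', 'alert(', 'javascript:', 'document.cookie', 'onmouseover=',
    'c2nyaxb0',   // base64("script") is "c2NyaXB0"; stristr ignores case
    'document.........................................',   // literal, kept as posted
);
foreach ($postDesenleri as $desen) {
    if (preg_match($desen, $postString) === 1) {
        guvenlik_engelle('POST HATASI', $modul_guvenlik, $ip,
            'Hata!!-Bilgisayar?n?z?n ipsi kontrol için kaydedildi!');
    }
}
foreach ($postKelimeleri as $kelime) {
    if (stristr($postString, $kelime) !== false) {
        guvenlik_engelle('POST HATASI', $modul_guvenlik, $ip,
            'Hata!!-Bilgisayar?n?z?n ipsi kontrol için kaydedildi!');
    }
}

// 3) Query string: inspected raw and URL-decoded. Raw first, so the label
//    logged for requests the posted version already blocked is unchanged.
//    PHP_SELF is kept as the page test, as posted; note it includes any
//    PATH_INFO suffix, so "/index.php/x" counts as "not index.php".
$indexDegil = !isset($_SERVER['PHP_SELF']) || $_SERVER['PHP_SELF'] != "/index.php";
$adresMesajlari = array(
    'ADRES HATASI-2' => 'Hata!! -Bilgisayar?n?z?n ipsi kontrol için kaydedildi!',
    'ADRES HATASI-4' => 'Hata!!-Bilgisayar?n?z?n IP si kontrol için kaydedildi!',
);
foreach (array($queryString, urldecode($queryString)) as $qs) {
    $hata = guvenlik_adres_kontrol($qs, $indexDegil);
    if ($hata !== false) {
        guvenlik_engelle($hata, $modul_guvenlik, $ip, $adresMesajlari[$hata]);
    }
}
?>
Bunu guvenlik.php olarak kaydedip sayfalara include edebilirsiniz. Not: bu dosya bir kara liste filtresidir, SQL injection'ı tek başına engellemez; asıl koruma sayfalardaki sorguların parametreli (prepared statement) yazılmasıdır. SQL kısmı: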
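-- Log of blocked requests, written by guvenlik.php (one row per blocked request).
-- Changes relative to the posted version:
--   * ip_adres widened 20 -> 45: REMOTE_ADDR may be an IPv6 address (up to 39
--     characters, 45 for IPv4-mapped forms), which varchar(20) truncated.
--   * adres widened 50 -> 255: it stores the (escaped) query string, and
--     truncation dropped exactly the part worth looking at.
--   * the '0000-00-00 00:00:00' default dropped: the script always supplies the
--     timestamp, and a zero date is rejected when NO_ZERO_DATE is active
--     (part of the MySQL 5.7+ default sql_mode).
--   * the stale AUTO_INCREMENT=4 dump residue removed.
-- Kept: MyISAM and latin5 (Turkish), to match the rest of the application.
CREATE TABLE `alinan_hatalar` (
  `hata_id`  int(11)      NOT NULL AUTO_INCREMENT,
  `tarih`    datetime     NOT NULL,
  `hata`     varchar(100) NOT NULL DEFAULT '',
  `adres`    varchar(255) NOT NULL DEFAULT '',
  `ip_adres` varchar(45)  NOT NULL DEFAULT '',
  PRIMARY KEY (`hata_id`),
  KEY `ip_adres` (`ip_adres`)
) ENGINE=MyISAM DEFAULT CHARSET=latin5;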
Başlık: Ynt: Php İçin Sql İnjection Önleme
Gönderen: energy - Temmuz 04, 2009, 03:01:36 ÖS
eğer işe yarıyorsa süper ;)
benzeri güvenlik önlemleri bir çok kişi için hayat kurtarır