PHP Anti-Injection and Pseudo-Static URLs
PHP anti-injection. Without further ado, straight to the code. Anti-injection in PHP is mainly about stopping malicious input from being written into the backend database:

// Anti-injection function: rejects any value that contains one of the blacklisted
// SQL keywords, quotes, comment markers or path fragments.
// eregi() was removed in PHP 7, so the same pattern is run through preg_match()
// with the case-insensitive flag; arrays (such as $_GET) are checked element by element.
function inject_check($sql_str) {
    if (is_array($sql_str)) {
        foreach ($sql_str as $k => $v) {
            $sql_str[$k] = inject_check($v);
        }
        return $sql_str;
    }
    $pattern = '/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i';
    if (preg_match($pattern, $sql_str)) {
        echo "输入非法内容";
        exit();
    }
    return $sql_str;
}
// Run the received parameters through the check, then use only the checked values
$_GET = inject_check($_GET);
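The blacklist above both rejects legitimate text (any value containing "select" or an apostrophe) and is not what actually keeps user input out of the SQL structure. The following is an added example, not code from the original post, showing the same task of writing request data into the backend database done with a prepared statement. It assumes the pdo_sqlite extension is available; the users table, the column names and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not code from the original post. The user's text is bound as
// data through a prepared statement, so quotes or SQL keywords inside it cannot
// alter the statement. Uses an in-memory SQLite database so it runs offline.
// Assumes the pdo_sqlite extension; the users table and inputs are constructed.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, note TEXT)');
    return $db;
}

// Insert with named placeholders; returns the new row id.
function add_user(PDO $db, string $username, string $note): int
{
    $stmt = $db->prepare('INSERT INTO users (username, note) VALUES (:username, :note)');
    $stmt->execute([':username' => $username, ':note' => $note]);
    return (int) $db->lastInsertId();
}

// Look a user up by exact name; the parameter is compared as a value and is
// never spliced into the SQL text.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, note FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = open_demo_db();
// Constructed input: harmless free text that inject_check() would reject outright,
// because it contains the keyword "select" and a single quote. Here it is stored verbatim.
$id = add_user($db, 'demo', "Please select a seat; it's on the left");
var_dump($id);
var_dump(find_user($db, 'demo'));
var_dump(find_user($db, 'nobody'));
```

Run it with `php` on the command line. The keyword check can still be kept as an input-validation layer, but the prepared statement is what guarantees that parameter values are treated as data.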
PHP pseudo-static function. This is my own original work, provided for study and exchange only; if you use it in real development and run into security problems, it has nothing to do with me.
/**
 * @abstract Process the PHP URL to implement the pseudo-static feature
 * @author yangqijun 2011-03-07 youngqj@126.com
 * @version 1.0
 */
function url_rewrite() {
    $tem = array();
    $nav = $_SERVER["REQUEST_URI"];
    $script_name = $_SERVER["SCRIPT_NAME"];
    $info = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
    if ($info === '' || $info === '/') {
        return false;
    }
    if (IS_REWRITE) { // << is the rewrite module enabled on the server?
        $nav = $script_name . $info;
    }
    // Strip the script name prefix and the leading slash
    // (ereg_replace() was removed in PHP 7, so preg_replace() is used instead)
    $nav = preg_replace('#^' . preg_quote($script_name, '#') . '#', '', urldecode($nav));
    $nav = substr($nav, 1);
    if (substr($nav, -1) == '/') {
        $nav = substr($nav, 0, -1);
    }
    $nav = strtolower($nav);
    // Only the first slash-delimited segment carries the routing information
    $segments = explode("/", $nav);
    $first = $segments[0];
    if (strpos($first, '&') !== false) {
        $arg = explode('&', $first);
        foreach ($arg as $k => $val) {
            if (strpos($val, '=') !== false) {
                $param = explode('=', $val, 2);
                $tem[$param[0]] = $param[1];   // name=value becomes a route parameter
            } else {
                $tem[] = $val;                 // bare segment (the controller) keeps a numeric key
            }
        }
        $arg = $tem;
    } else {
        $arg = $first;
    }
    return $arg;
}
A simple call looks like this:
define('IS_REWRITE', false); // is the rewrite module enabled on the server?
session_start();
include 'function.php';      // provides url_rewrite(), display() and check_userLogin()
$filename = basename($_SERVER['SCRIPT_NAME']);
$arg = url_rewrite();
$route = array();
if (!$arg) {
    // No path given: send the visitor to login, or to demo when already logged in
    if (!check_userLogin()) {
        header("Location: $filename/login");
    } else {
        header("Location: $filename/demo");
    }
    exit();
}
$controller = '';
if (is_array($arg)) {
    foreach ($arg as $key => $value) {
        if (is_int($key) && $controller === '') {
            $controller = $value;     // the first bare segment is the controller
        } else {
            $route[$key] = $value;    // name=value pairs become route parameters
        }
    }
} else {
    $controller = $arg;
}
// Everything except login and reg requires a logged-in session
if ($controller != 'login' && $controller != 'reg' && !check_userLogin()) {
    header("Location: $filename/login");
    exit();
}
display($controller);
The display() function used in the code above:
function display($view) {
    global $runtime, $route;
    // EXTR_SKIP keeps route parameters from overwriting $view and the other locals below
    @extract($route, EXTR_SKIP);
    // $view comes straight from the URL and is about to become a file name, so
    // restrict it to a plain identifier before building the path
    if (!preg_match('/^[a-z0-9_]+$/', $view)) {
        exit('Invalid view name');
    }
    $classname = ucwords(strtolower($view));
    $view = $view . '.php';
    $viewpath = $view;
    // SYS_DIR is assumed to be defined in the site configuration
    $siteurl = 'http://' . $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'] . '/' . SYS_DIR;
    if (!file_exists($viewpath)) {
        exit('The views ' . $view . ' is not exists!');
    }
    require $viewpath;
}
The resulting pseudo-static path is index.php/login&username=demo&password=123
PS: You can change the separator in url_rewrite() to suit your needs, for example replacing & with -
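The routing described above (controller name plus name=value pairs taken from PATH_INFO, with a configurable separator) can be exercised without a web server. The following is an added example, not code from the original post or its author: a pure function that parses the path, makes the separator a parameter as the PS suggests, and checks the controller name against a whitelist before it is ever used to build the file that display() requires. The controller list, the views directory and the sample paths are constructed for this demo.

```php
<?php
// Added example, not part of the original post. Parses a pseudo-static path
// such as "/login&username=demo&password=123" into a controller and parameters.
// The whitelist, the views directory and the inputs below are constructed.

const KNOWN_CONTROLLERS = ['login', 'reg', 'demo'];   // constructed whitelist

/**
 * $sep separates the controller from its parameters ('&' as in the post, or '-').
 * Returns ['controller' => string, 'params' => array], or null when the path is
 * empty or names a controller that is not on the whitelist.
 */
function parse_pseudo_static(string $path_info, string $sep = '&'): ?array
{
    $path = strtolower(trim(urldecode($path_info), '/'));
    if ($path === '') {
        return null;
    }
    // As in url_rewrite(), only the first slash-delimited segment is routing information
    $segment = explode('/', $path, 2)[0];
    $controller = null;
    $params = [];
    foreach (explode($sep, $segment) as $piece) {
        if (strpos($piece, '=') !== false) {
            [$name, $value] = explode('=', $piece, 2);
            // Parameter names become variable names in the view (via extract()),
            // so only accept plain identifiers
            if (preg_match('/^[a-z_][a-z0-9_]*$/', $name)) {
                $params[$name] = $value;
            }
        } elseif ($controller === null) {
            $controller = $piece;   // first bare piece is the controller
        }
    }
    // The name is later turned into "<name>.php" and required, so anything outside
    // the known set (including '..' or path separators) is refused here
    if ($controller === null || !in_array($controller, KNOWN_CONTROLLERS, true)) {
        return null;
    }
    return ['controller' => $controller, 'params' => $params];
}

// Fixed base directory plus a whitelisted name: the URL never contributes a path component
function view_path(string $controller): string
{
    return __DIR__ . '/views/' . $controller . '.php';
}

// Constructed inputs
$cases = [
    '/login&username=demo&password=123',   // controller login, two parameters
    '/demo-page=2',                        // with '&' as separator: no valid controller
    '/../config&x=1',                      // first segment is '..', refused by the whitelist
    '/',                                   // empty path
];
foreach ($cases as $c) {
    echo $c, "\n";
    var_dump(parse_pseudo_static($c));
}
// The same '-' separated path parsed with $sep = '-' yields controller demo, page=2
$r = parse_pseudo_static('/demo-page=2', '-');
var_dump($r);
if ($r !== null) {
    echo view_path($r['controller']), "\n";
}
```

In the original flow the parameters would then be extracted into the view's scope and the controller passed to display(); the identifier check on parameter names and the whitelist on the controller are the two checks that flow lacks.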