A PHP function that uses the query string to provide some extra security
Published: 2020-12-13 21:55:24 Category: PHP tutorials Source: collected from the web
A few years ago I started using the following code, included at the top of my pages. I read that it was good and have been using it since. But I wonder, is it actually useful?
    $page = "index.php";
    $cracktrack = $_SERVER['QUERY_STRING'];
    // Blacklist of substrings that must not appear anywhere in the raw query string
    $wormprotector = array(
        'chr(','chr=','chr%20','%20chr','wget%20','%20wget','wget(','cmd=','%20cmd','cmd%20',
        'rush=','%20rush','rush%20','union%20','%20union','union(','union=','echr(','%20echr','echr%20',
        'echr=','esystem(','esystem%20','cp%20','%20cp','cp(','mdir%20','%20mdir','mdir(','mcd%20',
        'mrd%20','rm%20','%20mcd','%20mrd','%20rm','mcd(','mrd(','rm(','mcd=','mrd=',
        'mv%20','rmdir%20','mv(','rmdir(','chmod(','chmod%20','%20chmod','chmod=','chown%20','chgrp%20',
        'chown(','chgrp(','locate%20','grep%20','locate(','grep(','diff%20','kill%20','kill(','killall',
        'passwd%20','%20passwd','passwd(','telnet%20','vi(','vi%20','insert%20into','select%20','nigga(','%20nigga',
        'nigga%20','fopen','fwrite','%20like','like%20','$_request','$_get','$request','$get','.system',
        'HTTP_PHP','&aim','%20getenv','getenv%20','new_password','&icq','/etc/password','/etc/shadow','/etc/groups','/etc/gshadow',
        'HTTP_USER_AGENT','HTTP_HOST','/bin/ps','unamex20-a','/usr/bin/id','/bin/echo','/bin/kill','/bin/','/chgrp','/chown',
        '/usr/bin','g++','bin/python','bin/tclsh','bin/nasm','perl%20','traceroute%20','ping%20','.pl','/usr/X11R6/bin/xterm',
        'lsof%20','/bin/mail','.conf','motd%20','HTTP/1.','.inc.php','config.php','cgi-','.eml','file://',
        'window.open','<SCRIPT>','javascript://','img src','img%20src','.jsp','ftp.exe','xp_enumdsn','xp_availablemedia','xp_filelist',
        'xp_cmdshell','nc.exe','.htpasswd','servlet','/etc/passwd','wwwacl','~root','~ftp','.js','admin_',
        '.history','bash_history','.bash_history','~nobody','server-info','server-status','reboot%20','halt%20','powerdown%20','/home/ftp',
        '/home/www','secure_site,ok','chunked','org.apache','/servlet/con','<script','/robot.txt','/perl','mod_gzip_status','db_mysql.inc',
        '.inc','select%20from','select from','drop%20','getenv','http_','_php','php_','phpinfo()','<?php',
        '?>','sql='
    );
    // Replace every blacklisted substring with '*'; if the result differs, the query string matched
    $checkworm = str_replace($wormprotector, '*', $cracktrack);
    if ($cracktrack != $checkworm) {
        $cremotead  = $_SERVER['REMOTE_ADDR'];      // client address (collected, never used)
        $cuseragent = $_SERVER['HTTP_USER_AGENT'];  // client user agent (collected, never used)
        header("location:$page");                   // redirect to the start page
        die();
    }

Solution
In general, I personally would not use this strategy. I would rather sanitize every single input. If a user passes .bash_history in the URL, I don't care, because it will never do anything in my script.
If you have some third-party, low-reliability script that anyone can use, I could perhaps see something like this being useful. Even in that case, it looks like a semi-reliable band-aid. But for applications you write yourself, this should be unnecessary.
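An added example of the per-input approach the answer recommends (not code from the question or the answer): each parameter is validated or encoded for the context it is used in, rather than scanning QUERY_STRING for suspicious words. The function names, the `users` table and the in-memory SQLite database (pdo_sqlite) are assumptions for illustration.

```php
<?php
// Added example: handle each input for its own context instead of a
// blacklist over the whole query string. Names and table are assumed.

// 1. A "p" parameter that selects a page: allowlist of known pages only.
function resolve_page(array $get): string {
    $allowed = ['index', 'about', 'contact'];
    $page = $get['p'] ?? 'index';
    return in_array($page, $allowed, true) ? "$page.php" : 'index.php';
}

// 2. An "id" parameter that reaches SQL: must be a positive integer, and is
//    bound as a parameter so the database never treats it as SQL text.
function fetch_user(PDO $db, array $get): ?array {
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. A free-text "q" parameter echoed back into HTML: no word filtering,
//    only encoding for the HTML context it lands in.
function render_search(array $get): string {
    $q = (string)($get['q'] ?? '');
    return '<p>Results for: '
        . htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample request (not real traffic): a harmless search phrase
// that the blacklist in the question would redirect away, because the raw
// query string contains "grep%20" and ".js". Here it is simply handled.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (42, 'alice')");
$get = ['p' => 'about', 'id' => '42', 'q' => 'how to grep logs in app.js'];

echo resolve_page($get), "\n";
print_r(fetch_user($db, $get));
echo render_search($get), "\n";
echo resolve_page(['p' => 'missing']), "\n";   // falls back to index.php
var_dump(fetch_user($db, ['id' => '42 OR 1=1'])); // not an integer: null
```

The point is that a benign request is never turned away for containing a "forbidden" word, and a malformed parameter is rejected at the one place where it would matter.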