PHP SQL injection prevention: sample code analysis and regular expressions for several common attacks

  • 2020-12-13 18:56:03
  • OfStack

Injection vulnerability code and analysis


<?php 
// Custom error handler: prints the error details and stops the script.
// Note that E_ERROR cannot be intercepted by a user handler (see the analysis
// below), so with the E_ERROR mask used here this handler is never invoked.
function customError($errno, $errstr, $errfile, $errline) 
{ 
    echo "<b>Error number:</b> [$errno], error on line $errline in $errfile<br />"; 
    die(); 
} 
set_error_handler("customError", E_ERROR); 

// Blacklist patterns applied to GET, POST and COOKIE values respectively.
$getfilter="'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; 
$postfilter="\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; 
$cookiefilter="\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; 

// Matches one request value against a pattern; on a hit, logs the request and
// aborts. Any request carrying a 'securityToken' parameter skips the check
// entirely, and the token's value is never validated, so the filter should not
// be relied on as written.
function StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq)
{    
    if(is_array($StrFiltValue)) 
    { 
        $StrFiltValue=implode($StrFiltValue); 
    } 
    if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue)==1&&!isset($_REQUEST['securityToken']))
    { 
        slog("<br><br> operation IP: ".$_SERVER["REMOTE_ADDR"]."<br> Operating time : ".date("Y-m-d H:i:s")."<br> The operation page :".$_SERVER["PHP_SELF"]."<br> submission : ".$_SERVER["REQUEST_METHOD"]."<br> Submit parameters : ".$StrFiltKey."<br> Submit data : ".$StrFiltValue); 
        print "result notice:Illegal operation!"; 
        exit(); 
    } 
} 
foreach($_GET as $key=>$value)
{ 
    StopAttack($key,$value,$getfilter); 
} 
foreach($_POST as $key=>$value)
{ 
    StopAttack($key,$value,$postfilter); 
} 
foreach($_COOKIE as $key=>$value)
{ 
    StopAttack($key,$value,$cookiefilter); 
} 

// Appends one line to log.htm next to the script. The log holds raw, unescaped
// user input and sits inside the web root; store it outside the document root
// and escape it before viewing it in a browser.
function slog($logs) 
{ 
    $toppath="log.htm"; 
    $Ts=fopen($toppath,"a+"); 
    fputs($Ts,$logs."\r\n"); 
    fclose($Ts); 
} 
?>

Analysis

Calling set_error_handler() bypasses PHP's standard error handling, so the script defines its own handler, which prints the error and then calls die().

Note that if an error occurs before set_error_handler() has run, the handler has not yet been registered and will not be used.

PHP's error handling mechanism therefore offers two hooks: set_error_handler() to take over error handling, and trigger_error() to raise an error deliberately.

set_error_handler() registers a user-defined error handler at run time: you write the handler function, then register it together with the error levels it should receive.

About usage:


function customError($errno, $errstr, $errfile, $errline)
{
  echo "<b>Error code:</b> [{$errno}] {$errstr}\r\n";
  echo "Line of code where the error occurred: {$errline} in file {$errfile}\r\n";
  echo "PHP version ", PHP_VERSION, " (", PHP_OS, ")\r\n";
  // die();
}
set_error_handler("customError", E_ALL | E_STRICT);

In this function, you can do anything you want, including formatting the output of the error details to the log file.


function slog($logs) 
{ 
    $toppath="log.htm"; 
    $Ts=fopen($toppath,"a+"); 
    fputs($Ts,$logs."\r\n"); 
    fclose($Ts); 
}

The custom error handler must accept the four parameters $errno, $errstr, $errfile and $errline.

$errno is one of a set of constants representing the error level; each constant also has an integer value, but the constant name is generally used because it reads better. For example, E_WARNING, whose bit mask is 4, indicates a warning message.

Next, pass this function by name as the callback argument to set_error_handler(); this takes over PHP's native error handling. Note that the takeover does not cover every kind of error: E_ERROR, E_PARSE, E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_ERROR, E_COMPILE_WARNING and part of E_STRICT cannot be handled by a user handler. Those errors are displayed in their original form, or not at all, regardless of the handler.

The StopAttack() function matches each GET, POST and COOKIE value against the corresponding regular expression and, on a match, writes the request details to the log file through slog() and terminates the request.


// Further patterns for common attack signatures, intended for the same
// preg_match() call. The leading and trailing (\s|\S)* groups match anything,
// so each pattern effectively tests whether the inner signature occurs anywhere
// in the value; on long non-matching input they also backtrack heavily.
$Exec_Commond  = "(\\s|\\S)*(exec(\\s|\\+)+(s|x)p\\w+)(\\s|\\S)*";
$Simple_XSS = "(\\s|\\S)*((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)(\\s|\\S)*";
$Eval_XSS  = "(\\s|\\S)*((%65)|e)(\\s)*((%76)|v)(\\s)*((%61)|a)(\\s)*((%6C)|l)(\\s|\\S)*";
$Image_XSS  = "(\\s|\\S)*((%3C)|<)((%69)|i|I|(%49))((%6D)|m|M|(%4D))((%67)|g|G|(%47))[^\\n]+((%3E)|>)(\\s|\\S)*" ;
$Script_XSS = "(\\s|\\S)*((%73)|s)(\\s)*((%63)|c)(\\s)*((%72)|r)(\\s)*((%69)|i)(\\s)*((%70)|p)(\\s)*((%74)|t)(\\s|\\S)*";
// Note: this pattern contains an unescaped "/" in (/) and (%2F)|(/), so it
// cannot be used with the "/" delimiter that StopAttack() builds; use another
// delimiter such as "~". It also rejects any value containing "=", "/" or an
// apostrophe, which includes many legitimate inputs.
$SQL_Injection = "(\\s|\\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))+(\\s|\\S)*";
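To see how broad these blacklist patterns are, here is an added example (not from the original article) that runs the article's $postfilter and $SQL_Injection patterns against a few constructed inputs, and then shows the control that actually prevents injection: a PDO prepared statement. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example (not from the article): run the article's $postfilter and
// $SQL_Injection pattern against constructed inputs, then show the control
// that actually stops injection: a prepared statement. Uses an in-memory
// SQLite database so it runs stand-alone (assumption: pdo_sqlite is enabled).
$postfilter   = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$sqlInjection = "(\\s|\\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))+(\\s|\\S)*";

// Same flags as StopAttack(), but with "~" as delimiter because $sqlInjection
// contains an unescaped "/". A PCRE failure (e.g. backtrack limit hit on a long
// input) makes preg_match() return false; treat that as an error instead of
// silently letting the value through, which is what a bare "== 1" test does.
function matchesFilter(string $pattern, string $value): bool
{
    $r = preg_match("~" . $pattern . "~is", $value);
    if ($r === false) {
        throw new RuntimeException("PCRE error: " . preg_last_error_msg());
    }
    return $r === 1;
}

// Constructed values an ordinary user might submit in a form.
$samples = [
    "rock and roll in 1955",         // and ... in   -> $postfilter
    "Select an item from the menu",  // SELECT..FROM -> $postfilter
    "O'Brien",                       // apostrophe   -> $sqlInjection
    "a/b = c",                       // "/" and "="  -> $sqlInjection
    "hello world",                   // passes both
];
foreach ($samples as $s) {
    printf("%-30s postfilter=%d sqlInjection=%d\n", $s,
        matchesFilter($postfilter, $s), matchesFilter($sqlInjection, $s));
}

// Bind input as a parameter instead of interpolating it into the SQL text.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO users (username) VALUES ('O''Brien')");
// The blacklist would have rejected O'Brien; with a bound parameter the value
// never becomes part of the SQL syntax, so the quote is handled correctly.
var_dump(findUser($db, "O'Brien"));
```

The first loop flags four of the five harmless samples, which is why a regex blacklist belongs in logging and monitoring, with parameterised queries as the actual control.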

When PHP encounters an error, it reports the location of the script, the line number and the reason for the error, which many consider no big deal. But revealing the real filesystem path has serious consequences: for an intruder this information is very valuable, and in fact many servers today have this problem. Some administrators simply set display_errors to Off in the PHP configuration file, but that approach is too passive. Sometimes we do need PHP to return an error message for debugging, and on an error the user may also need an explanation, or even to be navigated to another page. With set_error_handler(), these conflicting needs can be reconciled.
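An added example (not from the article) of the compromise described above: the handler writes the full detail, including the real path and line, to a server-side log, while the user sees only a generic message. The log location is an assumption; in production choose a path outside the web root.

```php
<?php
// Added example (not from the article): an error handler that keeps the
// script path and line out of the HTTP response. Details go to a log file;
// the log location is an assumption, use one outside the web root.
define('APP_ERROR_LOG', sys_get_temp_dir() . '/app-php-errors.log');

function safeErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Full detail, including the real path, is written server-side only.
    $detail = sprintf("[%s] errno=%d %s in %s:%d", date('Y-m-d H:i:s'),
        $errno, $errstr, $errfile, $errline);
    error_log($detail . PHP_EOL, 3, APP_ERROR_LOG);

    if ($errno & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        // Stop like the article's die(), but with a generic message plus a
        // short reference an operator can grep for in the log.
        $ref = substr(hash('sha256', $detail), 0, 8);
        http_response_code(500);
        echo "An internal error occurred (reference $ref).\n";
        exit(1);
    }
    // Warnings and notices: logged, nothing shown. Returning true stops
    // PHP's default reporter from printing the path as well.
    return true;
}

set_error_handler('safeErrorHandler', E_ALL);
// Fatal levels (E_ERROR, E_PARSE, ...) never reach the handler, so keep
// display_errors off so those are not shown to users either.
ini_set('display_errors', '0');

// Constructed demonstration: a warning is logged silently, an error stops.
trigger_error('config value missing, using default', E_USER_WARNING);
echo "Still running after the warning\n";
trigger_error('database unreachable', E_USER_ERROR);
echo "Never printed\n";
```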

