<?php
/**
 * Blacklist check for a SQL string before it is sent to MySQL.
 * Single-quoted string literals are first replaced by the placeholder $s$ so
 * that keywords inside legitimate quoted data do not trigger the check; the
 * remaining SQL text is then scanned for UNION, comment markers, timing and
 * file functions, and subqueries. On detection the request is logged and the
 * script terminates; otherwise the original string is returned unchanged.
 */
function check_sql($db_string, $querytype = 'select')
{
    $clean   = '';
    $error   = '';
    $fail    = false;
    $old_pos = 0;
    $pos     = -1;
    $userIP  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $getUrl  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    // Log file path derived from the document root; every logged line starts with
    // "<?php die()?>" so that nothing runs if the file is ever served as PHP.
    $log_file = $_SERVER['DOCUMENT_ROOT'] . md5($_SERVER['DOCUMENT_ROOT']) . ".php";

    // For an ordinary query, first reject some special syntax outright
    if ($querytype == 'select') // filter SELECT statements
    {
        // eregi() was removed in PHP 7; same case-insensitive pattern as PCRE
        $notallow1 = "/[^0-9a-z@\._-](union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]/i";
        //$notallow2 = "/--|\/\*/";
        if (preg_match($notallow1, $db_string))
        {
            file_put_contents($log_file, "<?php die()?>||$userIP||$getUrl||$db_string||SelectBreak\r\n", FILE_APPEND);
            exit("<font size='5' color='red'>Safe Alert: Request Error step 1 !</font>");
        }
    }

    // Replace every single-quoted literal with $s$, honouring backslash escapes,
    // so the checks below only see the SQL structure, not the quoted data
    while (true)
    {
        $pos = strpos($db_string, '\'', $pos + 1);
        if ($pos === false)
            break;
        $clean .= substr($db_string, $old_pos, $pos - $old_pos);
        while (true)
        {
            $pos1 = strpos($db_string, '\'', $pos + 1);
            $pos2 = strpos($db_string, '\\', $pos + 1);
            if ($pos1 === false)
                break;
            elseif ($pos2 === false || $pos2 > $pos1)
            {
                $pos = $pos1;   // closing quote comes before any escape
                break;
            }
            $pos = $pos2 + 1;   // skip the escaped character and keep scanning
        }
        $clean .= '$s$';
        $old_pos = $pos + 1;
    }
    $clean .= substr($db_string, $old_pos);
    // Collapse whitespace and lower-case so the keyword checks are case-insensitive
    $clean = trim(strtolower(preg_replace(array('~\s+~s'), array(' '), $clean)));

    // Old MySQL versions did not support UNION and common applications do not use it,
    // but attackers do, so check for it
    if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^a-z])~s', $clean) != 0) {
        $fail  = true;
        $error = "union detect";
    }
    // Released applications rarely contain comments such as -- or #, but attackers use them often
    elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, '#') !== false) {
        $fail  = true;
        $error = "comment detect";
    }
    // These functions are not used by the application, but attackers use them to
    // read or write files or to bring the database down
    elseif (strpos($clean, 'sleep') !== false && preg_match('~(^|[^a-z])sleep($|[^a-z])~s', $clean) != 0) {
        $fail  = true;
        $error = "slow down detect";
    }
    elseif (strpos($clean, 'benchmark') !== false && preg_match('~(^|[^a-z])benchmark($|[^a-z])~s', $clean) != 0) {
        $fail  = true;
        $error = "slow down detect";
    }
    elseif (strpos($clean, 'load_file') !== false && preg_match('~(^|[^a-z])load_file($|[^a-z])~s', $clean) != 0) {
        $fail  = true;
        $error = "file fun detect";
    }
    elseif (strpos($clean, 'into outfile') !== false && preg_match('~(^|[^a-z])into\s+outfile($|[^a-z])~s', $clean) != 0) {
        $fail  = true;
        $error = "file fun detect";
    }
    // Old MySQL versions did not support subqueries and our application probably
    // seldom uses them, but attackers can use them to read sensitive data
    elseif (preg_match('~\([^)]*?select~s', $clean) != 0) {
        $fail  = true;
        $error = "sub select detect";
    }

    if ($fail)
    {
        file_put_contents($log_file, "<?php die()?>||$db_string||$error\r\n", FILE_APPEND);
        die("Hacking Detect<br><a href=></a>");
    }
    else {
        return $db_string;
    }
}

/*
$sql = "select * from news where id='" . $_GET['id'] . "'"; // The application's SQL; user data enters it, so it may be open to SQL injection
check_sql($sql); // check the SQL statement with our function
mysql_query($sql); // execute against the database
*/

Hope this helps!
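As an added example that is not part of the original answer: the news lookup from the commented-out usage above, rewritten so that the user-supplied id is bound as a parameter and only the fixed SQL text goes through check_sql(). It assumes check_sql() from the answer is defined in the same file; the DSN, credentials and the news table are placeholders.

```php
<?php
// Added example, not from the original answer. Assumes check_sql() from the
// answer above is defined in this file; DSN, credentials and the news table
// are placeholders.
declare(strict_types=1);

function fetch_news(PDO $db, string $raw_id): ?array
{
    // Validate the type first: the id column is numeric, so anything that is
    // not a short run of digits is rejected before any SQL is built.
    if (!ctype_digit($raw_id) || strlen($raw_id) > 10) {
        return null;
    }
    $id = (int) $raw_id;

    // Only the fixed SQL text goes through the blacklist; the user value is
    // bound separately, so quotes, comment markers or UNION inside it cannot
    // change the structure of the statement. check_sql() returns the string
    // unchanged when nothing is detected.
    $sql  = check_sql('SELECT * FROM news WHERE id = :id');
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Native prepares (no client-side emulation) so the server does the binding.
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
    'app_user',                                         // placeholder user
    'change-me',                                        // placeholder password
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

$news = fetch_news($db, $_GET['id'] ?? '');
```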
if($_GET[out]) runs when the out parameter submitted via GET is not empty. if($_POST['id']=='admin') is presumably a form whose submit button is named id with the value admin.
<a></a> is a link; here it is the one that logs the user out.
Feel free to share; when reposting, please credit the source: 优选云