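<?php
/**
 * # Project: PHPDISK File Storage Solution
 * # This is NOT a freeware, use is subject to license terms.
 * #
 * # Site: http://www.phpdisk.com
 * #
 * # $Id: dosafe.php 64 2016-07-30 14:01:18Z along $
 * #
 * # Copyright (C) 2008-2016 PHPDisk Team. All Rights Reserved.
 */

/*
 * Request pre-filter ("dosafe"). Every GET, POST and COOKIE parameter (name
 * and value) plus the Referer header is matched against a blacklist of SQL /
 * script fragments before the application runs. A hit is appended to
 * system/defend_log.php and the request is terminated with a block page.
 *
 * This is a blacklist and only a first line of defence: it does not replace
 * parameterised queries and context-specific output escaping elsewhere.
 */

// The Referer header is scanned with the GET rules; when absent there is nothing to scan.
$referer = empty($_SERVER['HTTP_REFERER']) ? array() : array($_SERVER['HTTP_REFERER']);

/**
 * Error handler installed below: prints the error number, line and file to
 * the response and stops the script.
 *
 * NOTE: set_error_handler() cannot intercept E_ERROR (fatal errors), so with
 * the E_ERROR mask used below PHP never invokes this handler; it is kept as
 * is for compatibility. If the mask is ever widened, $errfile is a server
 * path and should be logged rather than echoed to the client.
 *
 * @param int    $errno   error level
 * @param string $errstr  error message (unused)
 * @param string $errfile file the error was raised in
 * @param int    $errline line the error was raised on
 * @return void never returns (die())
 */
function customError($errno, $errstr, $errfile, $errline)
{
    echo "<b>Error number:</b> [$errno],error on line $errline in $errfile<br />";
    die();
}
set_error_handler("customError", E_ERROR);

// Blacklist regex bodies; StopAttack() wraps them in /.../is (case-insensitive,
// dot matches newline). GET is the strictest: any single quote or any HTML-like
// tag is rejected outright. GET and POST also reject a leading "+/v8" / "+/v9"
// (UTF-7 BOM). All three reject boolean-style SQL fragments (and/or followed
// by = < > in like), SQL comments, <script, EXEC, UNION...SELECT, UPDATE...SET,
// INSERT INTO...VALUES, SELECT/DELETE...FROM and CREATE/ALTER/DROP/TRUNCATE
// TABLE|DATABASE. COOKIE has no UTF-7 check and no quote/tag rule.
$getfilter    = "'|<[^>]*?>|^\\+\/v(8|9)|\\b(and|or)\\b.+?(>|<|=|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$postfilter   = "^\\+\/v(8|9)|\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";

/**
 * Reject the request when the parameter name or its (flattened) value matches
 * the given blacklist pattern.
 *
 * @param string       $StrFiltKey   parameter name; scanned as well as the value
 * @param string|array $StrFiltValue parameter value; nested arrays are flattened
 *                                   into one string by arr_foreach() before matching
 * @param string       $ArrFiltReq   regex body, wrapped in /.../is here
 * @return void returns normally only when nothing matched; on a match the
 *              incident is logged, a block page is printed and the script exits
 */
function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq)
{
    $StrFiltValue = arr_foreach($StrFiltValue);
    $pattern = "/" . $ArrFiltReq . "/is";

    // preg_match() returns false on a PCRE error (e.g. backtrack limit); as in
    // the original, that is treated as "no match" (fail-open). If such errors
    // are ever seen in practice, check preg_last_error() here and decide
    // explicitly whether to fail closed.
    $valueHit = preg_match($pattern, $StrFiltValue) === 1;
    $keyHit   = preg_match($pattern, $StrFiltKey) === 1;

    if ($valueHit || $keyHit) {
        dosafe_reject($StrFiltKey, $StrFiltValue);
    }
}

/**
 * Log a blocked request to system/defend_log.php, print the block page and
 * terminate. Shared by the key and value checks in StopAttack().
 *
 * @param string $key   offending parameter name
 * @param string $value offending (flattened) parameter value
 * @return void never returns (exit())
 */
function dosafe_reject($key, $value)
{
    $entry = "操作IP: " . $_SERVER["REMOTE_ADDR"]
        . "\t操作时间: " . date('Y-m-d H:i:s')
        . "\t操作页面:" . $_SERVER["PHP_SELF"]
        . "\t提交方式: " . $_SERVER["REQUEST_METHOD"]
        . "\t提交参数: " . $key
        . "\t提交数据: " . $value . LF;

    // The entry is attacker-controlled text (PHP_SELF, key and value) and the
    // log file has a .php extension under PHPDISK_ROOT. write_file() is a
    // project helper outside this file; unless it (or the web server) prevents
    // the log from being executed, PHP open/close tags in logged data would be
    // a code-injection path. Neutralise the tags in the log line regardless.
    $entry = str_replace(array('<?', '?>'), array('&lt;?', '?&gt;'), $entry);
    write_file(PHPDISK_ROOT . 'system/defend_log.php', $entry, 'ab+');

    print "<div style=\"position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;\"><br>您的提交带有不合法参数!<br><br></div>";
    exit();
}

// Scan every inbound parameter; the Referer is checked with the GET rules.
foreach ($_GET as $key => $value) {
    StopAttack($key, $value, $getfilter);
}
foreach ($_POST as $key => $value) {
    StopAttack($key, $value, $postfilter);
}
foreach ($_COOKIE as $key => $value) {
    StopAttack($key, $value, $cookiefilter);
}
foreach ($referer as $key => $value) {
    StopAttack($key, $value, $getfilter);
}

/**
 * Flatten a (possibly nested) request value into one string so it can be
 * matched as a whole. Scalars are returned unchanged.
 *
 * The previous version collected leaves in a `static` accumulator, so every
 * call returned the leaves of all earlier calls as well (and an empty array
 * produced implode(null)). Each call now flattens only its own argument.
 *
 * @param mixed $arr scalar or (nested) array of scalars
 * @return mixed the scalar itself, or the concatenation of all leaf values
 */
function arr_foreach($arr)
{
    if (!is_array($arr)) {
        return $arr;
    }
    $leaves = array();
    foreach ($arr as $val) {
        // Nested arrays come back already flattened; leaves come back as-is.
        $leaves[] = arr_foreach($val);
    }
    return implode('', $leaves);
}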