8.20 Website security
A few days ago, because the SMS interface was not protected, it was attacked by idle people who kept calling the interface to send text messages. This rang an alarm bell for us: we need to pay attention to website security.
1. Sign/encrypt important interfaces (the hash is generated from the captcha)
2. Limit by IP, phone number and similar data
function getMobileCount($mobile, $time = 1) {
    // $time == 1 means "since the start of today"
    if ($time == 1) {
        $time = strtotime(date("Y-m-d"));
    }
    // Use ThinkPHP's where() array instead of interpolating $mobile into raw SQL,
    // so the counter used for rate limiting cannot itself be injected.
    return (int) M("table_log")->where(array(
        'mobile'     => $mobile,
        'created_at' => array('gt', $time),
    ))->count();
}

function getMobileCountByIP($ip) {
    // Sends from this IP since the start of today
    $time = strtotime(date("Y-m-d"));
    return (int) M("table_log")->where(array(
        'ip'         => $ip,
        'created_at' => array('gt', $time),
    ))->count();
}
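Point 2 above, as an added example that is not from the original post: a daily per-phone and per-IP cap for an SMS endpoint, built on bound parameters so the counting query itself cannot be injected. It assumes PHP with PDO and the SQLite driver; the table_log columns follow the post, while the limits (5 and 20), the number format check, the sample phone number and the IP are constructed.

```php
<?php
// Added example, not code from the original post: daily per-phone and per-IP
// caps for an SMS endpoint, with bound parameters so the counting query itself
// cannot be injected. Assumes PDO with the SQLite driver; the limits are made up.
function openLog(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE table_log (mobile TEXT, ip TEXT, created_at INTEGER)');
    return $db;
}
// Count log rows for one column value since $since (unix time).
function countSince(PDO $db, string $column, string $value, int $since): int {
    // The column name is chosen by our code, never taken from the request.
    if (!in_array($column, ['mobile', 'ip'], true)) {
        throw new InvalidArgumentException('unknown column');
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM table_log WHERE $column = ? AND created_at >= ?");
    $stmt->execute([$value, $since]);
    return (int) $stmt->fetchColumn();
}
// Returns true and records the send when neither daily cap has been reached.
function mayReceiveSms(PDO $db, string $mobile, string $ip, int $now,
                       int $perMobile = 5, int $perIp = 20): bool {
    // Assumed format check: 11-digit mainland mobile number starting with 1.
    if (!preg_match('/^1\d{10}$/', $mobile)) {
        return false;
    }
    $since = strtotime('today', $now);
    if (countSince($db, 'mobile', $mobile, $since) >= $perMobile) {
        return false;
    }
    if (countSince($db, 'ip', $ip, $since) >= $perIp) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO table_log (mobile, ip, created_at) VALUES (?, ?, ?)');
    $stmt->execute([$mobile, $ip, $now]);
    return true;
}
// Constructed demo: seven requests from one number in a day, only five pass;
// a quoted value is rejected by the format check before any query runs.
$db = openLog();
$now = time();
$allowed = 0;
for ($i = 0; $i < 7; $i++) {
    $allowed += mayReceiveSms($db, '13800138000', '203.0.113.5', $now) ? 1 : 0;
}
echo "allowed today: $allowed\n";
echo mayReceiveSms($db, "1' OR '1'='1", '203.0.113.5', $now) ? "sent\n" : "refused\n";
```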
3. Filter GET and POST data, removing input that could cause SQL injection or cross-site requests (360safe's method works). Note that a regex blacklist like this only catches known patterns, so it supplements parameterized queries and output encoding rather than replacing them.
$getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";

// Run every request parameter through the blacklist for its source.
foreach ($_GET as $key => $value) {
    StopAttack($key, $value, $getfilter);
}
foreach ($_POST as $key => $value) {
    StopAttack($key, $value, $postfilter);
}
foreach ($_COOKIE as $key => $value) {
    StopAttack($key, $value, $cookiefilter);
}

/*
 * 360 security protection, anti-SQL-injection
 */
function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq) {
    // Array parameters are flattened to one string before matching.
    if (is_array($StrFiltValue)) {
        $StrFiltValue = implode($StrFiltValue);
    }
    // Case-insensitive, dot-matches-newline match against the blacklist.
    if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1) {
        print "notice:Illegal operation!";
        exit();
    }
}
4. Page-to-page flow: if a page is reached by skipping the pages before it, that should be restricted, and its parameters should be checked against the expected conditions.