 Lid |
|
Hallo,
Ik heb in de loop van de tijd diverse beveiligingen aangebracht op mijn website. Het is een site die werkt met index.php?pagina=......
Om te ondervangen als men de URL wijzigt, gebruik ik:
// Veiligheids check
$paginatest = "(http:|ftp:|shttp: |https: |www.|.php|.cgi|.asp)";
if(eregi($paginatest, $pagina)) { $pagina = "main"; }
// Veiligheidscheck 2
$pagina_inc = $pagina . ".php";
if (!file_exists($pagina_inc)) { $pagina = "main"; }
// Veiligheids check $paginatest = "(http:|ftp:|shttp: |https: |www.|.php|.cgi|.asp)"; if(eregi($paginatest, $pagina)) { $pagina = "main"; } // Veiligheidscheck 2 $pagina_inc = $pagina . ".php";
Om Mysql injection te voorkomen, haal ik alles wat de DB ingaat door de volgende filter:
function filter($text){
//transformeert eerst de "goede" tags naar hun bb versie, zodat ze door het strip_tags filter niet aangetast worden.
$text = preg_replace("(<img src=\"(.+?)\" border=\"0\">)", "\[img\]$1\[/img\]", $text);
$text = preg_replace("(<b>(.+?)</b>)", "\[b\]$1\[/b\]", $text);
$text = preg_replace("(<u>(.+?)</u>)", "\[u\]$1\[/u\]", $text);
$text = preg_replace("(<i>(.+?)</i>)", "\[i\]$1\[/i\]", $text);
$text = preg_replace("(<strike>(.+?)</strike>)", "\[s\]$1\[/s\]", $text);
$text = preg_replace("(<div align=\"left\">(.+?)</div>)", "\[left\]$1\[/left\]", $text);
$text = preg_replace("(<div align=\"right\">(.+?)</div>)", "\[right\]$1\[/right\]", $text);
$text = preg_replace("(<center>(.+?)</center>)", "\[center\]$1\[/center\]", $text);
$text = eregi_replace("<font color=\"([^\\[]*)\">([^\\[]*)</font>","\\[color=\\1\\]\\2\\[/color\\]",$text);
$text = eregi_replace("<font size=\"([^\\[]*)\">([^\\[]*)</font>","\\[size=\\1\\]\\2\\[/size\\]",$text);
$text = eregi_replace("<a href=\"mailto:([^\\[]*)\">([^\\[]*)</a>","\\[email=\\1\\]\\2\\[/email\\]",$text);
$text = eregi_replace("<a href=\"([^\\[]*)\" target=\"_blank\">([^\\[]*)</a>","\\[url=\\1\\]\\2\\[/url\\]",$text);
$text = preg_replace("(<marquee>(.+?)</marquee>)","\[move\]$1\[/move\]", $text);
$text = strip_tags($text);
$text = htmlentities($text, ENT_QUOTES);
$text = addslashes($text);
return $text;
}
function filter($text){ //transformeert eerst de "goede" tags naar hun bb versie, zodat ze door het strip_tags filter niet aangetast worden. $text = preg_replace("(<img src=\"(.+?)\" border=\"0\">)", "\[img\]$1\[/img\]", $text); $text = preg_replace("(<b>(.+?)</b>)", "\[b\]$1\[/b\]", $text); $text = preg_replace("(<u>(.+?)</u>)", "\[u\]$1\[/u\]", $text); $text = preg_replace("(<i>(.+?)</i>)", "\[i\]$1\[/i\]", $text); $text = preg_replace("(<strike>(.+?)</strike>)", "\[s\]$1\[/s\]", $text); $text = preg_replace("(<div align=\"left\">(.+?)</div>)", "\[left\]$1\[/left\]", $text); $text = preg_replace("(<div align=\"right\">(.+?)</div>)", "\[right\]$1\[/right\]", $text); $text = preg_replace("(<center>(.+?)</center>)", "\[center\]$1\[/center\]", $text); $text = eregi_replace("<font color=\"([^\\[]*)\">([^\\[]*)</font>","\\[color=\\1\\]\\2\\[/color\\]",$text); $text = eregi_replace("<font size=\"([^\\[]*)\">([^\\[]*)</font>","\\[size=\\1\\]\\2\\[/size\\]",$text); $text = eregi_replace("<a href=\"mailto:([^\\[]*)\">([^\\[]*)</a>","\\[email=\\1\\]\\2\\[/email\\]",$text); $text = eregi_replace("<a href=\"([^\\[]*)\" target=\"_blank\">([^\\[]*)</a>","\\[url=\\1\\]\\2\\[/url\\]",$text); $text = preg_replace("(<marquee>(.+?)</marquee>)","\[move\]$1\[/move\]", $text); return $text; }
En ergens heb ik ooit iets opgepikt dat zou moeten helpen tegen cross site scripting:
// Metatags van $_POST en $_GET filteren i.v.m. cross site scripting
if(sizeof($_GET) > 1) {
foreach($_GET as $post => $waarde) {
$_GET[$post] = trim(strip_tags($waarde));
}
}
if(sizeof($_POST) > 1) {
foreach($_POST as $post => $waarde) {
$_POST[$post] = trim(strip_tags($waarde));
}
}
if(sizeof($_SESSION) > 1) {
foreach($_SESSION as $post => $waarde) {
$_SESSION[$post] = trim(strip_tags($waarde));
}
}
// Metatags van $_POST en $_GET filteren i.v.m. cross site scripting foreach($_GET as $post => $waarde) { } } foreach($_POST as $post => $waarde) { } } foreach($_SESSION as $post => $waarde) { } }
Graag zou ik eens de mening van jullie als experts hebben of ik hiermee mijn site veilig heb.
Tips wat beter kan welkom.
Alvast bedankt
|
Wat is jouw favoriete javascript framework? (S: 18, R: 2)
Gesponsorde links
Actiefste leden van de maand
