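/**
 * Screen request parameters against a case-insensitive deny-list of SQL / XSS
 * fragments and reject the request when any value contains one.
 *
 * @param mixed $data Decoded parameter array, a JSON document (string), or a
 *                    single scalar. A string that is not valid JSON is screened
 *                    as one value instead of being silently skipped.
 *
 * @throws \yii\web\HttpException 401 when a value contains a listed fragment.
 *
 * Caveat: this is a coarse deny-list. It also rejects legitimate input
 * (e-mail addresses contain '@' and '.', plain prose contains 'and'), and it is
 * not a substitute for prepared statements and context-specific output
 * escaping. Array keys are not screened, only values.
 */
public static function checkSQLParam($data): void
{
    // Fragments are matched as substrings; stripos() is already
    // case-insensitive, so the list may mix cases freely.
    static $arrSensetive = [
        "'", ';', '<>', 'delete',
        'update ', 'modify ', 'drop ', 'truncate ', 'restore ', 'backup ', 'char', 'chr(0)',
        'declare ', 'procedure ', 'commit', 'exec ', 'jscript', 'javascript', 'vbscript', 'script', 'iframe',
        'extractvalue', 'sleep', '&', '*', 'prompt', 'sCrIpT', 'and', '`', '~', '!', '@', '#', '$', '%', '^',
        '(', ')', '+', '=', '|', '{', '}', ':', ';', '[', ']', '.', '<', '>', '?', '~', '!', '#', '¥', '%', '…',
        'TITLE', 'INPUT', 'div', 'style', 'confirm', 'prompt', 'oNmOuSeOvEr', 'oncopy', 'oncut', 'document',
        'svg', 'onload', 'onerror', 'object', 'onbeforeload', 'html', 'onMouseMove',
    ];

    if (!is_array($data)) {
        // Only strings can be JSON documents; anything that does not decode to
        // an array is wrapped so the raw value itself still gets screened.
        $decoded = is_string($data) ? json_decode($data, true) : null;
        $data = is_array($decoded) ? $decoded : ['value' => $data];
    }

    foreach ($data as $k => $v) {
        if ($v === null) {
            continue; // nothing to match against
        }

        // Normalise once per value rather than once per deny-list entry.
        // Invalid UTF-8 is substituted instead of making json_encode() return
        // false, so a nested value with bad bytes is still screened.
        if (is_array($v) || is_object($v)) {
            $haystack = (string) json_encode($v, JSON_PARTIAL_OUTPUT_ON_ERROR | JSON_INVALID_UTF8_SUBSTITUTE);
        } else {
            $haystack = (string) $v;
        }

        if ($haystack === '') {
            continue;
        }

        foreach ($arrSensetive as $w) {
            if (stripos($haystack, $w) !== false) {
                yii::pushlog('包含非法请求参数|' . json_encode($data));
                yii::pushlog('包含非法请求参数1|' . $haystack . '|' . $w);
                throw new \yii\web\HttpException(401, '包含非法请求参数');
            }
        }
    }
}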
预防SQL注入及XSS攻击