I have this PHP code for a WordPress plugin. How can I prevent malicious code injection through the user agent? I added
if (preg_match('/script/',$agent)) {
$agent = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $agent);
only to block malicious JavaScript, but it is not enough against other attacks. Someone suggested that I encode the HTML entities when displaying the value, but I don't know how. Can someone help me?
<?php
class Browser{
    public $Name = "Unknown";
    public $Version = "";
    public $Platform = "Unknown";
    public $Pver = "";
    public $Agent = "Not reported";
    public $AOL = false;
    public $Image = "";
    public $Architecture = "";
    // declared up front so the assignments at the end of the constructor do not create dynamic properties
    public $BrowserImage = "";
    public $PlatformImage = "";

    // __construct instead of the PHP 4-style Browser() constructor (deprecated in PHP 7, removed in PHP 8)
    public function __construct($agent){
        // initialize properties; every $bd key read at the bottom gets a default here
        $bd['platform'] = "Unknown";
        $bd['pver'] = "";
        $bd['browser'] = "Unknown";
        $bd['version'] = "";
        $bd['aol'] = false;
        $bd['architecture'] = "";
        $this->Agent = $agent;
        // echo $agent;
        // fl3r: guard against code injected through the user agent
        if (preg_match('/script/',$agent)) {
            $agent = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $agent);
            $bd['platform'] = "Defended";
            $bd['browser'] = "Defended";
            $agent = 'Defended';
        }
        // fl3r: operating systems
        // stripos() returns the match offset, so compare with !== false: a match at offset 0 is falsy
        if (stripos($agent,'win') !== false)
        {
            $bd['platform'] = "Windows";
            $val = ''; // default when none of the version strings below matches
            if(stripos($agent,'Windows 3.1') !== false)
                $val = '3.1';
            elseif(stripos($agent,'Win16') !== false)
                $val = '3.11';
            elseif(stripos($agent,'Windows 95') !== false)
                $val = '95';
            elseif(stripos($agent,'Win95') !== false)
                $val = '95';
            elseif(stripos($agent,'Windows_95') !== false)
                $val = '95';
            elseif(stripos($agent,'Windows 98') !== false)
                $val = '98';
            elseif(stripos($agent,'Win98') !== false)
                $val = '98';
            elseif(stripos($agent,'Windows ME') !== false)
                $val = 'ME';
            elseif(stripos($agent,'Windows NT 4.0') !== false)
                $val = 'NT';
            elseif(stripos($agent,'WinNT4.0') !== false)
                $val = 'NT';
            elseif(stripos($agent,'WinNT') !== false)
                $val = 'NT';
            //elseif(stripos($agent,'Windows NT') !== false)
            //    $val = 'NT';
            elseif(stripos($agent,'Windows 2000') !== false)
                $val = '2000';
            elseif(stripos($agent,'Windows NT 5.1') !== false)
                $val = 'XP';
            elseif(stripos($agent,'Windows XP') !== false)
                $val = 'XP';
            elseif(stripos($agent,'Windows NT 5.2') !== false)
                $val = 'Server 2003';
            elseif(stripos($agent,'NT 5.2') !== false)
                $val = 'Server 2003';
            elseif(stripos($agent,'Windows NT 6.0') !== false)
                $val = 'Vista';
            elseif(stripos($agent,'Windows NT 6.1') !== false)
                $val = '7';
            elseif(stripos($agent,'Windows NT 6.2') !== false)
                $val = '8';
            elseif(stripos($agent,'Windows NT 6.3') !== false)
                $val = '8.1';
            elseif(stripos($agent,'Windows NT 6.4') !== false)
                $val = '10';
            // the more specific 'Windows CE 5.1' test must come before the plain 'Windows CE' test
            elseif(stripos($agent,'Windows CE 5.1') !== false)
                $val = 'CE';
            elseif(stripos($agent,'Windows CE') !== false)
                $val = 'CE';
            elseif(stripos($agent,'WCE') !== false)
                $val = 'Mobile';
            elseif(stripos($agent,'Windows Mobile') !== false)
                $val = 'Mobile';
            elseif(stripos($agent,'Windows Phone') !== false)
                $val = 'Phone';
            $bd['pver'] = $val;
        }
        // ios (os and browser)
        elseif(preg_match('/iPad/i', $agent)){
            $bd['browser']= 'Safari';
            $bd['platform']="iPad";
            if(preg_match('/CPU\ OS\ ([._0-9a-zA-Z]+)/i', $agent, $regmatch))
                $bd['pver']=" iOS ".str_replace("_", ".", $regmatch[1]);
        }elseif(preg_match('/iPod/i', $agent)){
            $bd['browser']= 'Safari';
            $bd['platform']="iPod";
            if(preg_match('/iPhone\ OS\ ([._0-9a-zA-Z]+)/i', $agent, $regmatch))
                $bd['pver']=" iOS ".str_replace("_", ".", $regmatch[1]);
        }elseif(preg_match('/iPhone/i', $agent)){
            $bd['browser']= 'Safari';
            $bd['platform']="iPhone";
            if(preg_match('/iPhone\ OS\ ([._0-9a-zA-Z]+)/i', $agent, $regmatch))
                $bd['pver']=" iOS ".str_replace("_", ".", $regmatch[1]);
        }
        // other code goes here
        //////////////////////////////////////////////////////////////////////////////
        // x86/x64 architecture
        if(stripos($agent,'x86_64') !== false) {
            $bd['architecture'] = "x86_64";
        }
        // fl3r: assign the various properties
        $this->Name = $bd['browser'];
        $this->Version = $bd['version'];
        $this->Platform = $bd['platform'];
        $this->Pver = $bd['pver'];
        $this->AOL = $bd['aol'];
        $this->Architecture = $bd['architecture'];
        // fl3r: assign browser images
        $this->BrowserImage = strtolower($this->Name);
        if($this->BrowserImage == "msie")
            $this->BrowserImage .= '-'.$this->Version;
        // snoopy
        elseif(stripos($this->BrowserImage, "snoopy") === 0)
            $this->BrowserImage = 'other';
        // fl3r: assign os images
        $this->PlatformImage = strtolower($this->Platform);
        if($this->PlatformImage == "linux mint")
            $this->PlatformImage = "linux-mint";
        if($this->PlatformImage == "fedora ")
            $this->PlatformImage = "fedora";
        if($this->PlatformImage == "windows")
            $this->PlatformImage .= '-'.strtolower($this->Pver);
    }
}
?>
Answer 0 (score: 1)
Exactly the same way you should already be preventing injection for every other value. The fact that it is specifically the user agent string is irrelevant. When writing it into an HTML page, pass it through htmlspecialchars: echo htmlspecialchars($user_agent);
When using it as part of a database query, use prepared statements or whatever escaping function your database API provides.
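The answer's two rules applied to a User-Agent value, as an added example that is not part of the question or the answer above. It uses plain PHP with PDO and an in-memory SQLite database so it runs stand-alone; the table name, the helper names and the sample header strings are all constructed for the example. The question's own `/script/` check is kept only to show which of the samples it does and does not catch.

```php
<?php
// Added example, not code from the original post. Shows the answer's advice:
// encode at the HTML output boundary, bind as a parameter at the SQL boundary,
// and store the raw header untouched in between.

declare(strict_types=1);

/** Encode a raw header value for use as an HTML text node or quoted attribute. */
function ua_for_html(string $agent): string
{
    // ENT_QUOTES escapes ' as well as ", so the result is safe inside value="..."
    // and value='...'. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($agent, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Store the raw value through a bound parameter; the driver keeps it as data, not SQL. */
function store_ua(PDO $db, string $agent): void
{
    $stmt = $db->prepare('INSERT INTO visits (agent) VALUES (:agent)');
    $stmt->execute([':agent' => $agent]);
}

/** Read every stored value back, already encoded for display. */
function list_uas_for_html(PDO $db): array
{
    $rows = $db->query('SELECT agent FROM visits ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
    return array_map('ua_for_html', $rows);
}

/** The question's blacklist: fires only on the literal substring "script". */
function question_blacklist_fires(string $agent): bool
{
    return preg_match('/script/', $agent) === 1;
}

// Constructed sample headers (assumption: what a log viewer might receive):
// a normal browser, a <script> tag the blacklist catches, an event-handler
// payload with no "script" substring, and a quote aimed at the SQL layer.
$samples = [
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    "Mozilla/5.0'); DROP TABLE visits; --",
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, agent TEXT NOT NULL)');

foreach ($samples as $ua) {
    store_ua($db, $ua); // raw value goes in; nothing is stripped or pre-escaped
    printf("blacklist caught: %-3s  stored raw: %s\n",
        question_blacklist_fires($ua) ? 'yes' : 'no', $ua);
}

echo "\nEncoded for output (safe inside <td>...</td> or an attribute value):\n";
foreach (list_uas_for_html($db) as $html) {
    echo $html, "\n";
}

// The visits table still exists after the fourth sample: the quote was data for
// the bound parameter, not part of the statement.
$count = (int) $db->query('SELECT COUNT(*) FROM visits')->fetchColumn();
echo "\nrows stored: {$count}\n";
```

The point of encoding at output rather than at input is that the same stored header may later be rendered in several contexts (an HTML table cell, an attribute, a JSON response, a log file) and each needs its own encoding; `htmlspecialchars` with `ENT_QUOTES` is the right one for HTML text and attributes only. In a WordPress plugin the equivalents are `esc_html()` / `esc_attr()` for output and `$wpdb->prepare()` or `$wpdb->insert()` for storage, with the raw header read from `$_SERVER['HTTP_USER_AGENT']` and stored as-is.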