Yii框架防止sql注入，xss攻击与csrf攻击的方法

本文实例讲述了Yii框架防止sql注入，xss攻击与csrf攻击的方法。分享给大家供大家参考，具体如下：

PHP中常用到的方法有：

									/* 防sql注入,xss攻击 (1)*/

									function actionClean($str)

									{

									    $str=trim($str);

									    $str=strip_tags($str);

									    $str=stripslashes($str);

									    $str=addslashes($str);

									    $str=rawurldecode($str);

									    $str=quotemeta($str);

									    $str=htmlspecialchars($str);

									    //去除特殊字符

									    $str=preg_replace("/\/|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\+|\{|\}|\:|\<|\>|\?|\[|\]|\,|\.|\/|\;|\'|\`|\-|\=|\\\|\|/", "" , $str);

									    $str=preg_replace("/\s/", "", $str);//去除空格、换行符、制表符

									    return $str;

									}

									//防止sql注入。xss攻击(1)

									public function actionFilterArr($arr)

									{

									    if(is_array($arr)){

									      foreach($arr as $k => $v){

									        $arr[$k] = $this->actionFilterWords($v);

									      }

									    }else{

									      $arr = $this->actionFilterWords($arr);

									    }

									    return $arr;

									}

									//防止xss攻击

									public function actionFilterWords($str)

									{

									    $farr = array(

									      "/<(\\/?)(script|i?frame|style|html|body|title|link|meta|object|\\?|\\%)([^>]*?)>/isU",

									      "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU",

									      "/select|insert|update|delete|drop|\'|\/\*|\*|\+|\-|\"|\.\.\/|\.\/|union|into|load_file|outfile|dump/is"

									    );

									    $str = preg_replace($farr,'',$str);

									    return $str;

									}

									//防止sql注入,xss攻击(2)

									public function post_check($post) {

									   if(!get_magic_quotes_gpc()) {

									     foreach($post as $key=>$val){

									       $post[$key] = addslashes($val);

									     }

									    }

									   foreach($post as $key=>$val){

									    //把"_"过滤掉

									    $post[$key] = str_replace("_", "\_", $val);

									    //把"%"过滤掉

									    $post[$key] = str_replace("%", "\%", $val); //sql注入

									    $post[$key] = nl2br($val);

									    //转换html

									    $post[$key] = htmlspecialchars($val); //xss攻击

									   }

									   return $post;

									}

调用：

									//防止sql

									$post=$this->post_check($_POST);

									//var_dump($post);die;

									$u_name=trim($post['u_name']);

									$pwd=trim($post['pwd']);

									if(empty($u_name)||empty($pwd))

									{

									  exit('字段不能非空');

									}

									$u_name=$this->actionFilterArr($u_name);

									$pwd=$this->actionFilterArr($pwd);

									//防止sql注入，xss攻击

									$u_name=$this->actionClean(Yii::$app->request->post('u_name'));

									$pwd=$this->actionClean(Yii::$app->request->post('pwd'));

									$email=$this->actionClean(Yii::$app->request->post('email'));

									//防止csrf攻击

									$session=Yii::$app->session;

									$csrf_token=md5(uniqid(rand(),TRUE));

									$session->set('token',$csrf_token);

									$session->set('token',time());

									//接收数据

									if($_POST)

									{

									  if(empty($session->get('token')) && $session->get('token')!=Yii::$app->request->post('token') && (time()-$session->get('token_time'))>30){

									    exit('csrf攻击');

									  }

									  //防止sql

									  .....