A PHP web application firewall that blocks common SQL injection and XSS payloads by matching request parameters against a list of regular-expression rules. It runs inside the application itself, so it needs no web-server module or other server-side support. Treat it as defence in depth: a pattern blocklist complements, but does not replace, parameterised queries and output encoding.

Installation

composer require xielei/waf

Usage

Create the firewall and call run() at the top of your entry script (before any output). The current request is checked against the built-in rules, and a request that matches any rule is blocked.

$waf = new \Xielei\Waf\Waf();
$waf->run(); // checks the request against the default rules and blocks it on a match

Custom blocking rules

Each rule is a PCRE pattern fragment written without delimiters; a request that matches any rule is blocked. The rules below are deliberately broad. In particular `\s*or\s+.*=.*` and `\s*and\s+.*=.*` fire on ordinary text such as "salt and pepper=1", so test your rule set against real traffic before enabling it, and keep parameterised queries and output encoding in place regardless.

$rules = [
    '\.\.\/',                                    // block "../" path traversal in parameters
    '\<\?',                                      // block embedded PHP open tags
    '\s*or\s+.*=.*',                             // match "or 1=1" style SQL injection
    'select([\s\S]*?)(from|limit)',              // SQL injection
    '(?:(union([\s\S]*?)select))',               // SQL injection (UNION SELECT)
    'having|updatexml|extractvalue',             // SQL injection (error-based)
    'sleep\((\s*)(\d*)(\s*)\)',                  // time-based blind SQL injection
    'benchmark\((.*)\,(.*)\)',                   // time-based blind SQL injection
    'base64_decode\(',                           // encoded injection variants
    '(?:from\W+information_schema\W)',           // SQL injection (schema enumeration)
    '(?:(?:current_)user|database|schema|connection_id)\s*\(', // SQL injection (MySQL information functions)
    '(?:etc\/\W*passwd)',                        // reading Linux account information
    'into(\s+)+(?:dump|out)file\s*',             // MySQL file export (INTO OUTFILE / DUMPFILE)
    'group\s+by.+\(',                            // SQL injection
    '(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(', // webshell-related functions
    '(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/', // dangerous URL schemes and stream wrappers
    '\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[', // PHP superglobals; adjust this to your needs
    '\<(iframe|script|body|img|layer|div|meta|style|base|object|input)', // XSS tag injection
    '(onmouseover|onerror|onload|onclick)\=',    // XSS event-handler injection
    '\|\|.*(?:ls|pwd|whoami|ll|ifconfig|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)', // shell command execution
    '\s*and\s+.*=.*',                            // match "and 1=1" style SQL injection
];
$waf = new \Xielei\Waf\Waf($rules);
$waf->run();

Custom blocking page

check() returns false when a rule matches. Call it instead of run() if you want to control the response yourself, for example to log the event or render your own error page.

$waf = new \Xielei\Waf\Waf();
if (!$waf->check()) {
    http_response_code(403); // send a real error status rather than 200
    echo 'Illegal request';  // never echo the offending input back to the client
    die;
}
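The harness below is an added example, not part of this README or of xielei/waf. It shows what applying a rule list like the one above to request input involves, and why a rule set needs testing before deployment: it flattens nested GET/POST/COOKIE arrays, reports which rule fired, demonstrates a benign query that is wrongly blocked by `\s*and\s+.*=.*`, and ends the request with a 403 instead of the bare echo/die above. The library's own matching code is not shown on this page, so the harness assumes (and says so in its comments) that rules are delimiter-less PCRE fragments OR-ed together and matched case-insensitively. `compile_rules`, `flatten`, `first_hit` and `deny` are names introduced here, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from xielei/waf. The library's matching logic is not shown
// on this page; this harness ASSUMES each rule is a delimiter-less PCRE fragment, that
// rules are OR-ed together, and that matching is case-insensitive (the mixed-case
// '\$_(GET|post|cookie|...)' rule only makes sense that way).

/** Join rule fragments into one case-insensitive PCRE. '#' occurs in none of the rules. */
function compile_rules(array $rules): string
{
    $alternatives = array_map(static fn(string $r): string => '(?:' . $r . ')', $rules);
    return '#' . implode('|', $alternatives) . '#i';
}

/** Flatten nested request arrays (e.g. filter[q]=...) into name => string pairs. */
function flatten(array $input, string $prefix = ''): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $out += flatten($value, $name);
        } else {
            $out[$name] = (string) $value;
        }
    }
    return $out;
}

/**
 * Return [parameter name, rule] for the first rule that matches any key or value,
 * or null when the request is clean. Keys are checked too; attackers control both.
 */
function first_hit(array $rules, array $request): ?array
{
    $combined = compile_rules($rules);
    foreach (flatten($request) as $name => $value) {
        foreach ([$name, $value] as $subject) {
            if (preg_match($combined, $subject) !== 1) {
                continue;                       // fast path: nothing in this subject
            }
            foreach ($rules as $rule) {         // slow path: find out which rule fired
                if (preg_match('#' . $rule . '#i', $subject) === 1) {
                    return [$name, $rule];
                }
            }
        }
    }
    return null;
}

/** Reject a request: real status code, server-side log, no echo of attacker input. */
function deny(string $parameter, string $rule): void
{
    error_log(sprintf('waf: blocked parameter "%s" by rule /%s/', $parameter, $rule));
    http_response_code(403);                    // must run before any output is sent
    header('Content-Type: text/plain; charset=utf-8');
    echo 'Illegal request';
    exit;
}

// A subset of the README's rules, kept short for the demonstration.
$rules = [
    '\s*or\s+.*=.*',
    '(?:(union([\s\S]*?)select))',
    '\<(iframe|script|body|img|layer|div|meta|style|base|object|input)',
    '\s*and\s+.*=.*',
];

// Constructed sample requests standing in for $_GET / $_POST / $_COOKIE.
$samples = [
    'sqli'   => ['id' => '1 UNION SELECT user,password FROM mysql.user'],
    'xss'    => ['comment' => '<script>alert(1)</script>'],
    'nested' => ['filter' => ['q' => "' or 1=1 -- "]],
    // Benign text that still trips the "and ... =" rule: a false positive.
    'benign' => ['q' => 'washer and dryer size=large'],
];

foreach ($samples as $label => $request) {
    $hit = first_hit($rules, $request);
    printf("%-7s %s\n", $label, $hit === null
        ? 'allowed'
        : sprintf('blocked: %s matched /%s/', $hit[0], $hit[1]));
}
// In a real entry script you would instead do something like:
//   if (($hit = first_hit($rules, $_GET + $_POST + $_COOKIE)) !== null) { deny(...$hit); }
```

All four samples are reported as blocked: the first three by the rules aimed at them, the fourth ("washer and dryer size=large") by `\s*and\s+.*=.*`, which is the kind of false positive to look for when you replay real traffic through a candidate rule set. The combined pattern gives a single fast check per value; the per-rule loop only runs on a hit, so logging which rule fired costs nothing on clean requests.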

Source code

github.com/xielei/waf