This is a PHP-based web application firewall (WAF) library that blocks SQL injection and XSS attempts at the application layer, with no module or configuration required on the web server.
Installation
composer require xielei/waf
Usage
$waf = new \Xielei\Waf\Waf();
$waf->run();
Custom interception rules
Each rule is a bare PCRE fragment; a request is blocked as soon as any parameter value matches one of them.
$rules = [
    '\.\./',                                      // reject parameters containing ../ (path traversal)
    '\<\?',                                       // reject PHP open tags
    '\s*or\s+.*=.*',                              // match 'or 1=1' to prevent SQL injection
    'select([\s\S]*?)(from|limit)',               // prevent SQL injection
    '(?:(union([\s\S]*?)select))',                // prevent SQL injection
    'having|updatexml|extractvalue',              // prevent SQL injection (error-based)
    'sleep\((\s*)(\d*)(\s*)\)',                   // prevent time-based blind SQL injection
    'benchmark\((.*)\,(.*)\)',                    // prevent time-based blind SQL injection
    'base64_decode\(',                            // prevent encoded SQL injection variants
    '(?:from\W+information_schema\W)',            // prevent SQL injection
    '(?:(?:current_)user|database|schema|connection_id)\s*\(', // prevent SQL injection
    '(?:etc\/\W*passwd)',                         // prevent reading Linux user information
    'into(\s+)+(?:dump|out)file\s*',              // block MySQL INTO OUTFILE / DUMPFILE
    'group\s+by.+\(',                             // prevent SQL injection
    '(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(', // block webshell-related functions
    '(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/', // prevent stream-wrapper / protocol attacks
    '\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[', // block PHP superglobals; adjust this to your application
    '\<(iframe|script|body|img|layer|div|meta|style|base|object|input)', // prevent XSS tag injection
    '(onmouseover|onerror|onload|onclick)\=',     // prevent XSS event-handler injection
    '\|\|.*(?:ls|pwd|whoami|ll|ifconfig|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)', // prevent shell command execution
    '\s*and\s+.*=.*',                             // match 'and 1=1'
];
$waf = new \Xielei\Waf\Waf($rules);
$waf->run();
Custom blocking response
$waf = new \Xielei\Waf\Waf();
if (!$waf->check()) {
    echo 'Illegal request';
    die;
}
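As an added example (not the library's own code), the following re-implements the scan that check() performs using a few rules copied from the list above, so you can see which rule fires on a given request and spot false positives before tuning the list; the rule names, the firstMatchingRule() helper and the assumption that each rule is wrapped as /…/i are mine.

```php
<?php
declare(strict_types=1);

// Hypothetical rule names; the patterns themselves are copied from the list above.
const RULES = [
    'sql_or'    => '\s*or\s+.*=.*',
    'sql_and'   => '\s*and\s+.*=.*',
    'sql_union' => '(?:(union([\s\S]*?)select))',
    'xss_tag'   => '\<(iframe|script|body|img|layer|div|meta|style|base|object|input)',
    'xss_event' => '(onmouseover|onerror|onload|onclick)\=',
];

/**
 * Recursively scan every scalar value in a request array (nested parameters such
 * as a[b]=1 arrive as arrays) and return the name of the first rule that matches,
 * or null when nothing matches. check() only returns a boolean; knowing which
 * rule fired is what you need when tuning the list against real traffic.
 */
function firstMatchingRule(array $input, array $rules): ?string
{
    foreach ($input as $value) {
        if (is_array($value)) {
            $hit = firstMatchingRule($value, $rules);
            if ($hit !== null) {
                return $hit;
            }
            continue;
        }
        foreach ($rules as $name => $pattern) {
            // Rules are bare PCRE fragments; assume they are wrapped in '/' delimiters
            // and matched case-insensitively (the escaped '/' in several rules implies '/').
            if (preg_match('/' . $pattern . '/i', (string) $value) === 1) {
                return $name;
            }
        }
    }
    return null;
}

// Constructed sample requests standing in for $_GET / $_POST.
$samples = [
    'injection attempt' => ['id' => "1' or 1=1 -- "],                     // sql_or
    'xss attempt'       => ['bio' => '<script>alert(1)</script>'],        // xss_tag
    'legitimate text'   => ['note' => 'Terms and conditions = accepted'], // sql_and: false positive
    'clean request'     => ['page' => '2', 'sort' => 'name'],              // none
];
foreach ($samples as $label => $request) {
    printf("%-18s -> %s\n", $label, firstMatchingRule($request, RULES) ?? 'none');
}
```

The third sample shows why the page advises modifying the rules yourself: plain English containing "and" followed by "=" trips the `and 1=1` rule, so log the matched rule name and review blocked requests before deploying the default list on user-facing text fields.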
Source code
github.com/xielei/waf