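<?php

// (2020.12.19, 차재복, Cha Jae Bok, cjbword@gmailcom)
//
// Request-parameter guard, included at the top of the dictionary pages.
// It does two things:
//   1. Rejects any request whose query string is longer than 140 bytes and
//      records it in the `hacked` table (one row per ip, counting repeats).
//   2. Copies the request parameters the pages use into plain variables and
//      length-/shape-checks the ones that are later used as numbers or as a
//      search term, calling exit on anything that does not fit.
//
// Variables left in the including scope:
//   $qry_str_len, $m_temp1, $mode (only set when mode=super_edit), $m_word,
//   $m_detail, $m_id, $action, $node_action, $m_text, $m_opt, $m_search,
//   $act, $gita_choice, $choiced, $nav, $id, $cur_id (only when id is non-empty).
// Expects $dbi (a mysqli connection) to already exist; $mgid may be set by
// the including page and is only length-checked here.

declare(strict_types=1);

// ---- 1. Over-long query strings: record and reject ------------------------
$qry_str_len = strlen($_SERVER['QUERY_STRING'] ?? '');
if ($qry_str_len > 140) {
    // REMOTE_ADDR and SCRIPT_NAME are bound as parameters rather than
    // concatenated into the statement, so the recorded values cannot alter it.
    $sql = 'insert into hacked (ip,time,stop_time,qry_len,number,filename)'
        . ' values (?,now(),now(),?,1,?)'
        . ' on duplicate key update stop_time=now(),number=number+1,'
        . 'reject=if((number>5 and minute(stop_time-time)<1) or (number>15),1,0)';
    $remote_addr = $_SERVER['REMOTE_ADDR'] ?? '';
    $script_name = $_SERVER['SCRIPT_NAME'] ?? '';

    // Under MYSQLI_REPORT_STRICT (PHP 8.1+ default) the mysqli_* calls throw
    // instead of returning false; the explicit check below covers the other mode.
    $stmt = mysqli_prepare($dbi, $sql);
    $recorded = $stmt !== false
        && mysqli_stmt_bind_param($stmt, 'sis', $remote_addr, $qry_str_len, $script_name)
        && mysqli_stmt_execute($stmt);
    if (!$recorded) {
        // Logged server-side; the database error text is not sent to the client.
        error_log(mysqli_errno($dbi) . ' : ' . mysqli_error($dbi));
    }
    exit;
}

// ---- 2. Request parameters -----------------------------------------------

/**
 * Returns the named request parameter as a string, or null when it is absent.
 * Array-valued parameters (`key[]=...`) are never meaningful on these pages and
 * are treated as absent instead of reaching substr()/strlen() as arrays.
 */
$request_param = static function (string $key): ?string {
    $value = $_REQUEST[$key] ?? null;

    return is_scalar($value) ? (string) $value : null;
};

$m_temp1 = $request_param('m_temp1') ?? $request_param('no');
if ($request_param('mode') === 'super_edit') {
    $mode = 'super_edit';
}
$m_word = $request_param('m_word');
$m_detail = $request_param('m_detail');

$m_id = $request_param('m_id');
if ($m_id < 0) {
    exit; // negative ids are never valid
}
$m_id = substr((string) $m_id, 0, 10); // length cap

$action = $request_param('action');
$node_action = $request_param('node_action');
$m_text = $request_param('m_text');
$m_opt = $request_param('opt');

// `sh` is the short alias for the search term; used only when m_search is empty.
$m_search = $request_param('m_search');
if (empty($m_search)) {
    $m_search = $request_param('sh');
}

$act = $request_param('act');
$gita_choice = $request_param('gita_choice');
$choiced = $request_param('choiced');
$nav = $request_param('nav');

$id = $request_param('id');
if (!empty($id)) {
    $cur_id = $id;
}

// ---- 3. Per-parameter checks ---------------------------------------------

// m_temp1: numeric only, at most 8 bytes, dots removed after truncation.
if (!empty($m_temp1) && !is_numeric($m_temp1)) {
    exit;
}
$m_temp1 = str_replace('.', '', substr((string) $m_temp1, 0, 8));

// id: numeric and non-negative, at most 10 bytes. The non-negative check is
// applied only to a non-empty value; an empty `id=` is left alone.
if (!empty($id) && (!is_numeric($id) || $id < 0)) {
    exit;
}
$id = substr((string) $id, 0, 10);

// nav: numeric only, at most 10 bytes.
if (!empty($nav) && !is_numeric($nav)) {
    exit;
}
$nav = substr((string) $nav, 0, 10);

// m_search: no negative numbers, at most 70 bytes on input, backslashes and
// "/.." replaced by a space, then capped at 55 bytes.
if ($m_search < 0) {
    exit;
}
$m_search = (string) $m_search;
if (strlen($m_search) > 70) {
    exit;
}
$m_search = str_replace(['\\', '/..'], ' ', $m_search);
// mb_strcut keeps the 55-byte cap but never splits a multi-byte (UTF-8) character.
$m_search = function_exists('mb_strcut')
    ? mb_strcut($m_search, 0, 55, 'UTF-8')
    : substr($m_search, 0, 55);

// mgid (set by the including page, if at all): at most 10 bytes.
if (isset($mgid) && strlen((string) $mgid) > 10) {
    exit;
}

unset($request_param);
?>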