1.
$rfi_attack = array("../","./","etc/passwd","%00","http://","ftp://","://","data:");
NULL won't work. You have already decoded the string:
$request=urldecode($request);
so to find a null you need to use "\x00", not "%00".
2.
$xss_attack = array("<script","</script>","location.href","document.cookie","src=", ".js","http://","alert(","%3E","%3C");
This is a very specific array. There are around a hundred different kinds of XSS of various sorts; HTML comments /***/ can be inserted into tags, so this array needs to be completely changed and regexps used if you want good protection.
3.
$rfi_attack = array("../","./","etc/passwd","%00","http://","ftp://","://","data:");
What is the point of "http://","ftp://","://"? A single "://" is enough.
4.
strstr is case-sensitive. All your arrays can be bypassed by changing even one letter to upper case.
Use stristr instead, then.
5.
htmlspecialchars($_SERVER['HTTP_REFERER'])
There is a bug in htmlspecialchars that can take down your server if PHP <= 4.3.
6.
function split_req($s){$s=explode("&",$s);return($s);}
The ampersands & will remain in the return value. That is not fatal, but keep it in mind for the future.
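Added example (my own illustration, not the original poster's code): the request check with points 1, 3 and 4 applied, i.e. matching on the decoded string with "\x00" instead of "%00", a single "://", and case-insensitive stristr. The function name, pattern list and sample requests are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the reviewed code. Checks run on the DECODED request,
// so the null byte is looked for as "\x00"; "http://" and "ftp://" are
// covered by the single "://" entry.
$rfi_patterns = array("../", "./", "etc/passwd", "\x00", "://", "data:");

// Returns the matched pattern, or false if nothing matched.
function is_suspicious_request($request, array $patterns) {
    // urldecode first, exactly as the reviewed code does, so that
    // "%00" becomes a real null byte and "%2E%2E%2F" becomes "../".
    $decoded = urldecode($request);
    foreach ($patterns as $needle) {
        // stristr is case-insensitive, so "HTTP://" and "Etc/Passwd"
        // match just like their lower-case forms (strstr would miss them).
        if (stristr($decoded, $needle) !== false) {
            return $needle;
        }
    }
    return false;
}

// Constructed sample inputs: benign, plain, URL-encoded upper case,
// null byte, and an upper-case scheme.
$samples = array(
    "page=about",
    "file=../../etc/passwd",
    "file=..%2F..%2FETC%2FPASSWD",
    "file=index.php%00.jpg",
    "url=HTTP://example.invalid/x.txt",
);

foreach ($samples as $s) {
    $hit = is_suspicious_request($s, $rfi_patterns);
    // addcslashes makes the null byte visible as \000 in the output.
    printf("%-36s -> %s\n", $s,
        $hit === false ? "ok" : "blocked (" . addcslashes($hit, "\0") . ")");
}
```

Only the first sample passes; the other four are reported with the pattern that matched. As point 2 says, this is still a substring blacklist, so it is a minimum, not a complete defence.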