防止sql注入
mysql_real_escape_string方法
http://www.w3school.com.cn/php/func_mysql_real_escape_string.asp
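/**
 * Deny-list screen of every $_REQUEST value for SQL keywords.
 *
 * Walks $_REQUEST recursively (nested arrays arrive from keys such as
 * a[b]=...), lower-cases each scalar leaf and aborts the request with a
 * message when one of the space-delimited SQL keywords or the "-- " comment
 * marker occurs in it. The original implementation passed nested arrays
 * straight to strtolower(), which throws a TypeError on PHP 8 and silently
 * skipped those values on older releases; the walk below screens them.
 *
 * A keyword list is only a coarse heuristic: it cannot catch every payload
 * and it rejects legitimate text containing e.g. " from ". It does not
 * replace parameterised queries and should be treated as an extra signal.
 *
 * Side effects: prints a message and calls exit when a match is found.
 *
 * @return void
 */
function checkurl()
{
    // The original hard-coded list, kept verbatim so the set of accepted
    // inputs does not change; the surrounding spaces make the matches
    // roughly whole-word.
    $words = array(
        " add ", " count ", " create ", " delete ", " drop ", " from ",
        " grant ", " insert ", " select ", " truncate ", " update ", " use ",
        "-- ",
    );
    if (checkurl_contains_word($_REQUEST, $words)) {
        echo "您输入的内容含有非法字符!";
        exit;
    }
}

/**
 * Recursive helper for checkurl(): true when any scalar leaf of $value
 * contains one of $words after lower-casing.
 *
 * Non-string scalars (int, float, bool) are cast to string so they are
 * screened instead of raising a TypeError; null and objects never match.
 *
 * @param mixed    $value A request value: string, number, or nested array.
 * @param string[] $words Lower-case substrings to look for.
 * @return bool
 */
function checkurl_contains_word($value, array $words)
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (checkurl_contains_word($item, $words)) {
                return true;
            }
        }
        return false;
    }
    if (!is_scalar($value)) {
        return false;
    }
    $haystack = strtolower((string) $value);
    foreach ($words as $word) {
        if (strpos($haystack, $word) !== false) {
            return true;
        }
    }
    return false;
}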
checkurl(); // run the $_REQUEST keyword screen as soon as this file is included; on a hit it prints a message and exits
/*
 * Anti-injection pass: rewrite $_GET and $_POST in place through sec().
 * sec() is declared further down in this file; PHP hoists unconditional
 * top-level function declarations, so calling it here works.
 * Not covered here: $_COOKIE is left untouched, and $_REQUEST still holds
 * the original (unescaped) values because it is not rebuilt from the
 * rewritten $_GET/$_POST.
 */
$_GET = sec ( $_GET );
$_POST = sec ( $_POST );
/**
 * Recursively sanitises a request value in place and also returns it.
 *
 * Arrays are walked key by key (keys and order preserved); strings go
 * through str_check(); ints and floats are coerced with intval(), so floats
 * are truncated; anything else (bool, null, objects) is returned untouched.
 * Because strings are handled before the is_numeric() branch, numeric
 * strings such as "12" are escaped as strings, not converted to int.
 * $array is taken by reference, so the caller's variable is rewritten as
 * well as returned.
 *
 * @param mixed $array
 * @return mixed
 */
function sec(&$array)
{
    if (is_array($array)) {
        $cleaned = array();
        foreach ($array as $key => $item) {
            $cleaned[$key] = sec($item);
        }
        $array = $cleaned;
    } elseif (is_string($array)) {
        $array = str_check($array);
    } elseif (is_numeric($array)) {
        $array = intval($array);
    }
    return $array;
}
/**
 * Escapes one request string, aborting the request if it looks like injection.
 *
 * First runs the inject_check() deny-list and terminates the script with
 * '非法参数' on a hit. Otherwise the value is backslash-escaped with
 * addslashes() and then HTML-encoded with htmlspecialchars(), so the stored
 * value carries both escapings. addslashes() is a legacy SQL escape and is
 * not a substitute for prepared statements; htmlspecialchars() with default
 * flags also encodes differently across PHP versions (single quotes are only
 * encoded by default since 8.1).
 *
 * Side effects: calls die() when inject_check() reports a match.
 *
 * @param string $str
 * @return string
 */
function str_check($str)
{
    if (inject_check($str)) {
        die('非法参数');
    }
    // Slash-escape first, then entity-encode, in the original order.
    $escaped = addslashes($str);
    return htmlspecialchars($escaped);
}
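/**
 * Deny-list test: true when $sql_str contains a fragment commonly seen in
 * SQL injection payloads (SQL verbs, a single quote, a C-style comment
 * opener, '*', "../" or "./" path fragments, UNION, INTO, load_file, outfile).
 *
 * Replaces eregi(), which was removed in PHP 7, with a case-insensitive
 * preg_match() on the same alternatives. The original pattern listed
 * "inert", which is corrected to "insert" here.
 *
 * This is a substring match, so ordinary text such as "selected", "pinto"
 * or O'Brien is rejected too, and it cannot catch every payload; it is a
 * coarse filter only and does not replace parameterised queries.
 *
 * A preg error (e.g. backtrack limit exceeded) counts as a hit, so the
 * filter fails closed rather than passing an un-scanned value through.
 *
 * @param mixed $sql_str Value to scan; non-strings are cast to string.
 * @return bool
 */
function inject_check($sql_str)
{
    $pattern = '~select|insert|update|delete|\'|/\*|\*|\.\./|\./|union|into|load_file|outfile~i';
    return preg_match($pattern, (string) $sql_str) !== 0;
}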
/**
 * Recursively removes backslash escaping from a value, in place and by return.
 *
 * Arrays are mapped element by element with keys preserved; strings go
 * through stripslashes(); every other type (int, float, bool, null) is
 * returned unchanged. The reference parameter means the caller's variable
 * is rewritten as well.
 *
 * @param mixed $array
 * @return mixed
 */
function stripslashes_array(&$array)
{
    if (is_array($array)) {
        // array_map with a single array keeps the original keys.
        $array = array_map(function ($item) {
            return stripslashes_array($item);
        }, $array);
    } elseif (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}