防止sql注入
mysql_real_escape_string方法
http://www.w3school.com.cn/php/func_mysql_real_escape_string.asp
//过滤REQUEST串
function checkurl (){
$words = array();
$words[] = " add ";
$words[] = " count ";
$words[] = " create ";
$words[] = " delete ";
$words[] = " drop ";
$words[] = " from ";
$words[] = " grant ";
$words[] = " insert ";
$words[] = " select ";
$words[] = " truncate ";
$words[] = " update ";
$words[] = " use ";
$words[] = "-- ";
foreach($_REQUEST as $strGot) {
$strGot = strtolower($strGot);
foreach($words as $word) {
if (strstr($strGot, $word)) {
echo "您输入的内容含有非法字符!";
exit;
}
}
}
}
checkurl();//包含SQL断开
/*防注入处理*/
$_GET = sec ( $_GET );
$_POST = sec ( $_POST );
function sec(&$array) {
//如果是数组,遍历数组,递归调用
if (is_array ( $array )) {
foreach ( $array as $k => $v ) {
$array [$k] = sec ( $v );
}
} else if (is_string ( $array )) {
$array = str_check ( $array );
} else if (is_numeric ( $array )) {
$array = intval ( $array );
}
return $array;
}
//字符过滤函数
function str_check($str) {
if (inject_check ( $str )) {
die ( '非法参数' );
}
//使用addslashes函数来处理
$str = addslashes ( $str );
//注入判断
$str = htmlspecialchars ( $str );
//转换html
return $str;
}
//防注入函数
function inject_check($sql_str) {
return eregi ( 'select|inert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|UNION|into|load_file|outfile', $sql_str );
}
function stripslashes_array(&$array) {
if (is_array ( $array )) {
foreach ( $array as $k => $v ) {
$array [$k] = stripslashes_array ( $v );
}
} else if (is_string ( $array )) {
$array = stripslashes ( $array );
}
return $array;
}
posted on 2016-04-26 17:26 lansedongqing 阅读(232) 评论(0) 编辑 收藏 举报
· go语言实现终端里的倒计时
· 如何编写易于单元测试的代码
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· 使用C#创建一个MCP客户端
· 分享一个免费、快速、无限量使用的满血 DeepSeek R1 模型,支持深度思考和联网搜索!
· ollama系列1:轻松3步本地部署deepseek,普通电脑可用
· 基于 Docker 搭建 FRP 内网穿透开源项目(很简单哒)
· 按钮权限的设计及实现