防止sql注入

mysql_real_escape_string方法

http://www.w3school.com.cn/php/func_mysql_real_escape_string.asp



//过滤REQUEST串
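/**
 * Reject the request when any input value contains a listed SQL keyword.
 *
 * Walks $input (default: $_REQUEST) recursively, lower-cases every string
 * leaf and looks for the space-padded keywords below. On the first hit it
 * prints a message and terminates the script; otherwise it returns normally.
 * Non-string leaves (ints, null, ...) are ignored.
 *
 * This is a coarse keyword denylist, not an injection defence: it cannot
 * make a query safe, and it also rejects ordinary text such as "please add
 * a note" or anything containing "-- ". Parameterised queries (PDO/mysqli
 * prepared statements) are the actual fix; keep this only as a pre-filter.
 *
 * The original version called strtolower() on each $_REQUEST entry directly,
 * which breaks on array parameters (e.g. a[]=1): a warning on PHP 5/7 and a
 * TypeError on PHP 8. Nested arrays are now walked instead.
 *
 * @param array|null $input values to scan; null means $_REQUEST
 * @return void returns only when nothing matched; exits otherwise
 */
function checkurl($input = null) {
    $words = array(
        " add ", " count ", " create ", " delete ", " drop ", " from ",
        " grant ", " insert ", " select ", " truncate ", " update ", " use ",
        "-- ",
    );
    if ($input === null) {
        $input = $_REQUEST;
    }
    if (_checkurl_contains_word($input, $words)) {
        echo "您输入的内容含有非法字符!";
        exit;
    }
}

// True when $value (a string, or an array of strings/arrays at any depth)
// contains one of $words after lower-casing; every other type is clean.
function _checkurl_contains_word($value, array $words) {
    if (is_array($value)) {
        foreach ($value as $item) {
            if (_checkurl_contains_word($item, $words)) {
                return true;
            }
        }
        return false;
    }
    if (!is_string($value)) {
        return false;
    }
    $lowered = strtolower($value);
    foreach ($words as $word) {
        // strpos !== false is the same test as the original truthy strstr():
        // none of the words can produce a falsy match such as "0".
        if (strpos($lowered, $word) !== false) {
            return true;
        }
    }
    return false;
}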
checkurl();// Run the keyword scan over $_REQUEST before any other code touches the input; it exits on a match.


/*防注入处理*/
// Sanitise the query string and the form body in place via sec(); sec() is
// declared further down but PHP hoists unconditional function declarations.
// $_COOKIE, $_REQUEST and the raw request body are NOT covered by this call.
list($_GET, $_POST) = array(sec($_GET), sec($_POST));
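/**
 * Recursively sanitise a request value (string, number or nested array).
 *
 * - arrays: every leaf is replaced with sec($leaf); keys are left untouched.
 * - strings: passed to str_check(), which die()s on a denylist hit and
 *   otherwise returns the addslashes()+htmlspecialchars() form.
 * - ints/floats: returned unchanged. The original ran intval() here, which
 *   silently truncated floats (3.7 -> 3); a number needs no escaping, so the
 *   value is kept. Values coming from $_GET/$_POST are always strings or
 *   arrays, so this branch only matters for direct callers.
 * - bool/null/objects: returned unchanged.
 *
 * $array is taken by reference, so the caller's variable is rewritten in
 * place as well as returned. The escaping done by str_check() is not a
 * substitute for prepared statements; see that function's notes.
 *
 * @param mixed $array value to sanitise (by reference)
 * @return mixed the sanitised value
 */
function sec(&$array) {
    // Arrays: recurse into every element and write the result back.
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = sec($v);
        }
    } elseif (is_string($array)) {
        $array = str_check($array);
    }
    // int, float, bool, null: nothing to escape, fall through unchanged.
    return $array;
}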
//字符过滤函数
/**
 * Filter a single string value: reject on a denylist hit, otherwise escape.
 *
 * inject_check() decides whether the value is refused; on a hit the request
 * is terminated with die('非法参数'). Accepted values are run through
 * addslashes() and then htmlspecialchars() and the result is returned.
 *
 * Caveats for the reader: addslashes() is not charset-aware and is not the
 * mysql_real_escape_string()/driver-level escaping the post refers to, and
 * neither replaces prepared statements; htmlspecialchars() applied at input
 * time means anything stored from this value carries HTML entities into
 * non-HTML sinks (database, logs, JSON), where they are wrong.
 *
 * @param string $str raw input value
 * @return string the escaped value
 */
function str_check($str) {
    // Denylist gate: die() ends the request, nothing below runs on a hit.
    if (inject_check($str)) {
        die('非法参数');
    }
    // Backslash-escape quotes/backslashes, then HTML-encode the result.
    $escaped = addslashes($str);
    return htmlspecialchars($escaped);
}
//防注入函数
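/**
 * Keyword/character denylist used by str_check().
 *
 * Case-insensitive substring search for a few SQL keywords, the quote
 * character, comment openers, '*' and relative path fragments. This
 * replaces eregi(), which was removed in PHP 7.0 (the original would fatal
 * with "undefined function" there), and fixes the typo "inert" so that
 * "insert" is actually matched, as the keyword list in checkurl() intends.
 *
 * Limitations to weigh before relying on it: plain English words such as
 * "delete" or "into" and any '*' in normal text are rejected (false
 * positives), the `\*` branch already covers `/\*`, and a denylist cannot
 * make SQL safe — prepared statements are the real control.
 *
 * @param string $sql_str value to inspect
 * @return bool true when a listed token is present; also true if PCRE
 *              reports an error, so the check fails closed rather than open
 */
function inject_check($sql_str) {
    $pattern = '/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i';
    // preg_match() returns 0 on no match, 1 on match, false on engine error;
    // only a clean 0 is treated as "nothing found".
    return preg_match($pattern, $sql_str) !== 0;
}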
/**
 * Undo addslashes()/magic-quotes escaping on a value or a nested array.
 *
 * Strings are passed through stripslashes(); arrays are walked recursively
 * and every leaf is replaced in place; any other type is returned untouched.
 * $array is taken by reference, so the caller's variable is rewritten as
 * well as returned. Keys are not modified.
 *
 * @param mixed $array value to unescape (by reference)
 * @return mixed the unescaped value
 */
function stripslashes_array(&$array) {
    if (is_string($array)) {
        $array = stripslashes($array);
        return $array;
    }
    if (!is_array($array)) {
        return $array;
    }
    foreach ($array as $key => $leaf) {
        $array[$key] = stripslashes_array($leaf);
    }
    return $array;
}






