sql注入基础过滤
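/**
 * Blacklist-based filter for request values (GET / POST / cookie).
 *
 * The value is matched against a keyword pattern selected by $type; on a hit
 * the request is terminated with a small JSON body. Otherwise the value is
 * backslash-escaped, HTML-escaped and returned with newlines turned into
 * `<br />`.
 *
 * NOTE(review): a keyword blacklist is defence in depth only — it does not
 * replace parameterised queries (PDO prepare/execute), and addslashes() is
 * not charset-aware SQL escaping. Callers must still bind parameters.
 *
 * @param mixed $string value to check and escape
 * @param mixed $type   'get', 'post' or 'cookie'; any other value skips the
 *                      blacklist check (the original switch had no default)
 * @return string escaped value (never returns when the blacklist matches)
 */
public function sqlFilter($string, $type): string
{
    // GET pattern additionally rejects a leading single quote and puts no
    // distance limit between the boolean keyword and the operator.
    $getFilter = "/^'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)$/i";
    // POST and cookie used byte-identical patterns in the original; share one.
    $bodyFilter = "/^\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)$/i";

    $filters = [
        'get'    => $getFilter,
        'post'   => $bodyFilter,
        'cookie' => $bodyFilter,
    ];

    // Non-string $type never selects a pattern (array keys must be scalar).
    $pattern = is_string($type) ? ($filters[$type] ?? null) : null;
    if ($pattern !== null) {
        $hit = preg_match($pattern, $string);
        // Fail closed: preg_match() returns false on a PCRE error, which the
        // original silently treated as "no match" and let the value through.
        if ($hit === 1 || $hit === false) {
            // Response text kept verbatim so existing clients keep parsing it.
            die(json_encode(['msg' => 'data valid']));
        }
    }

    // Magic quotes were removed in PHP 5.4 and the function itself in 8.0;
    // the function_exists() guard keeps the original semantics (always strip
    // on modern PHP) without a fatal "undefined function" error on PHP 8.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    $string = addslashes($string);

    // Escape HTML before inserting <br />; the original ran nl2br() first, so
    // its own <br /> tags were then escaped to &lt;br /&gt; and never rendered.
    // Explicit flags escape single quotes too (the default only on 8.1+).
    $string = htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return nl2br($string);
}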