Posted in PHP onApril 25, 2008
SQL防注入代码一
<?php /** * 防sql注入 * @author: zhuyubing@gmail.com * */ /** * reject sql inject */ if (!function_exists (quote)) { function quote($var) { if (strlen($var)) { $var=!get_magic_quotes_gpc() ? $var : stripslashes($var); $var = str_replace("'","\'",$var); } return "'$var'"; } } if (!function_exists (hash_num)){ function hash_num($input) { $hash = 5381; for ($i = 0; $i < strlen($str); $i++) { $c = ord($str{$i}); $hash = (($hash << 5) + $hash) + $c; } return $hash; } } /**************** end *************************/ ?>
<?php /** * 防sql测试代码 CREATE TABLE IF NOT EXISTS `tb` ( `id` int(10) unsigned NOT NULL auto_increment, `age` tinyint(3) unsigned NOT NULL, `name` char(100) NOT NULL, `note` text NOT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 ; **/ include_once('common.php'); var_dump(hash_num('dddd')); if(empty($_GET)) { $_GET = array('age'=>'99','name'=>'a\'b\\\'c";','note'=>"a'b\'\nc#"); } $age = (int)$_GET['age']; $name = quote($_GET['name']); $note = quote($_GET['note']); $sql = "INSERT INTO `tb` ( `age`, `name`, `note`) VALUES ( $age, $name, $note)"; var_dump($sql); ?>
PHP 防止sql注入函数代码二:
<?php $magic_quotes_gpc = get_magic_quotes_gpc(); @extract(daddslashes($_COOKIE)); @extract(daddslashes($_POST)); @extract(daddslashes($_GET)); if(!$magic_quotes_gpc) { $_FILES = daddslashes($_FILES); } function daddslashes($string, $force = 0) { if(!$GLOBALS['magic_quotes_gpc'] || $force) { if(is_array($string)) { foreach($string as $key => $val) { $string[$key] = daddslashes($val, $force); } } else { $string = addslashes($string); } } return $string; } ?>
php 防止sql注入代码三
function inject_check($sql_str) { //防止注入 $check = eregi('select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str); if ($check) { echo "输入非法注入内容!"; exit (); } else { return $sql_str; } } function checkurl() { //检查来路 if (preg_replace("/https教程?://([^:/]+).*/i", "1", $_server['http_referer']) !== preg_replace("/([^:]+).*/", "1", $_server['http_host'])) { header("location: http://s.3water.com"); exit(); } } //调用 checkurl(); $str = $_get['url']; inject_check($sql_str);//这条可以在获取参数时执行操作
php SQL防注入代码集合
声明:登载此文出于传递更多信息之目的,并不意味着赞同其观点或证实其描述。
Reply on: @reply_date@
@reply_contents@