1、sql_injection
// Run the legacy slash-escaping hook over both request superglobals at load
// time (see sql_injection() below). The two calls are independent, so their
// order does not matter.
$_GET = sql_injection($_GET);
$_POST = sql_injection($_POST);
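function sql_injection($content)
{
    // Legacy input "escaping" hook: applies addslashes() to every string in
    // $content (recursing into nested arrays) unless magic_quotes_gpc already
    // did so.
    //
    // NOTE: addslashes() is not a SQL-injection defence. It is not charset
    // aware and does nothing for values used outside a quoted string context.
    // Queries should use prepared statements with bound parameters; keep this
    // only for compatibility with code that expects slashed input.
    //
    // @param mixed $content  string, array (possibly nested) or any other value
    // @return mixed          same shape as $content, with strings slash-escaped
    //
    // magic_quotes_gpc was dropped in PHP 5.4 and get_magic_quotes_gpc() itself
    // in 8.0; guard the call so the file still loads on current PHP, where the
    // answer is always "not quoted".
    $alreadyQuoted = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if ($alreadyQuoted) {
        return $content;
    }
    if (is_array($content)) {
        foreach ($content as $key => $value) {
            // Recurse so nested arrays (e.g. foo[]=bar) are escaped too instead
            // of being handed to addslashes(), which rejects arrays.
            $content[$key] = sql_injection($value);
        }
        return $content;
    }
    if (is_string($content)) {
        // The original discarded the addslashes() result on this branch, so
        // scalar strings were returned untouched.
        return addslashes($content);
    }
    // ints, floats, bools, null: nothing to escape
    return $content;
}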
/*
string $feifa 限制元素组成
如有非法字符跳转到上一页 返回 0 没有返回 1
//使用方法
$feifa=array("select","delete","from","update","create","destory","drop","alter","and","or","like","exec","count","*","chr","mid","master","truncate","char","declare",";","-","+");
$arrpostget=array("http://www.baidu.select cretecomdmin","wangw");
echo saftsql($feifa,$arrpostget);
*/
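function saftsql($feifa, $arrpostget)
{
    // Keyword black-list check over request values. Returns 0 as soon as any
    // value (recursing into nested arrays) contains one of the $feifa
    // substrings, compared case-insensitively; returns 1 when nothing matched,
    // including for an empty or falsy $arrpostget.
    //
    // NOTE: a black-list of SQL words is not an injection defence. It is
    // inherently incomplete and rejects legitimate input containing "and",
    // "or", "-" or "+". Use prepared statements with bound parameters and
    // treat this function as a logging/alerting signal at most.
    //
    // @param string[] $feifa       substrings to look for; empty entries are skipped
    // @param mixed    $arrpostget  array of request values (strings or nested arrays)
    // @return int 0 if a needle was found, otherwise 1
    if (!$arrpostget) {
        return 1;
    }
    // Drop empty needles: stripos() with an empty needle matches at offset 0
    // on PHP 8, which would flag every value.
    $needles = [];
    foreach ((array) $feifa as $needle) {
        if ((string) $needle !== '') {
            $needles[] = (string) $needle;
        }
    }
    foreach ((array) $arrpostget as $value) {
        if (is_array($value)) {
            // nested request value (foo[]=bar): fail if anything inside matches
            if (saftsql($needles, $value) === 0) {
                return 0;
            }
            continue;
        }
        $haystack = (string) $value;
        foreach ($needles as $needle) {
            // The original tested `if ($flag)`, which misses a match at offset 0
            // and, through its else branch, returned 1 after checking only the
            // first needle of the first value. Compare against false and keep
            // scanning; SQL keywords are case-insensitive, so use stripos().
            if (stripos($haystack, $needle) !== false) {
                return 0;
            }
        }
    }
    return 1;
}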
//要过滤的非法字符
// Patterns that reject a request (matched case-insensitively by
// FunStringExist): a doubled single quote, a statement separator and the
// UNION keyword. The "\'\'" double-quoted literal keeps its backslashes.
$ArrFiltrate = ["\'\'", ';', 'union'];
// Redirect target after a rejection; an empty string means history.go(-1).
$StrGoUrl = '';
//是否存在数组中的值
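function FunStringExist($StrFiltrate, $ArrFiltrate)
{
    // Returns true if any pattern in $ArrFiltrate matches $StrFiltrate
    // (case-insensitive), false otherwise. Arrays in $StrFiltrate (nested
    // request values) are searched element by element.
    //
    // eregi() was removed in PHP 7.0; the patterns are now evaluated as PCRE
    // with the `i` flag, which gives the same results for the shipped entries
    // ("\'\'" -> two quotes, ";", "union"). Entries are patterns, not literal
    // text: a "/" inside one must be written as "\/".
    //
    // @param mixed    $StrFiltrate  string to scan, or an array of such values
    // @param string[] $ArrFiltrate  regular-expression fragments
    // @return bool
    // @throws \RuntimeException when a filter pattern does not compile
    if (is_array($StrFiltrate)) {
        foreach ($StrFiltrate as $item) {
            if (FunStringExist($item, $ArrFiltrate)) {
                return true;
            }
        }
        return false;
    }
    $subject = (string) $StrFiltrate;
    foreach ((array) $ArrFiltrate as $pattern) {
        $result = preg_match('/' . $pattern . '/i', $subject);
        if ($result === false) {
            // A malformed pattern is a configuration error; surface it rather
            // than letting the filter silently pass everything.
            throw new \RuntimeException('FunStringExist: invalid filter pattern ' . var_export($pattern, true));
        }
        if ($result === 1) {
            return true;
        }
    }
    return false;
}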
//合并$_POST 和 $_GET
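// Merge the request superglobals into one array for validation. array_merge()
// has always existed, so the original `function_exists(array_merge)` probe —
// an undefined bare constant, which is a fatal Error on PHP 8 — and its
// fallback over the long-removed $HTTP_GET_VARS are dropped. Later keys win,
// so a $_POST field shadows a $_GET field of the same name, and numeric keys
// are renumbered. Only GET and POST are covered: cookies, headers and raw or
// JSON request bodies are not inspected by this file.
$ArrPostAndGet = array_merge($_GET, $_POST);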
//验证开始
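// Reject the request if any GET/POST value matches a filter pattern. The alert
// text is emitted unchanged and the response keeps the default status code as
// before; sending http_response_code(400) first would make rejections visible
// in access logs and monitoring.
foreach ($ArrPostAndGet as $value) {
    if (!FunStringExist($value, $ArrFiltrate)) {
        continue;
    }
    echo "<script language='javascript'>alert('Neeao提示,非法字符');</script>";
    if (empty($StrGoUrl)) {
        echo "<script language='javascript'>history.go(-1);</script>";
    } else {
        // The original wrote \' inside a double-quoted PHP string, where it is
        // not an escape: the browser received `window.location=\'...\';`, a
        // JavaScript syntax error, so the redirect never happened. Emit the URL
        // as a JSON string literal with HTML-special characters hex-escaped so
        // it cannot terminate the <script> element or the string.
        $jsUrl = json_encode(
            $StrGoUrl,
            JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_INVALID_UTF8_SUBSTITUTE
        );
        echo "<script language='javascript'>window.location=" . $jsUrl . ";</script>";
    }
    exit;
}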
// Run the legacy slash-escaping hook over both request superglobals at load
// time (see sql_injection() below). The two calls are independent, so their
// order does not matter.
$_GET = sql_injection($_GET);
$_POST = sql_injection($_POST);
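function sql_injection($content)
{
    // Legacy input "escaping" hook: applies addslashes() to every string in
    // $content (recursing into nested arrays) unless magic_quotes_gpc already
    // did so.
    //
    // NOTE: addslashes() is not a SQL-injection defence. It is not charset
    // aware and does nothing for values used outside a quoted string context.
    // Queries should use prepared statements with bound parameters; keep this
    // only for compatibility with code that expects slashed input.
    //
    // @param mixed $content  string, array (possibly nested) or any other value
    // @return mixed          same shape as $content, with strings slash-escaped
    //
    // magic_quotes_gpc was dropped in PHP 5.4 and get_magic_quotes_gpc() itself
    // in 8.0; guard the call so the file still loads on current PHP, where the
    // answer is always "not quoted".
    $alreadyQuoted = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if ($alreadyQuoted) {
        return $content;
    }
    if (is_array($content)) {
        foreach ($content as $key => $value) {
            // Recurse so nested arrays (e.g. foo[]=bar) are escaped too instead
            // of being handed to addslashes(), which rejects arrays.
            $content[$key] = sql_injection($value);
        }
        return $content;
    }
    if (is_string($content)) {
        // The original discarded the addslashes() result on this branch, so
        // scalar strings were returned untouched.
        return addslashes($content);
    }
    // ints, floats, bools, null: nothing to escape
    return $content;
}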
2、saftsql
/*
string $feifa 限制元素组成
如有非法字符跳转到上一页 返回 0 没有返回 1
//使用方法
$feifa=array("select","delete","from","update","create","destory","drop","alter","and","or","like","exec","count","*","chr","mid","master","truncate","char","declare",";","-","+");
$arrpostget=array("http://www.baidu.select cretecomdmin","wangw");
echo saftsql($feifa,$arrpostget);
*/
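function saftsql($feifa, $arrpostget)
{
    // Keyword black-list check over request values. Returns 0 as soon as any
    // value (recursing into nested arrays) contains one of the $feifa
    // substrings, compared case-insensitively; returns 1 when nothing matched,
    // including for an empty or falsy $arrpostget.
    //
    // NOTE: a black-list of SQL words is not an injection defence. It is
    // inherently incomplete and rejects legitimate input containing "and",
    // "or", "-" or "+". Use prepared statements with bound parameters and
    // treat this function as a logging/alerting signal at most.
    //
    // @param string[] $feifa       substrings to look for; empty entries are skipped
    // @param mixed    $arrpostget  array of request values (strings or nested arrays)
    // @return int 0 if a needle was found, otherwise 1
    if (!$arrpostget) {
        return 1;
    }
    // Drop empty needles: stripos() with an empty needle matches at offset 0
    // on PHP 8, which would flag every value.
    $needles = [];
    foreach ((array) $feifa as $needle) {
        if ((string) $needle !== '') {
            $needles[] = (string) $needle;
        }
    }
    foreach ((array) $arrpostget as $value) {
        if (is_array($value)) {
            // nested request value (foo[]=bar): fail if anything inside matches
            if (saftsql($needles, $value) === 0) {
                return 0;
            }
            continue;
        }
        $haystack = (string) $value;
        foreach ($needles as $needle) {
            // The original tested `if ($flag)`, which misses a match at offset 0
            // and, through its else branch, returned 1 after checking only the
            // first needle of the first value. Compare against false and keep
            // scanning; SQL keywords are case-insensitive, so use stripos().
            if (stripos($haystack, $needle) !== false) {
                return 0;
            }
        }
    }
    return 1;
}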
3、FunStringExist
//然后在每个php文件前加include("checkpostandget.php");即可
//要过滤的非法字符
// Patterns that reject a request (matched case-insensitively by
// FunStringExist): a doubled single quote, a statement separator and the
// UNION keyword. The "\'\'" double-quoted literal keeps its backslashes.
$ArrFiltrate = ["\'\'", ';', 'union'];
// Redirect target after a rejection; an empty string means history.go(-1).
$StrGoUrl = '';
//是否存在数组中的值
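function FunStringExist($StrFiltrate, $ArrFiltrate)
{
    // Returns true if any pattern in $ArrFiltrate matches $StrFiltrate
    // (case-insensitive), false otherwise. Arrays in $StrFiltrate (nested
    // request values) are searched element by element.
    //
    // eregi() was removed in PHP 7.0; the patterns are now evaluated as PCRE
    // with the `i` flag, which gives the same results for the shipped entries
    // ("\'\'" -> two quotes, ";", "union"). Entries are patterns, not literal
    // text: a "/" inside one must be written as "\/".
    //
    // @param mixed    $StrFiltrate  string to scan, or an array of such values
    // @param string[] $ArrFiltrate  regular-expression fragments
    // @return bool
    // @throws \RuntimeException when a filter pattern does not compile
    if (is_array($StrFiltrate)) {
        foreach ($StrFiltrate as $item) {
            if (FunStringExist($item, $ArrFiltrate)) {
                return true;
            }
        }
        return false;
    }
    $subject = (string) $StrFiltrate;
    foreach ((array) $ArrFiltrate as $pattern) {
        $result = preg_match('/' . $pattern . '/i', $subject);
        if ($result === false) {
            // A malformed pattern is a configuration error; surface it rather
            // than letting the filter silently pass everything.
            throw new \RuntimeException('FunStringExist: invalid filter pattern ' . var_export($pattern, true));
        }
        if ($result === 1) {
            return true;
        }
    }
    return false;
}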
//合并$_POST 和 $_GET
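// Merge the request superglobals into one array for validation. array_merge()
// has always existed, so the original `function_exists(array_merge)` probe —
// an undefined bare constant, which is a fatal Error on PHP 8 — and its
// fallback over the long-removed $HTTP_GET_VARS are dropped. Later keys win,
// so a $_POST field shadows a $_GET field of the same name, and numeric keys
// are renumbered. Only GET and POST are covered: cookies, headers and raw or
// JSON request bodies are not inspected by this file.
$ArrPostAndGet = array_merge($_GET, $_POST);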
//验证开始
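// Reject the request if any GET/POST value matches a filter pattern. The alert
// text is emitted unchanged and the response keeps the default status code as
// before; sending http_response_code(400) first would make rejections visible
// in access logs and monitoring.
foreach ($ArrPostAndGet as $value) {
    if (!FunStringExist($value, $ArrFiltrate)) {
        continue;
    }
    echo "<script language='javascript'>alert('Neeao提示,非法字符');</script>";
    if (empty($StrGoUrl)) {
        echo "<script language='javascript'>history.go(-1);</script>";
    } else {
        // The original wrote \' inside a double-quoted PHP string, where it is
        // not an escape: the browser received `window.location=\'...\';`, a
        // JavaScript syntax error, so the redirect never happened. Emit the URL
        // as a JSON string literal with HTML-special characters hex-escaped so
        // it cannot terminate the <script> element or the string.
        $jsUrl = json_encode(
            $StrGoUrl,
            JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_INVALID_UTF8_SUBSTITUTE
        );
        echo "<script language='javascript'>window.location=" . $jsUrl . ";</script>";
    }
    exit;
}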