[PHP] Preventing SQL injection
Author: Dezai.CN / Published 2011/6/11 / 571
```php
<?php
function anti_injection( $user, $pass )
{
    # We'll first get rid of any special characters using a simple regex statement.
    # After that, we'll get rid of any SQL command words using a string replacement.
    $banlist = array (
        "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
        "handler", "like", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc"
    );

    // ---------------------------------------------
    # eregi() was removed in PHP 7; preg_match() is the replacement. The pattern is anchored
    # (^...$) so the whole value must be alphanumeric, which is what the comments below describe;
    # an unanchored pattern would accept any input that merely contains one letter or digit.
    if ( preg_match ( '/^[a-zA-Z0-9]+$/', $user ) ) {
        $user = trim ( str_replace ( $banlist, '', strtolower ( $user ) ) );
    } else {
        $user = NULL;
    }

    // ---------------------------------------------
    # Now to make sure the given password is an alphanumerical string
    # devoid of any special characters. strtolower() is being used
    # because unfortunately, str_ireplace() only works with PHP5.
    # Note that lowercasing the password changes the value that reaches the query.
    if ( preg_match ( '/^[a-zA-Z0-9]+$/', $pass ) ) {
        $pass = trim ( str_replace ( $banlist, '', strtolower ( $pass ) ) );
    } else {
        $pass = NULL;
    }

    // ---------------------------------------------
    # Now to make an array so we can dump these variables into the SQL query.
    # If either user or pass is NULL (because of inclusion of illegal characters),
    # the whole script will stop dead in its tracks.
    $array = array ( 'user' => $user, 'pass' => $pass );

    // ---------------------------------------------
    # in_array() compares loosely, so a value that was stripped down to '' also counts as NULL here.
    if ( in_array ( NULL, $array ) ) {
        die ( 'Invalid use of login and/or password. Please use a normal method.' );
    } else {
        return $array;
    }
}
?>
```
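The function above is a keyword blocklist, and blocklists do not stop SQL injection: `str_replace()` makes a single pass per search term, so `str_replace($banlist, '', 'selselectect')` yields `select`, and operators such as `||` (an OR in MySQL's default mode) are not on the list at all. The control that actually works is to keep the query text fixed and pass user input as bound parameters. The following is an added example, not code from the original snippet or from Dezai.CN: a login lookup written with PDO prepared statements and `password_verify()`, next to the concatenated form it replaces. It assumes the `pdo_sqlite` extension is available and uses an in-memory SQLite database, so the table, the `admin` account and the attack string are all constructed inside the script.

```php
<?php
// Added example: the vulnerable concatenated lookup beside its parameterised replacement.
// Everything below (schema, the single account, the attack string) is a constructed fixture.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the database driver bind the values instead of PDO splicing them into the SQL text.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE NOT NULL, pass_hash TEXT NOT NULL)');

// Constructed account; the password is only ever stored as a salted hash.
$insert = $pdo->prepare('INSERT INTO users (user, pass_hash) VALUES (:user, :hash)');
$insert->execute([
    ':user' => 'admin',
    ':hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
]);

// Vulnerable form, kept only for contrast. Because the values are spliced into the query
// text, a quote plus a comment marker ends the WHERE clause after the username check and
// everything after it (including the password condition) is discarded by the parser.
function vulnerable_login(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE user = '$user' AND pass_hash = '$pass'";
    return $pdo->query($sql)->fetchColumn() !== false;
}

// Hardened form. The query text never changes; the username is sent as a bound value,
// so a quote or a comment marker inside it is just part of the string being compared.
// No keyword stripping and no lowercasing, so passwords may contain any character.
function safe_login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;   // no such account; the attack string matched nobody
    }
    // Constant-time comparison against the stored hash.
    return password_verify($pass, $hash);
}

// Constructed attack: closes the string literal and comments out the rest of the clause.
// Both SQLite and MySQL treat "--" (followed by whitespace in MySQL) as a line comment.
$attack = "admin' --";

var_dump(vulnerable_login($pdo, $attack, 'anything'));
var_dump(safe_login($pdo, $attack, 'anything'));
var_dump(safe_login($pdo, 'admin', 'correct horse battery staple'));
var_dump(safe_login($pdo, 'admin', 'wrong'));
```

Run it with `php` on the command line. The concatenated version accepts the attack string without a valid password, because the comment marker removes the `pass_hash` condition from the query; the prepared-statement version looks for an account literally named `admin' --`, finds none and fails, while the genuine credentials still succeed and a wrong password still fails. Input validation on the username (length, character set) remains good hygiene, but the bound parameter is the control that prevents injection.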
Copyright © 2004 - 2024 dezai.cn. All Rights Reserved
粤ICP备13059550号-3