search

Home >Backend Development >PHP Tutorial >A class to prevent SQL injection in PHP

A class to prevent SQL injection in PHP

WBOY
WBOYOriginal
2016-07-25 08:44:23962browse
  1. class sqlsafe {
  2. private $getfilter = "'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
  3. private $postfilter = "\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
  4. private $cookiefilter = "\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
  5. /**
  6. *Constructor
  7. */
  8. public function __construct() {
  9. foreach($_GET as $key=>$value){$this->stopattack($key,$value,$this->getfilter);}
  10. foreach($_POST as $key=>$value){$this->stopattack($key,$value,$this->postfilter);}
  11. foreach($_COOKIE as $key=>$value){$this->stopattack($key,$value,$this->cookiefilter);}
  12. }
  13. /**
  14. * Parameter checking and writing logs
  15. */
  16. public function stopattack($StrFiltKey, $StrFiltValue, $ArrFiltReq){
  17. if(is_array($StrFiltValue))$StrFiltValue = implode($StrFiltValue);
  18. if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue) == 1){
  19. $this->writeslog($_SERVER["REMOTE_ADDR"]." ".strftime("%Y-%m-%d %H:%M:%S")." ".$_SERVER["PHP_SELF"]." ".$_SERVER["REQUEST_METHOD"]." ".$StrFiltKey." ".$StrFiltValue);
  20. showmsg('您提交的参数非法,系统已记录您的本次操作!','',0,1);
  21. }
  22. }
  23. /**
  24. *SQL injection log
  25. */
  26. public function writeslog($log){
  27. $log_path = CACHE_PATH.'logs'.DIRECTORY_SEPARATOR.'sql_log.txt';
  28. $ts = fopen($log_path,"a+");
  29. fputs($ts,$log."rn");
  30. fclose($ts);
  31. }
  32. }
  33. ?>
复制代码

PHP, SQL


Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:php intercept function containing mixed string lengthsNext article:php intercept function containing mixed string lengths

Related articles

See more