-
-
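// Legacy request-to-variable shim (register_globals emulation).
//
// SECURITY NOTE: extract()ing $_COOKIE / $_POST / $_GET into the current scope
// lets any request parameter create or clobber a PHP variable. In the original
// form (default EXTR_OVERWRITE, one extract() per source, one daddslashes()
// call each) a cookie or parameter literally named "magic_quotes_gpc" overwrote
// the $magic_quotes_gpc flag that daddslashes() consults before the *next*
// source was escaped, disabling escaping for it. New code should read
// $_GET['x'] / $_POST['x'] directly rather than rely on this shim.
//
// get_magic_quotes_gpc() is deprecated in PHP 7.4 and removed in 8.0; treat
// "function not available" as "magic quotes off".
$magic_quotes_gpc = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;

// Escape all three sources in one call (one flag read, before anything is
// imported), then import with EXTR_SKIP so request data can never overwrite a
// variable that already exists -- including $magic_quotes_gpc itself.
// Precedence is unchanged from the original: array_merge() lets $_GET win over
// $_POST, which wins over $_COOKIE.
extract(daddslashes(array_merge($_COOKIE, $_POST, $_GET)), EXTR_SKIP);

if (!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}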
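/**
 * Recursively apply addslashes() to a value unless magic_quotes_gpc already did.
 *
 * @param string|array $string Value, or nested array of values, to escape.
 * @param int          $force  Non-zero: escape even when magic quotes are on.
 * @return string|array The escaped value, same shape as the input.
 *
 * SECURITY NOTE: addslashes() is not a SQL-injection defence. It is not
 * charset-aware (multi-byte encodings such as GBK can smuggle a quote past it)
 * and it escapes the same way regardless of where the value is used. Use
 * prepared statements (PDO / mysqli) for SQL; this helper only gives legacy
 * code consistent input whether or not magic quotes are enabled.
 *
 * The original consulted $GLOBALS[' magic_quotes_gpc'] (as rendered, with a
 * leading space in the key), which is never set, so it always escaped; it also
 * meant a request parameter named "magic_quotes_gpc" imported by the extract()
 * shim could have flipped the flag. The flag is now taken from
 * get_magic_quotes_gpc() itself (absent in PHP >= 8.0, hence "off") and cached,
 * so it cannot be influenced by request data.
 */
function daddslashes($string, $force = 0) {
    static $magic_quotes_on = null;
    if ($magic_quotes_on === null) {
        $magic_quotes_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    if ($magic_quotes_on && !$force) {
        return $string; // already escaped by the engine
    }
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = daddslashes($val, $force);
        }
        return $string;
    }
    return addslashes($string);
}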
-
The code below can be extended for server hardening. Preventing SQL injection is critical for PHP applications, but note that the keyword-filtering functions shown here are a legacy blacklist approach: they can be bypassed and they reject legitimate input. Parameterised queries (PDO or mysqli prepared statements) are the reliable defence and should be used in addition to, not instead of, any input filtering.
-
-
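/*
 * inject_check()
 *
 * Keyword blacklist: does the submitted value contain a token associated
 * with SQL or path injection?
 *
 * @param string $sql_str Submitted value.
 * @return bool true if a blacklisted token is present, false otherwise.
 *
 * SECURITY NOTE: this is a blacklist, and blacklists are both bypassable and
 * prone to false positives. "and", "or" and "into" match inside ordinary words
 * ("android", "order", "tomato"), so legitimate input is rejected, while a
 * query built by string concatenation is still exposed to any payload the list
 * does not anticipate. Use prepared statements for SQL and treat this function
 * as defence-in-depth at most.
 *
 * The original used eregi() (removed in PHP 7) with an unescaped pattern in
 * which the quote, "/ *" and "*" were syntax errors as rendered; this is the
 * same token list expressed as a PCRE, case-insensitive like eregi().
 */
function inject_check($sql_str) {
    $pattern = '~select|insert|and|or|update|delete|\'|/\*|\*|\.\./|\./|union|into|load_file|outfile~i';
    $matched = preg_match($pattern, (string) $sql_str);
    // Fail closed: a PCRE error (false) counts as a hit rather than as
    // "clean", so a malformed input cannot slip through the check.
    return $matched !== 0;
}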
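/*
 * verify_id()
 *
 * Validate a submitted ID and return it as an integer.
 *
 * @param mixed $id Submitted ID value (normally a string from the request).
 * @return int The ID as an integer.
 *
 * Terminates the script with exit() instead of returning when the value is
 * missing, matches the inject_check() blacklist, or is not a plain integer.
 *
 * NOTE: "0" and "" both fail the emptiness test, so 0 is not a usable ID here
 * (unchanged from the original).
 *
 * The original accepted anything is_numeric() accepts and then intval()'d it,
 * so "1.9" became 1, " 7" became 7 and "1e2" became 100 or 1 depending on the
 * PHP version. Requiring a canonical decimal integer makes the returned id
 * equal the submitted one; every value that was already a plain integer is
 * still accepted. Because the result is an int it is safe to interpolate into
 * SQL, though a prepared statement remains the right tool.
 */
function verify_id($id = null) {
    if (!$id) {
        exit('No parameters submitted!'); // missing or empty
    }
    if (inject_check($id)) {
        exit('The parameters submitted are illegal!'); // blacklist hit
    }
    // Optional sign then digits only -- no whitespace, decimals or exponents.
    // \z (not $) so a trailing newline is rejected too.
    if (!preg_match('/^-?\d+\z/', (string) $id)) {
        exit('The submitted parameter is illegal!'); // not an integer
    }
    return intval($id);
}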
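/*
 * str_check()
 *
 * Escape a submitted string for use inside a quoted SQL literal.
 *
 * @param string $str The submitted string.
 * @return string The string with addslashes() applied, unless magic quotes
 *                already did so.
 *
 * NOTE: the original also ran str_replace("_", "_", ...) and
 * str_replace("%", "%", ...), which replace a character with itself and are
 * no-ops as rendered (the comments say "filter out", so presumably the intent
 * was to escape the LIKE wildcards as "\_" and "\%" and the backslash was lost
 * in transcription). That escaping is only correct inside a LIKE pattern and
 * would corrupt values compared with "=", so it is deliberately not
 * reintroduced; escape wildcards at the query site when building LIKE patterns.
 *
 * SECURITY NOTE: addslashes() is not charset-aware and is not a substitute for
 * prepared statements; prefer PDO / mysqli parameters.
 *
 * get_magic_quotes_gpc() was removed in PHP 8.0 (calling it was a fatal error
 * here); its absence means "off".
 */
function str_check($str) {
    $magic_quotes_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic_quotes_on) {
        $str = addslashes($str);
    }
    return $str;
}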
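/*
 * post_check()
 *
 * Escape submitted editor content for storage and HTML display.
 *
 * @param string $post The submitted content.
 * @return string addslashes()'d (unless magic quotes did it), HTML-escaped,
 *                with newlines turned into <br /> tags.
 *
 * ORDER FIX: the original ran nl2br() before htmlspecialchars(), so the
 * "<br />" tags nl2br() inserted were themselves encoded to "&lt;br /&gt;" and
 * never rendered as line breaks. Escaping first, then inserting the tags, is
 * the correct order. The original was also truncated without a return
 * statement; the documented contract (return the filtered content) is honoured.
 *
 * The original's str_replace("_", "_", ...) / str_replace("%", "%", ...) calls
 * are no-ops as rendered (see str_check) and are dropped.
 *
 * This function mixes SQL escaping with HTML escaping, so what gets stored is
 * already HTML-encoded. That is kept for compatibility, but new code should
 * store raw text via prepared statements and escape at output time, in the
 * context of the output (HTML, attribute, JS, URL).
 *
 * get_magic_quotes_gpc() was removed in PHP 8.0; its absence means "off".
 */
function post_check($post) {
    $magic_quotes_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic_quotes_on) {
        $post = addslashes($post);
    }
    $post = htmlspecialchars($post); // encode HTML metacharacters first...
    $post = nl2br($post);            // ...then insert <br /> for newlines
    return $post;
}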
-
Placed in a common include (such as the database connection file), this filters GET and POST data for suspicious strings. Be aware of its limits: it is a blacklist, so it can be bypassed (for example, `$_SERVER['QUERY_STRING']` is the raw, URL-encoded query string, so an encoded quote is not seen unless the value is decoded first), and it rejects legitimate input containing words such as `or`, `and` or `into`. Treat it as defence in depth, not as a replacement for parameterised queries.
Code:
-
-
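/*
 * Request-wide blacklist gate. Drop into a common include (e.g. the DB
 * connection file) to redirect requests whose query string or raw body
 * contains a blacklisted token.
 *
 * SECURITY NOTES (limits of this approach):
 *  - $_SERVER['QUERY_STRING'] is the raw, un-decoded query string, so
 *    URL-encoded payloads (%27 for the quote, %73elect, ...) do not contain
 *    the literal tokens. One layer of URL decoding is applied before checking;
 *    double-encoded input is still not seen.
 *  - php://input is empty for multipart/form-data requests (file uploads), so
 *    such bodies are not inspected at all.
 *  - Blacklists produce false positives ("order", "android", "into") and are
 *    not a substitute for prepared statements.
 *
 * BUG FIX: the original sent the Location header but did not stop the script,
 * so the protected page still executed and its full output went to any client
 * that ignores the redirect. exit() after header() is mandatory.
 */
function inject_check($sql_str) {
    $pattern = '~select|insert|and|or|update|delete|\'|/\*|\*|\.\./|\./|union|into|load_file|outfile~i';
    $matched = preg_match($pattern, (string) $sql_str);
    return $matched !== 0; // fail closed on a PCRE error
}

$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
$raw_body = file_get_contents('php://input');
if ($raw_body === false) {
    $raw_body = '';
}

// Decoding only rewrites %XX sequences, so any token present in the raw text
// is still present after decoding; checking the decoded form covers both.
if (inject_check(urldecode($query_string)) || inject_check(urldecode($raw_body))) {
    // echo "Warning illegal access!";
    header('Location: Error.php');
    exit; // without this the rest of the page still runs
}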
-
-
-
-
-
-
-