search

Home >Backend Development >PHP Tutorial >Several ways to prevent SQL injection in PHP

Several ways to prevent SQL injection in PHP

WBOY
WBOYOriginal
2016-07-25 09:03:421002browse
  2. /**
  3. * Prevent sql injection
  4. * @author: test@jbxue.com
  5. **/
  6. /**
  7. * reject sql inject
  8. */
  9. if (!function_exists (quote))
  10. {
  11. function quote($var)
  12. {
  13. if (strlen($var))
  14. {
  15. $var=!get_magic_quotes_gpc() ? $var : stripslashes($var);
  16. $var = str_replace("'","'",$var);
  17. }
  18. return "'$var'";
  19. }
  20. }
  21. if (!function_exists (hash_num)){
  22. function hash_num($input)
  23. {
  24. $hash = 5381;
  25. for ($i = 0; $i < strlen($str); $i++)
  26. {
  27. $c = ord($str{$i});
  28. $hash = (($hash << 5) + $hash) + $c;
  29. }
  30. return $hash;
  31. }
  32. }
  33. ?>
复制代码

测试:

  2. /**
  3. * 防sql测试代码
  4. CREATE TABLE IF NOT EXISTS `tb` (
  5. `id` int(10) unsigned NOT NULL auto_increment,
  6. `age` tinyint(3) unsigned NOT NULL,
  7. `name` char(100) NOT NULL,
  8. `note` text NOT NULL,
  9. PRIMARY KEY (`id`)
  10. ) ENGINE=MyISAM DEFAULT CHARSET=utf8 ;
  11. **/
  12. include_once('common.php');
  13. var_dump(hash_num('dddd'));
  14. if(empty($_GET))
  15. {
  16. $_GET = array('age'=>'99','name'=>'a'b\'c";','note'=>"a'b'nC#");
  17. }
  18. $age = (int)$_GET['age'];
  19. $name = quote($_GET['name']);
  20. $note = quote($_GET['note']);
  21. $sql = "INSERT INTO `tb` ( `age`, `name`, `note`) VALUES
  22. ( $age, $name, $note)";
  23. var_dump($sql);
  24. ?>
复制代码

#-------------------- 方法二:

  3. $magic_quotes_gpc = get_magic_quotes_gpc();

  4. @extract(daddslashes($_COOKIE));
  5. @extract(daddslashes($_POST));
  6. @extract(daddslashes($_GET));
  7. if(!$magic_quotes_gpc) {
  8. $_FILES = daddslashes($_FILES);
  9. }

  10. function daddslashes($string, $force = 0) {

  11. if(!$GLOBALS['magic_quotes_gpc'] || $force) {
  12. if(is_array($string)) {
  13. foreach($string as $key => $val) {
  14. $string[$key] = daddslashes($val, $force);
  15. }
  16. } else {
  17. $string = addslashes($string);
  18. }
  19. }
  20. return $string;
  21. }
  22. ?>

复制代码

方法三:

  3. function inject_check($sql_str) { //防止注入
  4. $check = eregi('select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str);
  5. if ($check) {
  6. echo "输入非法注入内容!";
  7. exit ();
  8. } else {
  9. return $sql_str;
  10. }
  11. }
  12. function checkurl() { //检查来路
  13. if (preg_replace("/https教程?://([^:/]+).*/i", "1", $_server['http_referer']) !== preg_replace("/([^:]+).*/", "1", $_server['http_host'])) {
  14. header("location: http://s.jbxue.com");
  15. exit();
  16. }
  17. }
  18. //调用
  19. checkurl();
  20. $str = $_get['url'];
  21. inject_check($sql_str);//这条可以在获取参数时执行操作
复制代码


Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:Blank page problem occurs when fastcgi_param runs php under nginxNext article:Blank page problem occurs when fastcgi_param runs php under nginx

Related articles

See more