Recently I was working on a topic voting website, and the client knew a bit of programming. He had a specific requirement to filter certain characters to prevent SQL injection. I had never really looked into this area before, so, haha, once again I took the pragmatic route and reused what already exists: the SQL anti-injection functions from the Discuz forum software.
The code is as follows:

$magic_quotes_gpc = get_magic_quotes_gpc(); // always false since PHP 5.4; the function itself was removed in PHP 8.0
@extract(daddslashes($_POST)); // note: extract() turns every request key into a global variable
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}

// Recursively apply addslashes() to a string or to every element of an array,
// unless magic_quotes_gpc has already done so; $force = 1 escapes regardless.
function daddslashes($string, $force = 0) {
    if(!$GLOBALS['magic_quotes_gpc'] || $force) {
        if(is_array($string)) {
            foreach($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}
The code is as follows:

/*
Function name: inject_check()
Purpose: Check whether a submitted value contains SQL injection characters or keywords, to protect the server
Parameter: $sql_str: the submitted variable
Return value: the detection result, true or false
*/
function inject_check($sql_str) {
    // The original used eregi(), which was removed in PHP 7.0; preg_match() with the /i flag
    // is the equivalent case-insensitive match. This is a substring blacklist, so it also
    // rejects ordinary words that happen to contain "and" or "or".
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str) === 1; // Filter
}
/*
Function name: verify_id()
Purpose: Verify that a submitted ID-type value is legal
Parameter: $id: the submitted ID value
Return value: the processed ID
*/
function verify_id($id=null) {
    if (!$id) { exit('No parameters submitted!'); } // Empty check
    elseif (inject_check($id)) { exit('The submitted parameters are illegal!'); } // Injection check
    elseif (!is_numeric($id)) { exit('The submitted parameters are illegal!'); } // Numeric check
    $id = intval($id); // Convert to integer
    return $id;
}
/*
Function name: str_check()
Purpose: Filter a submitted string
Parameter: $str: the string to be processed
Return value: the filtered string
*/
function str_check( $str ) {
    if (!get_magic_quotes_gpc()) { // Check whether magic_quotes_gpc is turned on
        $str = addslashes($str); // Filter
    }
    $str = str_replace("_", "\_", $str); // Escape '_' so it is not treated as a LIKE wildcard
    $str = str_replace("%", "\%", $str); // Escape '%' so it is not treated as a LIKE wildcard
    return $str;
}
/*
Function name: post_check()
Purpose: Process submitted editor content
Parameter: $post: the content to be submitted
Return value: $post: the filtered content
*/
function post_check($post) {
    if (!get_magic_quotes_gpc()) { // Check whether magic_quotes_gpc is turned on
        $post = addslashes($post); // Escape the submitted data when magic_quotes_gpc is not turned on
    }
    $post = str_replace("_", "\_", $post); // Escape '_' so it is not treated as a LIKE wildcard
    $post = str_replace("%", "\%", $post); // Escape '%' so it is not treated as a LIKE wildcard
    $post = nl2br($post); // Convert line breaks to <br>
    $post = htmlspecialchars($post); // Encode HTML special characters
    return $post;
}
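To see how the blacklist in inject_check() behaves on real input, and what the escaping above is ultimately standing in for, here is an added example (not part of the Discuz code) that runs the same pattern over a few constructed inputs and then performs the lookups from verify_id() with PDO prepared statements against an in-memory SQLite table. It assumes PHP 7+ with the PDO SQLite driver; the table, rows and inputs are constructed for the demo.

```php
<?php
// Added example, not part of the original Discuz code. Assumes PHP 7+ with the
// PDO SQLite driver; the table, rows and inputs below are constructed for the demo.

// The page's inject_check(), rewritten with preg_match() (eregi() is gone since PHP 7).
function inject_check_preg($sql_str) {
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str) === 1;
}

// Substring matching means ordinary words trip the blacklist alongside real attack strings.
foreach (['Sandra', 'Oregon', '42', "1' OR '1'='1"] as $input) {
    printf("%-14s %s\n", $input, inject_check_preg($input) ? 'rejected' : 'accepted');
}

// With a prepared statement the value never becomes part of the SQL text, so there is
// no character to blacklist or escape; quotes and keywords in the data are just data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO topics (title) VALUES ('Sandra''s pick'), ('Oregon trip')");

// Constructed input containing both a quote and a blacklisted keyword.
$title = "Sandra's pick";
$stmt = $pdo->prepare('SELECT id, title FROM topics WHERE title = :title');
$stmt->execute([':title' => $title]);
print_r($stmt->fetch(PDO::FETCH_ASSOC));

// For numeric IDs, intval() as in verify_id() plus an integer-typed bound parameter.
$id = intval("1 OR 1=1"); // intval() keeps only the leading digits
$stmt = $pdo->prepare('SELECT title FROM topics WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
echo $stmt->fetchColumn(), "\n";
```

The first loop shows that names such as Sandra and Oregon are rejected for containing "and" and "or", which is why keyword blacklists tend to be a usability problem rather than a reliable control; parameter binding sidesteps the question entirely.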
The above introduces Discuz's PHP functions for preventing SQL injection, together with the related code. I hope it will be helpful to friends who are interested in PHP tutorials.