
PHP: filtering special characters and SQL anti-injection code

WBOY (original)
2016-05-25 16:40:41

<?php
// Method one: escape ' " \ and NUL in a raw input string $str before it is
// placed in SQL text (addslashes() only escapes; it removes nothing)
$str = addslashes($str);

// Method two: remove all HTML tags
$str = strip_tags($str);

// Method three: filter input that could carry executable content
function php_sava($str)
{
    $farr = array(
        "/\s+/",                                                                        // runs of whitespace
        "/<(\/?)(script|i?frame|style|html|body|title|link|meta|\?|\%)([^>]*?)>/isU",  // risky tags
        "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU",                                        // on*= event handlers
    );
    $tarr = array(
        " ",
        "<\\1\\2\\3>",   // to strip the unsafe tags outright, leave this entry empty
        "\\1\\2",        // drop the "onxxx=" part, keep the rest of the tag
    );
    $str = preg_replace($farr, $tarr, $str);
    return $str;
}
 
// PHP SQL anti-injection code

class sqlin
{
    // dowith_sql($value): delete blacklisted SQL keywords and characters from one value
    function dowith_sql($str)
    {
        $str = str_replace("and", "", $str);
        $str = str_replace("execute", "", $str);
        $str = str_replace("update", "", $str);
        $str = str_replace("count", "", $str);
        $str = str_replace("chr", "", $str);
        $str = str_replace("mid", "", $str);
        $str = str_replace("master", "", $str);
        $str = str_replace("truncate", "", $str);
        $str = str_replace("char", "", $str);
        $str = str_replace("declare", "", $str);
        $str = str_replace("select", "", $str);
        $str = str_replace("create", "", $str);
        $str = str_replace("delete", "", $str);
        $str = str_replace("insert", "", $str);
        $str = str_replace("'", "", $str);
        $str = str_replace("\"", "", $str);
        $str = str_replace(" ", "", $str);
        $str = str_replace("or", "", $str);
        $str = str_replace("=", "", $str);
        $str = str_replace("%20", "", $str);
        //echo $str;
        return $str;
    }

    // Anti-SQL-injection constructor: run dowith_sql() over every GET and POST value.
    // (The original declared this as a PHP 4 style constructor named sqlin(); PHP 7
    // deprecates that form and PHP 8 removes it, so __construct() is used here.)
    function __construct()
    {
        foreach ($_GET as $key => $value) {
            $_GET[$key] = $this->dowith_sql($value);
        }
        foreach ($_POST as $key => $value) {
            $_POST[$key] = $this->dowith_sql($value);
        }
    }
}

$dbsql = new sqlin();


Usage: copy the code above into a new file named sqlin.php, then include it in every page that receives GET or POST data.

Principle: every SQL keyword is replaced with an empty string. Be aware of what this blacklist does and does not do: str_replace() is case-sensitive and makes a single pass per keyword, so SELECT (upper case) passes through untouched and selselectect comes out as select, while the same rules delete "and" and "or" from ordinary words such as "brand". A keyword blacklist is therefore not a substitute for escaping or parameterised queries.

Because it deletes those words, this code cannot be used as-is in a guestbook. To use it there, replace the lines from

$str = str_replace("and","",$str);

through

$str = str_replace("%20","",$str);

with the following, which rewrites the first character of each keyword as an HTML entity (and the quote characters as entities) instead of deleting them, so the text still reads correctly after output:

$str = str_replace("and","&#97;nd",$str); 
$str = str_replace("execute","&#101;xecute",$str); 
$str = str_replace("update","&#117;pdate",$str); 
$str = str_replace("count","&#99;ount",$str); 
$str = str_replace("chr","&#99;hr",$str); 
$str = str_replace("mid","&#109;id",$str); 
$str = str_replace("master","&#109;aster",$str); 
$str = str_replace("truncate","&#116;runcate",$str); 
$str = str_replace("char","&#99;har",$str); 
$str = str_replace("declare","&#100;eclare",$str); 
$str = str_replace("select","&#115;elect",$str); 
$str = str_replace("create","&#99;reate",$str); 
$str = str_replace("delete","&#100;elete",$str); 
$str = str_replace("insert","&#105;nsert",$str); 
$str = str_replace("'","&#39;",$str); 
$str = str_replace("\"","&quot;",$str);
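The following is an added example, not code from the original tutorial. It runs a keyword blacklist in the style of dowith_sql() over three constructed inputs to show what such a filter keeps, damages and lets through, and then does the same lookup with a PDO prepared statement, where the user value is bound as a parameter and never becomes part of the SQL text. The function names blacklist_filter() and find_user(), the in-memory SQLite table and the sample strings are all assumptions made for this example.

```php
<?php
// Added example (not from the original tutorial). Function names, the
// in-memory SQLite table and the sample inputs are assumptions.

// Same idea as the tutorial's dowith_sql(): delete blacklisted tokens.
function blacklist_filter(string $str): string
{
    foreach (["and", "select", "or", "=", "'", " "] as $bad) {
        $str = str_replace($bad, "", $str);
    }
    return $str;
}

// Constructed inputs: a harmless word, an upper-case keyword, a nested keyword.
$samples = [
    "brand",          // legitimate word that happens to contain "and"
    "SELECT 1",       // str_replace() is case-sensitive, so this is not matched
    "selselectect",   // one pass removes the inner "select" and leaves "select"
];
foreach ($samples as $s) {
    printf("%-14s -> %s\n", $s, blacklist_filter($s));
}

// Hardened form: bind the value instead of filtering it.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

function find_user(PDO $pdo, string $name): array
{
    // :name is a bound parameter; the driver never splices $name into the SQL
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A tautology payload is just a string value here and matches no row.
printf("alice rows: %d\n", count(find_user($pdo, "alice")));
printf("payload rows: %d\n", count(find_user($pdo, "' OR '1'='1")));
```

Run with the php CLI (pdo_sqlite is bundled with PHP). The first loop shows "brand" reduced to "br", "SELECT 1" surviving as "SELECT1", and "selselectect" reassembling into "select"; the prepared statement returns one row for alice and zero rows for the quoted payload, without any keyword list at all.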


Permanent address:

Feel free to repost; please include the tutorial address ^^
