防止sql注入的函数,过滤掉那些非法的字符,提高sql安全性,同时也可以过滤XSS的攻击。
function filter($str)
{
if (empty($str)) return false;
$str = htmlspecialchars($str);
$str = str_replace( '/', "", $str);
$str = str_replace( '"', "", $str);
$str = str_replace( '(', "", $str);
$str = str_replace( ')', "", $str);
$str = str_replace( 'CR', "", $str);
$str = str_replace( 'ASCII', "", $str);
$str = str_replace( 'ASCII 0x0d', "", $str);
$str = str_replace( 'LF', "", $str);
$str = str_replace( 'ASCII 0x0a', "", $str);
$str = str_replace( ',', "", $str);
$str = str_replace( '%', "", $str);
$str = str_replace( ';', "", $str);
$str = str_replace( 'eval', "", $str);
$str = str_replace( 'open', "", $str);
$str = str_replace( 'sysopen', "", $str);
$str = str_replace( 'system', "", $str);
$str = str_replace( '$', "", $str);
$str = str_replace( "'", "", $str);
$str = str_replace( "'", "", $str);
$str = str_replace( 'ASCII 0x08', "", $str);
$str = str_replace( '"', "", $str);
$str = str_replace( '"', "", $str);
$str = str_replace("", "", $str);
$str = str_replace(">", "", $str);
$str = str_replace("<", "", $str);
$str = str_replace("<SCRIPT>", "", $str);
$str = str_replace("</SCRIPT>", "", $str);
$str = str_replace("<script>", "", $str);
$str = str_replace("</script>", "", $str);
$str = str_replace("select","",$str);
$str = str_replace("join","",$str);
$str = str_replace("union","",$str);
$str = str_replace("where","",$str);
$str = str_replace("insert","",$str);
$str = str_replace("delete","",$str);
$str = str_replace("update","",$str);
$str = str_replace("like","",$str);
$str = str_replace("drop","",$str);
$str = str_replace("DROP","",$str);
$str = str_replace("create","",$str);
$str = str_replace("modify","",$str);
$str = str_replace("rename","",$str);
$str = str_replace("alter","",$str);
$str = str_replace("cas","",$str);
$str = str_replace("&","",$str);
$str = str_replace(">","",$str);
$str = str_replace("<","",$str);
$str = str_replace(" ",chr(32),$str);
$str = str_replace(" ",chr(9),$str);
$str = str_replace(" ",chr(9),$str);
$str = str_replace("&",chr(34),$str);
$str = str_replace("'",chr(39),$str);
$str = str_replace("<br />",chr(13),$str);
$str = str_replace("''","'",$str);
$str = str_replace("css","'",$str);
$str = str_replace("CSS","'",$str);
$str = str_replace("<!--","",$str);
$str = str_replace("convert","",$str);
$str = str_replace("md5","",$str);
$str = str_replace("passwd","",$str);
$str = str_replace("password","",$str);
$str = str_replace("../","",$str);
$str = str_replace("./","",$str);
$str = str_replace("Array","",$str);
$str = str_replace("or 1='1'","",$str);
$str = str_replace(";set|set&set;","",$str);
$str = str_replace("`set|set&set`","",$str);
$str = str_replace("--","",$str);
$str = str_replace("OR","",$str);
$str = str_replace('"',"",$str);
$str = str_replace("*","",$str);
$str = str_replace("-","",$str);
$str = str_replace("+","",$str);
$str = str_replace("/","",$str);
$str = str_replace("=","",$str);
$str = str_replace("'/","",$str);
$str = str_replace("-- ","",$str);
$str = str_replace(" -- ","",$str);
$str = str_replace(" --","",$str);
$str = str_replace("(","",$str);
$str = str_replace(")","",$str);
$str = str_replace("{","",$str);
$str = str_replace("}","",$str);
$str = str_replace("-1","",$str);
$str = str_replace("1","",$str);
$str = str_replace(".","",$str);
$str = str_replace("response","",$str);
$str = str_replace("write","",$str);
$str = str_replace("|","",$str);
$str = str_replace("`","",$str);
$str = str_replace(";","",$str);
$str = str_replace("etc","",$str);
$str = str_replace("root","",$str);
$str = str_replace("//","",$str);
$str = str_replace("!=","",$str);
$str = str_replace("$","",$str);
$str = str_replace("&","",$str);
$str = str_replace("&&","",$str);
$str = str_replace("==","",$str);
$str = str_replace("#","",$str);
$str = str_replace("@","",$str);
$str = str_replace("mailto:","",$str);
$str = str_replace("CHAR","",$str);
$str = str_replace("char","",$str);
return $str;
}
更加简便的防止sql注入的方法(推荐使用这个):
if (!get_magic_quotes_gpc()) // 判断magic_quotes_gpc是否为打开
{
$post = addslashes($name); // magic_quotes_gpc没有打开的时候把数据过滤
}
$name = str_replace("_", "\_", $name); // 把 '_'过滤掉
$name = str_replace("%", "\%", $name); // 把' % '过滤掉
$name = nl2br($name); // 回车转换
$name= htmlspecialchars($name); // html标记转换
return $name;
温馨提示:
1.本站大部分内容均收集于网络!若内容若侵犯到您的权益,请发送邮件至:duhaomu@163.com,我们将第一时间处理!
2.资源所需价格并非资源售卖价格,是收集、整理、编辑详情以及本站运营的适当补贴,并且本站不提供任何免费技术支持。
3.所有资源仅限于参考和学习,版权归原作者所有,更多请阅读网站声明。
1.本站大部分内容均收集于网络!若内容若侵犯到您的权益,请发送邮件至:duhaomu@163.com,我们将第一时间处理!
2.资源所需价格并非资源售卖价格,是收集、整理、编辑详情以及本站运营的适当补贴,并且本站不提供任何免费技术支持。
3.所有资源仅限于参考和学习,版权归原作者所有,更多请阅读网站声明。
