Home > Database > Mysql Tutorial > sql防注入详细说明与代码

sql防注入详细说明与代码

WBOY
Release: 2016-06-07 17:47:58
Original
1248 people have browsed it

最近在做一个主题投票,客户懂一些程序方面的东西。有特别要求需要过滤一些字符防止sql注入

$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_));
@extract(daddslashes($_post));
@extract(daddslashes($_get));
if(!$magic_quotes_gpc) {
$_files = daddslashes($_files);
}
 
 
function daddslashes($string, $force = 0) {
if(!$globals['magic_quotes_gpc'] || $force) {
if(is_array($string)) {
foreach($string as $key => $val) {
$string[$key] = daddslashes($val, $force);
}
} else {
$string = addslashes($string);
}
}
return $string;
}

下面是一款 sql防注入函数

dim sql_injdata
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
sql_inj = split(sql_injdata,"|")
if request.querystring"" then
for each sql_get in request.querystring
for sql_data=0 to ubound(sql_inj)
if instr(request.querystring(sql_get),sql_inj(sql_data))>0 then
response.write ""
response.end
end if
next
next
end if
if request.form"" then
for each sql_post in request.form
for sql_data=0 to ubound(sql_inj)
if instr(request.form(sql_post),sql_inj(sql_data))>0 then
response.write ""
response.end
end if
next
next
end if
%>

在时就进行函数调用


防注入就是过滤特殊字符和sql命令哦如下

防跨站的代码我就不提供了.

sub f_sql()
dim q_post,q_get,q_in,q_inf,i
'q_in = "'|and|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare"   '定义不能通过的字符,
q_in = "'|exec|insert|select|delete|update|*|chr|truncate|declare|'"

q_inf = split(q_in , "|")

 

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template