Input value/form submission parameter filtering method to effectively prevent SQL injection

Input value/form submission parameter filtering method to effectively prevent SQL injection_PHP tutorial

WBOY

Release： 2016-07-13 17:18:31

Original

954 people have browsed it

Input value/form submission parameter filtering to prevent SQL injection or illegal attacks:

Copy code The code is as follows:

 
/ **
* Keywords for filtering sql and php file operations 
* @param string $string 
* @return string 
* @author zyb  
*/ 
private function filter_keyword( $string ) { 
$keyword = 'select|insert|update|delete|'|/*|*|../|./|union|into |load_file|outfile'; 
$arr = explode( '|', $keyword ); 
$result = str_ireplace( $arr, '', $string ); 
return $result; 
 } 

/**
* Check whether the entered number is legal, return the corresponding id if it is legal, otherwise return false 
* @param integer $id 
* @return mixed 
* @author zyb  
*/ 
protected function check_id( $id ) { 
$result = false; 
if ( $id !== '' && !is_null( $id ) ) { 
$var = $this->filter_keyword( $id ); // Keywords for filtering sql and php file operations 
if ( $var !== '' && !is_null( $ var ) && is_numeric( $var ) ) { 
$result = intval( $var ); 
} 
} 
return $result; 
} 

/** 
* Check whether the entered characters are legal, return the corresponding id if legal, otherwise return false 
* @param string $string 
* @return mixed 
* @author zyb  
*/ 
protected function check_str( $string ) { 
$result = false; 
$var = $this->filter_keyword( $string ); // Filter sql and php file operations Keywords
if ( !empty( $var ) ) { 
if ( !get_magic_quotes_gpc() ) { // Determine whether magic_quotes_gpc is turned on 
$var = addslashes( $string ); // Perform magic_quotes_gpc not Filtering of submitted data when open
} 
//$var = str_replace( "_", "_", $var ); // Filter out '_'
$var = str_replace( "%", "%", $var ); // Filter out '%'
$var = nl2br( $var ); // Enter conversion
$var = htmlspecialchars( $var ); / /html tag conversion 
$result = $var; 
} 
return $result; 
} 