Recently I was working on a topic voting website, and the client knew some programming stuff. There are special requirements to filter some characters to prevent SQL injection. Originally there was no special research in this area. Haha, once again carrying forward the use-ism. Get the sql anti-injection function from the discuz forum!
Copy code The code is as follows:
$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_COOKIE) );
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
$_FILES = daddslashes($_FILES);
}
function daddslashes($string, $force = 0) {
if(!$GLOBALS['magic_quotes_gpc'] || $force) {
if(is_array ($string)) {
foreach($string as $key => $val) {
$string[$key] = daddslashes($val, $force);
}
} else {
$string = addslashes($string);
}
}
return $string;
}
You can enhance the following code to protect it For server security, it is very important for PHP to prevent SQL injection security functions!
Copy code The code is as follows:
/*
Function name: inject_check()
Function function: detection Does the submitted value contain SQL injection characters to prevent injection and protect server security?
Parameters: $sql_str: submitted variable
Return value: return detection result, true or false
*/
function inject_check($sql_str) {
return eregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str ); // Filter
}
/*
Function name: verify_id()
Function function: Verify whether the submitted ID class value is legal
Parameter: $id: Submitted ID value
Return value: Return processed ID
*/
function verify_id($id=null) {
if (!$id) { exit('No parameters submitted!' ); } // Whether it is empty judgment
elseif (inject_check($id)) { exit('The submitted parameter is illegal!'); } // Injection judgment
elseif (!is_numeric($id)) { exit('The submitted parameter is illegal!'); } // Numeric judgment
$id = intval($id); // Integerization
return $id;
}
/*
Function name: str_check()
Function: filter the submitted string
Parameters: $var: the string to be processed
Return value: return the filtered string String
*/
function str_check( $str ) {
if (!get_magic_quotes_gpc()) { // Determine whether magic_quotes_gpc is turned on
$str = addslashes($str); // Filter
}
$str = str_replace("_", "_", $str); // Filter out '_'
$str = str_replace("%", "%", $str ); // Filter out '%'
return $str;
}
/*
Function name: post_check()
Function function: for submission Edit content for processing
Parameters: $post: Content to be submitted
Return value: $post: Return filtered content
*/
function post_check($post) {
if ( !get_magic_quotes_gpc()) { // Determine whether magic_quotes_gpc is open
$post = addslashes($post); // Filter the submitted data if magic_quotes_gpc is not open
}
$post = str_replace( "_", "_", $post); // Filter out '_'
$post = str_replace("%", "%", $post); // Filter out '%'
$post = nl2br($post); // Carriage return conversion
$post = htmlspecialchars($post); // HTML tag conversion
return $post;
}
http://www.bkjia.com/PHPjc/322808.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/322808.htmlTechArticleI am currently working on a topic voting website, and the customer knows some procedural things. There are special requirements to filter some characters to prevent SQL injection. Originally there was no special research in this area. Hehe...