php filter special characters sql anti-injection code

WBOY
Release: 2016-07-25 08:54:03
Original
1232 people have browsed it
  1. //Method one
  2. //Filter',",sql language name
  3. addslashes();
  4. //Method two, remove all html tags
  5. strip_tags();
  6. //Method three Filtering may generate code
  7. function php_sava($str)
  8. {
  9. $farr = array(
  10. "/s+/",
  11. "/<(/?)(script|i?frame|style|html|body|title| link|meta|?|%)([^>]*?)>/isU",
  12. "/(<[^>]*)on[a-zA-Z]+s*=([ ^>]*>)/isU",
  13. );
  14. $tarr = array(
  15. " ",
  16. "<>", //If you want to directly clear unsafe tags, you can leave it blank here
  17. "" ,
  18. );
  19. $str = preg_replace( $farr,$tarr,$str);
  20. return $str;
  21. }
  22. //php sql anti-injection code
  23. class sqlin
  24. {
  25. //dowith_sql($value)
  26. function dowith_sql($str)
  27. {
  28. $str = str_replace("and","",$str);
  29. $str = str_replace("execute","",$str);
  30. $str = str_replace("update" ,"",$str);
  31. $str = str_replace("count","",$str);
  32. $str = str_replace("chr","",$str);
  33. $str = str_replace("mid ","",$str);
  34. $str = str_replace("master","",$str);
  35. $str = str_replace("truncate","",$str);
  36. $str = str_replace(" char","",$str);
  37. $str = str_replace("declare","",$str);
  38. $str = str_replace("select","",$str);
  39. $str = str_replace( "create","",$str);
  40. $str = str_replace("delete","",$str);
  41. $str = str_replace("insert","",$str);
  42. $str = str_replace ("'","",$str);
  43. $str = str_replace(""","",$str);
  44. $str = str_replace(" ","",$str);
  45. $str = str_replace ("or","",$str);
  46. $str = str_replace("=","",$str);
  47. $str = str_replace("%20","",$str);
  48. // echo $str;
  49. return $str;
  50. }
  51. //aticle() anti-SQL injection function//php tutorial
  52. function sqlin()
  53. {
  54. foreach ($_GET as $key=>$value)
  55. {
  56. $ _GET[$key]=$this->dowith_sql($value);
  57. }
  58. foreach ($_POST as $key=>$value)
  59. {
  60. $_POST[$key]=$this->dowith_sql( $value);
  61. }
  62. }
  63. }
  64. $dbsql=new sqlin();
  65. ?>
Copy code

Usage: Copy the above code to create a new sqlin.php file, and then include it in the page where GET or POST data is received

Principle analysis: Replace all SQL keywords with empty This code cannot be used in the guestbook. If you want to use it in the guestbook, please replace it. ....... $str = str_replace("and","",$str); arrive $str = str_replace("%20","",$str); ... The code is:

  1. $str = str_replace("and","and",$str);
  2. $str = str_replace("execute","execute",$str);
  3. $str = str_replace ("update","update",$str);
  4. $str = str_replace("count","count",$str);
  5. $str = str_replace("chr","c hr",$str);
  6. $str = str_replace("mid","mid",$str);
  7. $str = str_replace("master","master",$str);
  8. $str = str_replace(" truncate","truncate",$str);
  9. $str = str_replace("char","char",$str);
  10. $str = str_replace("declare","declare",$str) ;
  11. $str = str_replace("select","select",$str);
  12. $str = str_replace("create","create",$str);
  13. $str = str_replace("delete" ,"delete",$str);
  14. $str = str_replace("insert","insert",$str);
  15. $str = str_replace("'","'",$str);
  16. $ str = str_replace(""",""",$str);
  17. ?>
Copy code

------------------------------------------------- ------ addslashes – Use backslashes to quote strings

string addslashes ( string str )

Returns a string with backslashes added in front of certain characters for database query statements, etc. These characters are single quote ('), double quote ("), backslash () and NUL (NULL character).

An example of using addslashes() is when you are entering data into a database. For example, inserting the name O'reilly into the database requires escaping it. Most databases use as escape character: O'reilly. This puts the data into the database without inserting extra . When the PHP directive magic_quotes_sybase is set to on, it means that inserting ' will be escaped with '.

By default, the PHP instruction magic_quotes_gpc is on, which mainly automatically runs addslashes() on all GET, POST and COOKIE data. Do not use addslashes() on strings that have been escaped by magic_quotes_gpc, as this will result in double escaping. When encountering this situation, you can use the function get_magic_quotes_gpc() to detect it. get_magic_quotes_gpc() This function obtains the value of the variable magic_quotes_gpc (GPC, Get/Post/Cookie) in the PHP environment configuration. Returning 0 means turning off this function; returning 1 means turning this function on. When magic_quotes_gpc is turned on, all ' (single quote), " (double quote), (backslash) and null characters are automatically converted to overflow characters containing backslashes. addslashes and stripslashes are used to operate on database characters in PHP. At first glance, it seems difficult to remember, but if you analyze it, add means to add, and strip means to ignore. slash is a slash, and slash is the plural of slash. Then addslashes means adding a slash, because some special characters are written to the database. Problems will occur later, such as " ', etc., so special symbols must be escaped to tell the database that those special symbols are strings. In the same way, stripslashes must subtract the slash when fetching the string from the database. htmlspecialchars converts certain special characters into html encoding. The most commonly used occasion may be the message board that handles customer messages. These special characters are limited to the following: & -> & " -> " < > -> > The functions of htmlentities are similar to htmlspecialchars, but htmlentities ignores all entities defined by HTML, including various special characters and Chinese characters. The result is that the Chinese characters become a bunch of garbled characters. htmlspecialchars_decode is the reverse process of htmlspecialchars, which converts html encoding into characters. PHP utility function for filtering special characters Special character filtering method for php form submission html special character filter php class How to escape special characters in url links Detailed explanation of php special character escaping php filter parameter special characters anti-injection php method to filter illegal and special strings Examples of php special character processing functions



source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template