-
- /**
- * 防sql注入
- * @author: test@jbxue.com
- * */
- /**
- * reject sql inject
- */
- if (!function_exists (quote))
- {
- function quote($var)
- {
- if (strlen($var))
- {
- $var=!get_magic_quotes_gpc() ? $var : stripslashes($var);
- $var = str_replace("'","'",$var);
- }
- return "'$var'";
- }
- }
- if (!function_exists (hash_num)){
- function hash_num($input)
- {
- $hash = 5381;
- for ($i = 0; $i < strlen($str); $i++)
- {
- $c = ord($str{$i});
- $hash = (($hash << 5) + $hash) + $c;
- }
- return $hash;
- }
- }
- ?>
复制代码
测试:
-
- /**
- * 防sql测试代码
- CREATE TABLE IF NOT EXISTS `tb` (
- `id` int(10) unsigned NOT NULL auto_increment,
- `age` tinyint(3) unsigned NOT NULL,
- `name` char(100) NOT NULL,
- `note` text NOT NULL,
- PRIMARY KEY (`id`)
- ) ENGINE=MyISAM DEFAULT CHARSET=utf8 ;
- **/
- include_once('common.php');
- var_dump(hash_num('dddd'));
- if(empty($_GET))
- {
- $_GET = array('age'=>'99','name'=>'a'b\'c";','note'=>"a'b'nC#");
- }
- $age = (int)$_GET['age'];
- $name = quote($_GET['name']);
- $note = quote($_GET['note']);
- $sql = "INSERT INTO `tb` ( `age`, `name`, `note`) VALUES
- ( $age, $name, $note)";
- var_dump($sql);
- ?>
复制代码
#--------------------
方法二:
-
-
$magic_quotes_gpc = get_magic_quotes_gpc(); - @extract(daddslashes($_COOKIE));
- @extract(daddslashes($_POST));
- @extract(daddslashes($_GET));
- if(!$magic_quotes_gpc) {
- $_FILES = daddslashes($_FILES);
- }
function daddslashes($string, $force = 0) {
- if(!$GLOBALS['magic_quotes_gpc'] || $force) {
- if(is_array($string)) {
- foreach($string as $key => $val) {
- $string[$key] = daddslashes($val, $force);
- }
- } else {
- $string = addslashes($string);
- }
- }
- return $string;
- }
- ?>
-
复制代码
方法三:
-
-
- function inject_check($sql_str) { //防止注入
- $check = eregi('select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str);
- if ($check) {
- echo "输入非法注入内容!";
- exit ();
- } else {
- return $sql_str;
- }
- }
- function checkurl() { //检查来路
- if (preg_replace("/https教程?://([^:/]+).*/i", "1", $_server['http_referer']) !== preg_replace("/([^:]+).*/", "1", $_server['http_host'])) {
- header("location: http://s.jbxue.com");
- exit();
- }
- }
- //调用
- checkurl();
- $str = $_get['url'];
- inject_check($sql_str);//这条可以在获取参数时执行操作
复制代码
|