sql注入基礎過濾
阿新 • • 發佈:2022-12-06
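/**
 * SQL injection filter.
 *
 * Checks $string against a keyword blacklist chosen by $type and, when it does
 * not match, returns the value slash-escaped and HTML-escaped. The blacklist is
 * a heuristic only: it is not a substitute for prepared statements with bound
 * parameters, so the returned value must still reach the database through a
 * parameterised query rather than string concatenation.
 *
 * On a match the request is terminated with a JSON body (the literal reads
 * 'data valid' although it is sent on rejection; kept verbatim because callers
 * and clients may depend on it). Note that in each pattern the `^` anchor
 * applies only to the first alternative and the `$` anchor only to the last;
 * the alternatives in between match anywhere in the string.
 *
 * @param string $string the value to check
 * @param string $type   'get', 'post' or 'cookie'; any other value skips the
 *                       regex check and only applies the escaping steps
 * @return string the slash- and HTML-escaped value
 */
public function sqlFilter($string, $type)
{
    $getfilter = "/^'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)$/i";
    $postfilter = "/^\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)$/i";

    // The original cookie pattern was byte-identical to the POST pattern, so
    // both types share one definition instead of two copies that could drift.
    $filters = array(
        'get'    => $getfilter,
        'post'   => $postfilter,
        'cookie' => $postfilter,
    );

    if (isset($filters[$type]) && preg_match($filters[$type], $string)) {
        die(json_encode(array('msg' => 'data valid')));
    }

    // get_magic_quotes_gpc() was removed in PHP 8.0, so calling it unguarded
    // is a fatal "undefined function" error. When the function is missing,
    // magic quotes are necessarily off, which is exactly the case in which the
    // original code applied stripslashes().
    $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magicQuotesOn) {
        $string = stripslashes($string);
    }

    // stripslashes() followed by addslashes() normalises the value to exactly
    // one level of backslash escaping regardless of how it arrived.
    // $string = mysql_real_escape_string ($string); //\x00 \n \r \' " \x1a
    $string = addslashes($string);

    // Newline -> <br />. Because htmlspecialchars() runs afterwards, the
    // inserted tags are themselves encoded (the result contains "&lt;br /&gt;"
    // rather than markup). The order is preserved as-is since existing callers
    // receive this output; swapping the two calls would change it.
    $string = nl2br($string);
    $string = htmlspecialchars($string); // HTML tag conversion
    return $string;
}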