
sql注入基礎過濾

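/**
     * sql注入過濾 — blacklist-style keyword filter for request input.
     *
     * Rejects the request (via die()) when the value matches the per-source
     * keyword pattern, then strips magic-quote slashes, re-adds slashes,
     * HTML-escapes the value and converts newlines to <br />.
     *
     * NOTE(review): a keyword blacklist is a coarse check only and is not a
     * substitute for parameterised queries in the data layer or for
     * context-specific escaping at output time; keep those in place regardless.
     *
     * @param string $string 需要校驗的字元 (the value to check; expected to be a scalar)
     * @param string $type   get | post | cookie — any other value skips the pattern check
     * @return string the filtered value
     */
    public function sqlFilter($string, $type)
    {
        $getfilter = "/^'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)$/i";
        // post and cookie share one pattern (the two originals were byte-identical).
        $postCookieFilter = "/^\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)$/i";
        $filters = array(
            'get'    => $getfilter,
            'post'   => $postCookieFilter,
            'cookie' => $postCookieFilter,
        );

        if (isset($filters[$type])) {
            $matched = preg_match($filters[$type], $string);
            // Fail closed: preg_match() returns false on a PCRE error (e.g. the
            // backtrack limit on long input); treating that as "no match" would
            // let the value through the check unexamined.
            if ($matched !== 0) {
                // NOTE(review): the message text is kept for client compatibility,
                // although it reads as the opposite of what happened (rejection).
                die(json_encode(array('msg' => 'data valid')));
            }
        }

        // get_magic_quotes_gpc() was removed in PHP 8.0 (a fatal "undefined
        // function" error there). When it is absent, input is never pre-slashed,
        // so stripslashes() runs unconditionally, exactly as it did on PHP 7.4.
        if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }

        $string = addslashes($string);
        // Escape first, then insert <br />: running nl2br() before
        // htmlspecialchars() (the original order) turned every inserted tag
        // into the literal text "&lt;br /&gt;". Flags are explicit so that
        // single quotes are escaped on every PHP version, not only on 8.1+.
        $string = htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); // html標記轉換
        $string = nl2br($string); // 回車轉換
        return $string;
    }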