欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  后端开发

php实现sql防止注入的几种方法

程序员文章站 2022-05-09 12:21:37
...
  1. /**
  2. * 防sql注入
  3. * @author: test@jbxue.com
  4. * */
  5. /**
  6. * reject sql inject
  7. */
  8. if (!function_exists (quote))
  9. {
  10. function quote($var)
  11. {
  12. if (strlen($var))
  13. {
  14. $var=!get_magic_quotes_gpc() ? $var : stripslashes($var);
  15. $var = str_replace("'","\'",$var);
  16. }
  17. return "'$var'";
  18. }
  19. }
  20. if (!function_exists (hash_num)){
  21. function hash_num($input)
  22. {
  23. $hash = 5381;
  24. for ($i = 0; $i {
  25. $c = ord($str{$i});
  26. $hash = (($hash }
  27. return $hash;
  28. }
  29. }
  30. ?>
复制代码

测试:

  1. /**
  2. * 防sql测试代码
  3. CREATE TABLE IF NOT EXISTS `tb` (
  4. `id` int(10) unsigned NOT NULL auto_increment,
  5. `age` tinyint(3) unsigned NOT NULL,
  6. `name` char(100) NOT NULL,
  7. `note` text NOT NULL,
  8. PRIMARY KEY (`id`)
  9. ) ENGINE=MyISAM DEFAULT CHARSET=utf8 ;
  10. **/
  11. include_once('common.php');
  12. var_dump(hash_num('dddd'));
  13. if(empty($_GET))
  14. {
  15. $_GET = array('age'=>'99','name'=>'a\'b\\\'c";','note'=>"a'b\'\nC#");
  16. }
  17. $age = (int)$_GET['age'];
  18. $name = quote($_GET['name']);
  19. $note = quote($_GET['note']);
  20. $sql = "INSERT INTO `tb` ( `age`, `name`, `note`) VALUES
  21. ( $age, $name, $note)";
  22. var_dump($sql);
  23. ?>
复制代码

#-------------------- 方法二:

  1. $magic_quotes_gpc = get_magic_quotes_gpc();

  2. @extract(daddslashes($_COOKIE));
  3. @extract(daddslashes($_POST));
  4. @extract(daddslashes($_GET));
  5. if(!$magic_quotes_gpc) {
  6. $_FILES = daddslashes($_FILES);
  7. }
  8. function daddslashes($string, $force = 0) {

  9. if(!$GLOBALS['magic_quotes_gpc'] || $force) {
  10. if(is_array($string)) {
  11. foreach($string as $key => $val) {
  12. $string[$key] = daddslashes($val, $force);
  13. }
  14. } else {
  15. $string = addslashes($string);
  16. }
  17. }
  18. return $string;
  19. }
  20. ?>
复制代码

方法三:

  1. function inject_check($sql_str) { //防止注入
  2. $check = eregi('select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str);
  3. if ($check) {
  4. echo "输入非法注入内容!";
  5. exit ();
  6. } else {
  7. return $sql_str;
  8. }
  9. }
  10. function checkurl() { //检查来路
  11. if (preg_replace("/https教程?://([^:/]+).*/i", "1", $_server['http_referer']) !== preg_replace("/([^:]+).*/", "1", $_server['http_host'])) {
  12. header("location: http://s.jbxue.com");
  13. exit();
  14. }
  15. }
  16. //调用
  17. checkurl();
  18. $str = $_get['url'];
  19. inject_check($sql_str);//这条可以在获取参数时执行操作
复制代码