How to prevent SQL injection with PHP + MySQL
<p>Methods:</p><p>1. Prepared statements. (Prepared statements are very useful against SQL injection, because the parameter values are sent afterwards over a different protocol, which guarantees that they are handled as data.)</p>
<p>2. mysql_real_escape_string -- escapes the special characters in a string for use in an SQL statement, taking the connection's current character set into account!</p>
<div class="cnblogs_code">
<pre>// mysql_real_escape_string() belongs to the old mysql extension (removed in PHP 7);
// mysqli_real_escape_string($link, $s) is the mysqli equivalent.
$sql = "select count(*) as ctr from users where username
='".mysql_real_escape_string($username)."' and
password='". mysql_real_escape_string($pw)."' limit 1";</pre>
</div>
<p>3. Turn on magic_quotes_gpc to prevent SQL injection. php.ini has the setting magic_quotes_gpc = Off, which is the default (off); when it is on, user-submitted data that goes into SQL queries is converted automatically, e.g. ' becomes \', which is a major help against SQL injection.</p>
<p>If magic_quotes_gpc=Off, use the addslashes() function instead.</p>
<p>4. Custom functions:</p>
<div class="cnblogs_code">
<pre>/**
 * Custom anti-SQL-injection method one
 * author: xiaochuan
 * @param: mixed $value  parameter value
 */
function check_param($value=null) {
    #select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile
    $str = 'select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile';
    if(!$value) {
        exit('没有参数!');
    // eregi() was removed in PHP 7; preg_match() with the /i flag is the case-insensitive equivalent.
    // Note: a keyword blacklist also rejects ordinary input such as "android" (contains "and")
    // or "order" (contains "or"), so it cannot replace prepared statements.
    }elseif(preg_match('/' . $str . '/i', $value)) {
        exit('参数非法!');
    }
    return true;
}
/**
 * Custom anti-SQL-injection method two
 * author: xiaochuan
 * @param: mixed $value  parameter value
 */
function str_check( $value ) {
    // get_magic_quotes_gpc() has returned false since PHP 5.4 and was removed in 8.0,
    // so on current PHP addslashes() always runs here.
    if(!get_magic_quotes_gpc()) {
        // filter
        $value = addslashes($value);
    }
    // "_" and "%" are LIKE wildcards; escape them so they match literally in a LIKE pattern.
    $value = str_replace("_", "\_", $value);
    $value = str_replace("%", "\%", $value);
    return $value;
}
/**
 * Custom anti-SQL-injection method three
 * author: xiaochuan
 * @param: mixed $value  parameter value
 */
function post_check($value) {
    if(!get_magic_quotes_gpc()) {
        // filter
        $value = addslashes($value);
    }
    $value = str_replace("_", "\_", $value);
    $value = str_replace("%", "\%", $value);
    // nl2br() and htmlspecialchars() prepare the value for HTML output, not for SQL.
    $value = nl2br($value);
    $value = htmlspecialchars($value);
    return $value;
}</pre>
</div>
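<p>The following is an added example, not code from the original post: the method-1 login query written as a PDO prepared statement, plus a LIKE search that shows why the "_" and "%" escaping from method two still matters even with bound parameters. It assumes PDO with the SQLite driver (an in-memory database, so it runs offline); the table, rows, usernames, passwords and function names are constructed for the example.</p>

```php
<?php
// Added example, not from the original post: the login query from method 1 done
// with a PDO prepared statement instead of string concatenation, plus a LIKE
// search showing why method two's "_" and "%" escaping still matters.
// Uses an in-memory SQLite database so it runs offline; for MySQL only the DSN
// (mysql:host=...;dbname=...) and credentials change, and there you should also
// set PDO::ATTR_EMULATE_PREPARES to false so the server itself does the preparing.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows (note the SQL-doubled quote in o''brien).
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'pw1'), ('o''brien', 'pw2'), ('bob_1', 'pw3'), ('bobby', 'pw4')");

/**
 * The page's method-1 query as a prepared statement: the SQL text is sent
 * once, the values are bound separately, so a quote in $username or $pw is
 * plain data and needs no mysql_real_escape_string()/addslashes() at all.
 */
function count_users(PDO $pdo, string $username, string $pw): int
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) AS ctr FROM users WHERE username = :u AND password = :p LIMIT 1'
    );
    $stmt->execute([':u' => $username, ':p' => $pw]);
    return (int) $stmt->fetchColumn();
}

/**
 * Prefix search with LIKE. Binding stops injection, but "%" and "_" are still
 * wildcards inside the bound pattern, so they are escaped (with "!" as the
 * ESCAPE character, which works the same in MySQL and SQLite) before binding.
 */
function search_users(PDO $pdo, string $prefix): int
{
    // Replace "!" first so a literal "!" in the input stays a literal.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $prefix);
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE username LIKE :pat ESCAPE '!'");
    $stmt->execute([':pat' => $escaped . '%']);
    return (int) $stmt->fetchColumn();
}

var_dump(count_users($pdo, "o'brien", 'pw2'));   // the apostrophe is plain data, so this row is found
var_dump(count_users($pdo, "o'brien", 'wrong')); // wrong password: no row
var_dump(search_users($pdo, 'bob_'));            // only bob_1; an unescaped "_" would also match bobby
```

Run it with the php command-line binary; note that get_magic_quotes_gpc() and mysql_real_escape_string() from the post no longer exist in current PHP, which is one more reason to prefer prepared statements.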
Source: https://www.cnblogs.com/573734817pc/p/11239410.html