PHP检查是否包含有SQL注入语句,防止注射
感觉很不错的一个PHP防SQL注入的函数,可以直接返回 true 值和 false 值,也可以直接弹出一个警告的对话框,将其应用防SQL注入的页面即可,源码简单小巧,可以防一般的 PHP SQL 注入。源码如下:
[code lang="php"]
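/**
 * checksql() — coarse blacklist check for SQL-injection-looking input.
 *
 * Lower-cases the value, then rejects it when it is over-long, contains any
 * of a fixed set of punctuation/comment tokens, contains a listed SQL keyword
 * as a whole word, or starts with a hex literal prefix. Blacklist matching of
 * this kind cannot be complete: the authoritative control is a parameterised
 * query (PDO prepare()/execute()) plus per-context output escaping, and this
 * function is only a cheap pre-filter in front of it.
 *
 * @param string $str       the submitted value to inspect
 * @param int    $maxLength longest accepted byte length (strlen); default 43
 *                          as in the original listing, longer input is rejected
 * @return int 1 when nothing blacklisted was found, 0 when the value is rejected
 */
function checksql(string $str, int $maxLength = 43): int
{
    $str = strtolower($str);

    // Byte length, not character count: over-long input is rejected outright.
    if (strlen($str) > $maxLength) {
        return 0;
    }

    // Tokens rejected wherever they appear. The original's separate checks for
    // '\"' and for '/*' are subsumed by '\\' and '/', so they are folded in.
    // NOTE(review): the original listing also called strpos($str, '') with an
    // empty needle; on PHP 8 an empty needle is found at offset 0, which made
    // the function reject every input. The character that line was meant to
    // carry is not recoverable from the listing, so it is dropped here.
    $forbiddenTokens = [
        '%', '(', ')', '*', ',', '[', ']', '<', '>', '/', '\\',
        '{', '}', '\'', '"', '--', '#',
    ];
    foreach ($forbiddenTokens as $token) {
        if (strpos($str, $token) !== false) {
            return 0;
        }
    }

    // SQL keywords rejected only as whole words: a letter on either side means
    // the hit is inside a longer word (e.g. "reunion") and is left alone. The
    // stray '[' in the original's trailing class ([^[a-z]) is dropped; '[' is
    // already rejected above. "into outfile" is matched by the regex alone:
    // the original's strpos() pre-check only ever saw the single-space
    // spelling, which left the \s+ in its regex dead.
    $keywordPatterns = ['union', 'sleep', 'benchmark', 'load_file', 'into\s+outfile', 'select'];
    foreach ($keywordPatterns as $pattern) {
        if (preg_match('~(^|[^a-z])' . $pattern . '($|[^a-z])~s', $str) === 1) {
            return 0;
        }
    }

    // The original pattern '~(^0x)~s' is anchored: a hex prefix at the very start.
    if (substr($str, 0, 2) === '0x') {
        return 0;
    }

    return 1;
}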
[/code]