php 过滤特殊字符及sql防注入代码

2024-05-01 11:11•php•阅读 2071

<?php

//方法一

//过滤',",sql语名

addslashes();

//方法二，去除所有html标签

strip_tags();

//方法三过滤可能产生代码

function php_sava($str)

{

$farr = array(

"/s+/",

"/<(/?)(script|i?frame|style|html|body|title|link|meta|?|%)([^>]*?)>/isU",

"/(<[^>]*)on[a-zA-Z]+s*=([^>]*>)/isU",

);

$tarr = array(

" ",

"＜＞", //如果要直接清除不安全的标签，这里可以留空

"",

);

$str = preg_replace( $farr,$tarr,$str);

return $str;

}

//php sql防注入代码

class sqlin

{

//dowith_sql($value)

function dowith_sql($str)

{

$str = str_replace("and","",$str);

$str = str_replace("execute","",$str);

$str = str_replace("update","",$str);

$str = str_replace("count","",$str);

$str = str_replace("chr","",$str);

$str = str_replace("mid","",$str);

$str = str_replace("master","",$str);

$str = str_replace("truncate","",$str);

$str = str_replace("char","",$str);

$str = str_replace("declare","",$str);

$str = str_replace("select","",$str);

$str = str_replace("create","",$str);

$str = str_replace("delete","",$str);

$str = str_replace("insert","",$str);

$str = str_replace("'","",$str);

$str = str_replace(""","",$str);

$str = str_replace(" ","",$str);

$str = str_replace("or","",$str);

$str = str_replace("=","",$str);

$str = str_replace("%20","",$str);

//echo $str;

return $str;

}

//aticle()防SQL注入函数//php教程

function sqlin()

{

foreach ($_GET as $key=>$value)

{

$_GET[$key]=$this->dowith_sql($value);

}

foreach ($_POST as $key=>$value)

{

$_POST[$key]=$this->dowith_sql($value);

}

}

}

$dbsql=new sqlin();

?>

===================================================================================

使用方式：

将以上代码复制新建一个sqlin.php的文件，然后包含在有GET或者POST数据接收的页面

原理：

将所有的SQL关键字替换为空

本代码在留言本中不能使用，若要在留言本中使用请替换其中的

.......

$str = str_replace("and","",$str);

到

$str = str_replace("%20","",$str);

...

的代码为:

$str = str_replace("and","and",$str);

$str = str_replace("execute","execute",$str);

$str = str_replace("update","update",$str);

$str = str_replace("count","count",$str);

$str = str_replace("chr","chr",$str);

$str = str_replace("mid","mid",$str);

$str = str_replace("master","master",$str);

$str = str_replace("truncate","truncate",$str);

$str = str_replace("char","char",$str);

$str = str_replace("declare","declare",$str);

$str = str_replace("select","select",$str);

$str = str_replace("create","create",$str);

$str = str_replace("delete","delete",$str);

$str = str_replace("insert","insert",$str);

$str = str_replace("'","'",$str);

$str = str_replace(""",""",$str);

?>

上一篇 »web安全攻防笔记
下一篇 »Linux系统——特殊符号、通配符及正则表达式