Discuz's PHP SQL injection prevention functions

  • 2020-03-31 21:33:02
  • OfStack

Recently I was working on a topic-voting website. The client knows a bit about programming and specifically asked that certain characters be filtered to prevent SQL injection. I had never looked into this area in any depth, so I fell back on the time-honoured practice of borrowing: take the SQL anti-injection functions from the Discuz forum!
 
// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0,
// so on current PHP this is always false and every value is escaped exactly once below.
$magic_quotes_gpc = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

// Escape all request data, then register each key as a global variable.
// Caution: extract() on request data emulates register_globals, so any client can
// define or overwrite a global; $_GET is extracted last and wins on name collisions.
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if (!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}

// Recursively addslashes() a value unless magic_quotes_gpc already did it;
// $force = 1 escapes regardless of the magic_quotes setting.
function daddslashes($string, $force = 0) {
    if (!$GLOBALS['magic_quotes_gpc'] || $force) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}

On top of that, the helper functions below can be added to harden the server further; SQL injection prevention matters in any PHP application. Keep in mind what they do and do not cover: addslashes() only protects a value placed inside a quoted MySQL-style string literal (it is not the correct escaping for every database), it does nothing for a value interpolated bare into a numeric comparison (which is why verify_id() insists on an integer), and prepared statements with bound parameters remain the dependable fix.
 
 
// Blacklist check: returns 1 if the value contains any of these keywords or characters.
// It matches substrings, so ordinary words such as "Oregon" or "password" (both contain "or") are rejected too.
function inject_check($sql_str) {
    // eregi() was removed in PHP 7; preg_match() with the /i flag is the equivalent
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str); // filtering
}

 
// Validate an id parameter: it must be present, free of blacklisted tokens, and numeric.
// Note that !$id also rejects "0", because the string "0" is falsy in PHP.
function verify_id($id = null) {
    if (!$id) { exit('No parameter submitted!'); }                                // empty check
    elseif (inject_check($id)) { exit('The submitted parameter is illegal!'); }  // injection check
    elseif (!is_numeric($id)) { exit('The submitted parameter is illegal!'); }   // numeric check
    $id = intval($id); // cast to integer

    return $id;
}

 
// Escape a string for use inside a quoted SQL literal, including the LIKE wildcards.
function str_check($str) {
    // get_magic_quotes_gpc() always returned false from PHP 5.4 and no longer exists in PHP 8
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) {
        $str = addslashes($str); // escape quotes, backslashes and NUL
    }
    $str = str_replace('_', '\_', $str); // escape the LIKE wildcard '_'
    $str = str_replace('%', '\%', $str); // escape the LIKE wildcard '%'

    return $str;
}

 
// Prepare submitted text for both SQL storage and HTML display.
function post_check($post) {
    if (!(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())) {
        $post = addslashes($post); // escape the submitted data if magic_quotes_gpc is not on
    }
    $post = str_replace('_', '\_', $post); // escape the LIKE wildcard '_'
    $post = str_replace('%', '\%', $post); // escape the LIKE wildcard '%'
    $post = htmlspecialchars($post); // HTML tag conversion; must run before nl2br(),
                                     // otherwise the <br /> tags it inserts would be escaped too
    $post = nl2br($post);            // newline conversion

    return $post;
}
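To see what these helpers do and do not stop, here is an added example (my own code, not Discuz's or OfStack's) that runs the same kind of input through addslashes()-style escaping in a numeric context, a non-fatal variant of verify_id(), a PDO prepared statement, a LIKE search with str_check()-style wildcard escaping, and the keyword blacklist. It assumes the pdo_sqlite extension is available; the topics table, its rows and the attacker strings are constructed for the demonstration, and the function names are mine.

```php
<?php
// Added example (not Discuz or OfStack code): where addslashes()-style escaping
// holds, where it fails, and what a prepared statement does instead.
// Assumes the pdo_sqlite extension; the table and rows below are constructed test data.
declare(strict_types=1);

function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO topics VALUES (1, 'Public topic'), (2, 'Hidden topic'), (3, '100% done')");
    return $pdo;
}

// Case 1: numeric context. addslashes() only escapes quotes, backslashes and NUL, so an
// id of "1 OR 1=1" passes through unchanged and the query returns every row.
function lookup_by_escaped_id(PDO $pdo, string $id): array {
    $escaped = addslashes($id);
    return $pdo->query("SELECT id FROM topics WHERE id = $escaped")->fetchAll(PDO::FETCH_COLUMN);
}

// Case 2: the verify_id() idea (is_numeric + intval), returning null instead of calling exit().
// The page's version tests !$id, which also rejects the legitimate id "0".
function verify_id_nonfatal(?string $id): ?int {
    if ($id === null || $id === '' || !is_numeric($id)) {
        return null;
    }
    return intval($id);
}

// Case 3: a bound parameter is never parsed as SQL, so the same input simply matches nothing.
function lookup_by_bound_id(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare('SELECT id FROM topics WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Case 4: LIKE wildcards. str_check() escapes % and _ so they are matched literally;
// SQLite needs an explicit ESCAPE clause (MySQL treats backslash as the LIKE escape by default).
function search_titles(PDO $pdo, string $needle, bool $escape_wildcards): array {
    if ($escape_wildcards) {
        $needle = str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $needle);
    }
    $stmt = $pdo->prepare("SELECT id FROM topics WHERE title LIKE :pat ESCAPE '\\'");
    $stmt->execute([':pat' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Case 5: the keyword blacklist matches substrings, so ordinary words trip it.
function blacklist_hits(string $value): bool {
    return (bool) preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $value);
}

$pdo = make_db();
$attacker_id = '1 OR 1=1'; // constructed attacker input: no quotes, so addslashes() leaves it alone

printf("escaped:   %s\n", implode(',', lookup_by_escaped_id($pdo, $attacker_id)));  // 1,2,3  every row leaks
printf("verify:    %s\n", var_export(verify_id_nonfatal($attacker_id), true));      // NULL   rejected as non-numeric
printf("bound:     %s\n", implode(',', lookup_by_bound_id($pdo, $attacker_id)));    // (empty) no row matches
printf("like raw:  %s\n", implode(',', search_titles($pdo, '%', false)));          // 1,2,3  % matches everything
printf("like esc:  %s\n", implode(',', search_titles($pdo, '%', true)));           // 3      literal % only
printf("blacklist: %s\n", var_export(blacklist_hits('Oregon'), true));             // true   false positive on "or"
```

The two lookups by id take identical input: the escaped one hands the attacker's text to the SQL parser and leaks every row, while the bound one compares the whole string against the id column and finds nothing. The LIKE pair shows why str_check() escapes the wildcards, and the last line shows the cost of the blacklist, which rejects a harmless place name.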

