PHP anti-SQL-injection function
Source: compiled by this site. Published: 2015-02-14. Views: 34
The following is the latest PHP anti-SQL-injection function article compiled by 三零网 for our readers; we hope you find it useful.
When you pass user-submitted parameters into an SQL statement, first run each parameter through the function provided below, and only then splice it into the query.
Use:
mysql_query("INSERT INTO table VALUES('" . sql_sanitize($_POST["variable"]) . "')");
instead of:
mysql_query("INSERT INTO table VALUES('" . $_POST["variable"] . "')");
/*
Function: sql_sanitize( $sCode )
Description: "Sanitize" a string of SQL code to prevent SQL injection.
Parameters: $sCode
The SQL code which you wish to sanitize.
Example: mysql_query('UPDATE table SET value="' . sql_sanitize("' SET id='4'") . '" WHERE id="1"');
Requirements: PHP version 4 or greater
Notes:
Author: engel <engel@engel.uk.to>
*/
function sql_sanitize( $sCode ) {
    if ( function_exists( "mysql_real_escape_string" ) ) { // PHP >= 4.3.0 (the mysql extension was removed in PHP 7)
        // Escape the string for MySQL, honouring the character set of the open
        // connection. Note: this requires an established mysql_connect() link;
        // without one it emits a warning and returns false.
        $sCode = mysql_real_escape_string( $sCode );
    } else { // PHP < 4.3.0
        // Fallback: precede quotes, backslashes and NUL with a backslash.
        // addslashes() is not charset-aware, so it is weaker than the branch above.
        $sCode = addslashes( $sCode );
    }
    // Only safe when the result is placed inside a quoted SQL string literal,
    // never for bare numbers, identifiers or keywords.
    return $sCode; // Return the sanitized string
}
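As an added example (not part of the original article, and not the author's code), the same INSERT done two ways through PDO on an in-memory SQLite database, so it runs offline on a current PHP without the legacy mysql_* extension: the article's escape-then-splice approach using PDO::quote() in place of sql_sanitize(), beside a prepared statement with a bound parameter. The input value and table name are constructed for the demonstration.

```php
<?php
// Added example: compare escaping (the article's approach) with a bound parameter.
// Assumes the pdo_sqlite extension, which ships with stock PHP builds.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, value TEXT)');

// Constructed input standing in for $_POST["variable"]; the single quote is the
// character that breaks the unsanitized query on the page.
$userInput = "O'Brien";

// 0. The unsafe form from the article (raw concatenation): the quote ends the
//    string literal early and the statement fails with a syntax error.
$rawFailed = false;
try {
    $pdo->exec("INSERT INTO t (value) VALUES ('" . $userInput . "')");
} catch (PDOException $e) {
    $rawFailed = true;
}

// 1. The article's approach, modernised: escape, then splice into a quoted
//    literal. PDO::quote() returns the value already wrapped in quotes, so none
//    are added here. Like mysql_real_escape_string(), it is only correct inside
//    a quoted string literal, never for bare numbers or identifiers.
$pdo->exec('INSERT INTO t (value) VALUES (' . $pdo->quote($userInput) . ')');

// 2. Prepared statement with a bound parameter: the value never becomes part of
//    the SQL text, so no escaping is needed. Prefer this over escaping.
$stmt = $pdo->prepare('INSERT INTO t (value) VALUES (:v)');
$stmt->execute([':v' => $userInput]);

// Check: the raw form failed, and both safe forms stored the input verbatim.
$rows = $pdo->query('SELECT value FROM t ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
assert($rawFailed === true);
assert($rows === [$userInput, $userInput]);
printf("raw insert failed: %s; rows stored: %d\n", $rawFailed ? 'yes' : 'no', count($rows));
```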