如何编写PHP类有效防止SQL注入?
- 内容介绍
- 文章标签
- 相关推荐
本文共计283个文字,预计阅读时间需要2分钟。
phpclass SQLSafe{ private $getfilter='^|(|or)^(and|in|like|=(|=))^(*|^|/|s|script|EXEC|UNION|SELECT|UPDATE|SET|INSERT|INTO|VALUES|((SELECT|DELETE)^(FROM|CREATE|ALTER|DROP|TRUNCATE)^((TABLE|DATABASE)^))$';}
<?php class sqlsafe { private $getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; private $postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; private $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; /** * 构造函数 */ public function __construct() { foreach($_GET as $key=>$value){$this->stopattack($key,$value,$this->getfilter);} foreach($_POST as $key=>$value){$this->stopattack($key,$value,$this->postfilter);} foreach($_COOKIE as $key=>$value){$this->stopattack($key,$value,$this->cookiefilter);} } /** * 参数检查并写日志 */ public function stopattack($StrFiltKey, $StrFiltValue, $ArrFiltReq){ if(is_array($StrFiltValue))$StrFiltValue = implode($StrFiltValue); if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue) == 1){ $this->writeslog($_SERVER["REMOTE_ADDR"]." ".strftime("%Y-%m-%d %H:%M:%S")." ".$_SERVER["PHP_SELF"]." ".$_SERVER["REQUEST_METHOD"]." ".$StrFiltKey." ".$StrFiltValue); showmsg('您提交的参数非法,系统已记录您的本次操作!','',0,1); } } /** * SQL注入日志 */ public function writeslog($log){ $log_path = CACHE_PATH.'logs'.DIRECTORY_SEPARATOR.'sql_log.txt'; $ts = fopen($log_path,"a+"); fputs($ts,$log."\r\n"); fclose($ts); } } ?>
本文共计283个文字,预计阅读时间需要2分钟。
phpclass SQLSafe{ private $getfilter='^|(|or)^(and|in|like|=(|=))^(*|^|/|s|script|EXEC|UNION|SELECT|UPDATE|SET|INSERT|INTO|VALUES|((SELECT|DELETE)^(FROM|CREATE|ALTER|DROP|TRUNCATE)^((TABLE|DATABASE)^))$';}
<?php class sqlsafe { private $getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; private $postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; private $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; /** * 构造函数 */ public function __construct() { foreach($_GET as $key=>$value){$this->stopattack($key,$value,$this->getfilter);} foreach($_POST as $key=>$value){$this->stopattack($key,$value,$this->postfilter);} foreach($_COOKIE as $key=>$value){$this->stopattack($key,$value,$this->cookiefilter);} } /** * 参数检查并写日志 */ public function stopattack($StrFiltKey, $StrFiltValue, $ArrFiltReq){ if(is_array($StrFiltValue))$StrFiltValue = implode($StrFiltValue); if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue) == 1){ $this->writeslog($_SERVER["REMOTE_ADDR"]." ".strftime("%Y-%m-%d %H:%M:%S")." ".$_SERVER["PHP_SELF"]." ".$_SERVER["REQUEST_METHOD"]." ".$StrFiltKey." ".$StrFiltValue); showmsg('您提交的参数非法,系统已记录您的本次操作!','',0,1); } } /** * SQL注入日志 */ public function writeslog($log){ $log_path = CACHE_PATH.'logs'.DIRECTORY_SEPARATOR.'sql_log.txt'; $ts = fopen($log_path,"a+"); fputs($ts,$log."\r\n"); fclose($ts); } } ?>