防止sql注入的php代码!
我原来没有防止的是这样的:$link=mysqli_connect(...省略);$search=$_POST["keyword"];$query1="SELECT*FR...
我原来没有防止的是这样的:
$link=mysqli_connect(...省略);
$search=$_POST["keyword"];
$query1="SELECT * FROM Country WHERE Name LIKE '%$search%'";
$result1=mysqli_query($link,$query1);
while($line1=mysqli_fetch_array($result1,MYSQLI_ASSOC))
{
foreach ($line1 as $col_value)
{
echo "$col_value\n";
}
}
作业要求是要有防止sql注入的,用prepare这些的!!求高手帮我改一下。。。
我完全不会啊。。。
谢谢了!!!!!!
我自己改了一段代码。。。不知道算不算防注入?而且运行不出结果。。
求解答!!!!谢谢!!!!!!!!!!!!!!!
if ($stmt = mysqli_prepare($link, "SELECT Code,Name FROM Country WHERE Name LIKE '%?%'"))
{
$search=$_POST["$keyword"];
mysqli_stmt_bind_param($stmt,'s',$search);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $col1, $col2);
while (mysqli_stmt_fetch($stmt))
{
printf("%s %s\n",$col1,$col2);
}
/* close statement */
mysqli_stmt_close($stmt);
} 展开
$link=mysqli_connect(...省略);
$search=$_POST["keyword"];
$query1="SELECT * FROM Country WHERE Name LIKE '%$search%'";
$result1=mysqli_query($link,$query1);
while($line1=mysqli_fetch_array($result1,MYSQLI_ASSOC))
{
foreach ($line1 as $col_value)
{
echo "$col_value\n";
}
}
作业要求是要有防止sql注入的,用prepare这些的!!求高手帮我改一下。。。
我完全不会啊。。。
谢谢了!!!!!!
我自己改了一段代码。。。不知道算不算防注入?而且运行不出结果。。
求解答!!!!谢谢!!!!!!!!!!!!!!!
if ($stmt = mysqli_prepare($link, "SELECT Code,Name FROM Country WHERE Name LIKE '%?%'"))
{
$search=$_POST["$keyword"];
mysqli_stmt_bind_param($stmt,'s',$search);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $col1, $col2);
while (mysqli_stmt_fetch($stmt))
{
printf("%s %s\n",$col1,$col2);
}
/* close statement */
mysqli_stmt_close($stmt);
} 展开
展开全部
<?php
function checkIllegalWord ()
{
// 定义不允许提交的SQL命令及关键字
$words = array();
$words[] = " add ";
$words[] = " count ";
$words[] = " create ";
$words[] = " delete ";
$words[] = " drop ";
$words[] = " from ";
$words[] = " grant ";
$words[] = " insert ";
$words[] = " select ";
$words[] = " truncate ";
$words[] = " update ";
$words[] = " use ";
$words[] = "-- ";
// 判断提交的数据中是否存在以上关键字, $_REQUEST中含有所有提交数据
foreach($_REQUEST as $strGot) {
$strGot = strtolower($strGot); // 转为小写
foreach($words as $word) {
if (strstr($strGot, $word)) {
echo "您输入的内容含有非法字符!";
exit; // 退出运行
}
}
}// foreach
}
checkIllegalWord(); // 在本文件被包含时即自动调用
?>
给你个参考
function checkIllegalWord ()
{
// 定义不允许提交的SQL命令及关键字
$words = array();
$words[] = " add ";
$words[] = " count ";
$words[] = " create ";
$words[] = " delete ";
$words[] = " drop ";
$words[] = " from ";
$words[] = " grant ";
$words[] = " insert ";
$words[] = " select ";
$words[] = " truncate ";
$words[] = " update ";
$words[] = " use ";
$words[] = "-- ";
// 判断提交的数据中是否存在以上关键字, $_REQUEST中含有所有提交数据
foreach($_REQUEST as $strGot) {
$strGot = strtolower($strGot); // 转为小写
foreach($words as $word) {
if (strstr($strGot, $word)) {
echo "您输入的内容含有非法字符!";
exit; // 退出运行
}
}
}// foreach
}
checkIllegalWord(); // 在本文件被包含时即自动调用
?>
给你个参考
本回答由提问者推荐
已赞过
已踩过<
评论
收起
你对这个回答的评价是?
展开全部
//php sql防注入代码
class sqlin
{
//dowith_sql($value)
function dowith_sql($str)
{
$str = str_replace("and","",$str);
$str = str_replace("execute","",$str);
$str = str_replace("update","",$str);
$str = str_replace("count","",$str);
$str = str_replace("chr","",$str);
$str = str_replace("mid","",$str);
$str = str_replace("master","",$str);
$str = str_replace("truncate","",$str);
$str = str_replace("char","",$str);
$str = str_replace("declare","",$str);
$str = str_replace("select","",$str);
$str = str_replace("create","",$str);
$str = str_replace("delete","",$str);
$str = str_replace("insert","",$str);
$str = str_replace("'","",$str);
$str = str_replace(""","",$str);
$str = str_replace(" ","",$str);
$str = str_replace("or","",$str);
$str = str_replace("=","",$str);
$str = str_replace("%20","",$str);
//echo $str;
return $str;
}
//aticle()防SQL注入函数//php教程
function sqlin()
{
foreach ($_GET as $key=>$value)
{
$_GET[$key]=$this->dowith_sql($value);
}
foreach ($_POST as $key=>$value)
{
$_POST[$key]=$this->dowith_sql($value);
}
}
}
class sqlin
{
//dowith_sql($value)
function dowith_sql($str)
{
$str = str_replace("and","",$str);
$str = str_replace("execute","",$str);
$str = str_replace("update","",$str);
$str = str_replace("count","",$str);
$str = str_replace("chr","",$str);
$str = str_replace("mid","",$str);
$str = str_replace("master","",$str);
$str = str_replace("truncate","",$str);
$str = str_replace("char","",$str);
$str = str_replace("declare","",$str);
$str = str_replace("select","",$str);
$str = str_replace("create","",$str);
$str = str_replace("delete","",$str);
$str = str_replace("insert","",$str);
$str = str_replace("'","",$str);
$str = str_replace(""","",$str);
$str = str_replace(" ","",$str);
$str = str_replace("or","",$str);
$str = str_replace("=","",$str);
$str = str_replace("%20","",$str);
//echo $str;
return $str;
}
//aticle()防SQL注入函数//php教程
function sqlin()
{
foreach ($_GET as $key=>$value)
{
$_GET[$key]=$this->dowith_sql($value);
}
foreach ($_POST as $key=>$value)
{
$_POST[$key]=$this->dowith_sql($value);
}
}
}
更多追问追答
追问
能不能帮忙看下问题补充里面的代码为什么运行不出结果么?谢谢!
追答
$search=$_POST["$keyword"];
改成$search=$_POST[$keyword];
看看
已赞过
已踩过<
评论
收起
你对这个回答的评价是?
推荐律师服务:
若未解决您的问题,请您详细描述您的问题,通过百度律临进行免费专业咨询
