php sql anti-injection program code

SQL injection attacks refer to constructing special inputs and passing them into web applications as parameters. Most of these inputs are some combinations of SQL syntax. The main reason for this is to execute SQL statements and then perform the operations desired by the attacker. The program did not carefully filter the data entered by the user, causing illegal data to invade the system.

According to relevant technical principles, SQL injection can be divided into platform layer injection and code layer injection. The former is caused by insecure database configuration or database platform vulnerabilities; the latter is mainly caused by programmers not carefully filtering the input, thereby executing illegal data queries. Based on this, the causes of SQL injection usually manifest in the following aspects: ① Improper type processing; ② Unsafe database configuration; ③ Unreasonable query set processing; ④ Impropererror handling; ⑤ Transfer Improper handling of semantic characters; ⑥ Improper handling of multiple submissions.

This article mainly introduces a general anti-injection code.The code is as follows:

function jk1986_checksql() { $bad_str = "and|select|update|'|delete|insert|*"; $bad_Array = explode("|",$bad_str); /** 过滤Get参数 **/ foreach ($bad_Array as $bad_a) { foreach ($_GET as $g) { if (substr_count(strtolower($g),$bad_a) > 0) { echo ""; exit(); } } } /** 过滤Post参数 **/ foreach ($bad_Array as $bad_a) { foreach ($_POST as $p) { if (substr_count(strtolower($p),$bad_a) > 0) { echo ""; exit(); } } } /** 过滤Cookies参数 **/ foreach ($bad_Array as $bad_a) { foreach ($_COOKIE as $co) { if (substr_count(strtolower($co),$bad_a) > 0) { echo ""; exit(); } } } }

The above is the detailed content of php sql anti-injection program code. For more information, please follow other related articles on the PHP Chinese website!