SQL injection prevention: detailed explanation and code

I have recently been building a themed voting website, and the client knows a bit about programming. They specifically required that certain characters be filtered to prevent SQL injection.

$magic_quotes_gpc = get_magic_quotes_gpc();   // magic quotes are gone from PHP 8.0; on older versions the wrapper escapes only when they are off
@extract(daddslashes($_COOKIE));              // extract() registers every request key as a global variable
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if (!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}

// Recursively apply addslashes() to a value or array of values,
// unless magic_quotes_gpc has already escaped it (or $force is set)
function daddslashes($string, $force = 0) {
    if (!$GLOBALS['magic_quotes_gpc'] || $force) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}

Below is an ASP SQL injection prevention function.

<%
Dim sql_injdata, sql_inj, sql_get, sql_post, sql_data
' Keyword blacklist; the leading "'" entry rejects any value containing a single quote
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
sql_inj = Split(sql_injdata, "|")

' Check every query-string parameter for a blacklisted substring
If Request.QueryString <> "" Then
    For Each sql_get In Request.QueryString
        For sql_data = 0 To UBound(sql_inj)
            If InStr(Request.QueryString(sql_get), sql_inj(sql_data)) > 0 Then
                Response.Write "<script language=javascript>alert('注意:请不要提交非法请求!');history.back(-1)</script>"
                Response.End
            End If
        Next
    Next
End If

' Same check for every form field
If Request.Form <> "" Then
    For Each sql_post In Request.Form
        For sql_data = 0 To UBound(sql_inj)
            If InStr(Request.Form(sql_post), sql_inj(sql_data)) > 0 Then
                Response.Write "<script language=javascript>alert('注意:请不要提交非法请求!');history.back(-1)</script>"
                Response.End
            End If
        Next
    Next
End If
%>

Call the function at the point where the database operation is performed.

Injection prevention is just filtering special characters and SQL commands, as follows.

I will not provide the anti-cross-site (XSS) code.

Sub f_sql()
    Dim q_post, q_get, q_in, q_inf, i
    ' q_in = "'|and|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare"
    ' define the characters that must not pass
    q_in = "'|exec|insert|select|delete|update|*|chr|truncate|declare|"
    ' note: the trailing "|" gives Split an empty last element, and InStr(value, "") returns 1
    ' for any non-empty value, so a loop like the one above would reject every input with this list
    q_inf = Split(q_in, "|")
    ' the rest of the routine is not given on the page
End Sub
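Both techniques on this page, the substring keyword blacklist of the ASP filter and the escaping done by the PHP daddslashes wrapper, act on the data before it is spliced into a query string. The example below is added here and is not code from the original post; it is written in Python with the standard-library sqlite3 module so the point can be run without a web server. It mirrors the ASP keyword list on a few constructed, legitimate inputs to show how many ordinary values the blacklist refuses, then stores the same values through parameterized queries, where quotes and keywords inside the data cannot alter the statement. The table, column names and input values are constructed for the example.

```python
"""Added example (not code from the original post): the keyword blacklist from
the ASP filter compared with parameterized queries on an in-memory SQLite DB."""
import sqlite3

# Keyword list copied from the post's ASP filter (sql_injdata), split on "|".
# The leading "'" entry means any value containing a single quote is rejected.
BLACKLIST = (
    "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
).split("|")


def blacklist_rejects(value: str) -> bool:
    """Mirror of the ASP check: reject if any keyword is a substring (case-insensitive)."""
    lowered = value.lower()
    return any(word in lowered for word in BLACKLIST)


def false_positives(inputs):
    """Return the inputs the blacklist would refuse."""
    return [v for v in inputs if blacklist_rejects(v)]


def setup_db() -> sqlite3.Connection:
    """Constructed schema: one table of votes for the hypothetical poll site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE poll_vote (voter TEXT, choice TEXT)")
    return conn


def record_vote(conn: sqlite3.Connection, voter: str, choice: str) -> int:
    """Parameterized INSERT: the driver passes values separately from the SQL text,
    so quotes or keywords in the data are stored as data. Returns rows changed so far."""
    conn.execute("INSERT INTO poll_vote (voter, choice) VALUES (?, ?)", (voter, choice))
    return conn.total_changes


def votes_for(conn: sqlite3.Connection, voter: str):
    """Parameterized SELECT; a voter name containing a quote is looked up as-is."""
    cur = conn.execute("SELECT choice FROM poll_vote WHERE voter = ?", (voter,))
    return [row[0] for row in cur.fetchall()]


def demo():
    # Constructed, ordinary inputs; all but "Bob Lee" contain a blacklisted substring
    legit = ["Bob Lee", "Andrea", "Chris Charter", "Update from Brussels", "O'Brien"]
    blocked = false_positives(legit)

    conn = setup_db()
    for name in legit:
        # the choice text also contains "select" and "count"; harmless as a bound parameter
        record_vote(conn, name, "Select Committee on Accounts")
    return blocked, votes_for(conn, "O'Brien")


if __name__ == "__main__":
    blocked, obrien = demo()
    print("refused by blacklist:", blocked)
    print("votes stored for O'Brien:", obrien)
```

Running the block prints four of the five names as refused (everything except "Bob Lee") while the parameterized path stores and retrieves all of them, including the name with the apostrophe. The substring match is what makes the blacklist coarse: "and" matches "Andrea", "chr" and "char" match "Chris Charter", and a single quote in a surname is rejected outright. Binding values as parameters keeps the SQL text fixed regardless of the data, which is why it is the preferred control rather than escaping or keyword filtering.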
