SQL防注入

php

浏览数:406

2019-1-7


防注入

//防止SQL注入代码,请将该文件中前两段代码添加到自己项目index.php的最前面即可
//判断是否含有SQL注入并跳出
function sqlInj($value) {
    if (is_string($value)) {
        $arr =array('UPDATEXML','UPDATE','WHERE','EXEC','INSERT','SELECT','DELETE','COUNT','CHR','MID','MASTER','TRUNCATE','DECLARE','BIND','DROP'
        ,'CREATE',' EXP ','EXP%',' OR ','XOR',' LIKE ','NOTLIKE','NOT BETWEEN','NOTBETWEEN','BETWEEN','NOTIN','NOT IN','CONTACT','EXTRACTVALUE'
        ,'LOAD_FILE','INFORMATION_SCHEMA','INFORMATION_SCHEMA','outfile','%20','into','union');
        foreach ($arr as $a) {
            if (stripos($value, $a) !== false) exit(json_encode(array('status' => -1, 'info' => '参数错误,含有敏感字符' . $a, 'data' => array($a)), 0));
        }
    } elseif (is_array($value)) {
        foreach ($value as $v) {
            sqlInj($v);
        }
    }
}

//防止微信支付宝回调被屏蔽
if (stripos($_SERVER['PHP_SELF'], 'wxNotify') === false && stripos($_SERVER['PHP_SELF'], 'alipayNotify') === false)
    sqlInj($_REQUEST);//不是回调方法时执行防止SQL注入代码