php預(yù)防sql注入漏洞的方法:
利用magic_quotes_gpc指令或它的搭擋addslashes()函數(shù)進(jìn)行過濾,例如:
<?php//php防注入和XSS攻擊通用過濾
$_GET && SafeFilter($_GET);
$_POST && SafeFilter($_POST);
$_COOKIE && SafeFilter($_COOKIE);
function SafeFilter (&$arr)
{
$ra=Array('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/','/script/','/javascript/','/vbscript/','/expression/','/applet/'
,'/meta/','/xml/','/blink/','/link/','/style/','/embed/','/object/','/frame/','/layer/','/title/','/bgsound/'
,'/base/','/onload/','/onunload/','/onchange/','/onsubmit/','/onreset/','/onselect/','/onblur/','/onfocus/',
'/onabort/','/onkeydown/','/onkeypress/','/onkeyup/','/onclick/','/ondblclick/','/onmousedown/','/onmousemove/'
,'/onmouseout/','/onmouseover/','/onmouseup/','/onunload/');
if (is_array($arr))
{
foreach ($arr as $key => $value)
{
if (!is_array($value))
{
if (!get_magic_quotes_gpc()) //不對magic_quotes_gpc轉(zhuǎn)義過的字符使用addslashes(),避免雙重轉(zhuǎn)義��。
{
$value = addslashes($value); //給單引號(')�����、雙引號(")���、反斜線(\)與 NUL(NULL 字符)
加上反斜線轉(zhuǎn)義
}
$value = preg_replace($ra,'',$value); //刪除非打印字符����,粗暴式過濾xss可疑字符串
$arr[$key] = htmlentities(strip_tags($value)); //去除HTML和PHP標(biāo)記并轉(zhuǎn)換為HTML實(shí)體
}
else
{
SafeFilter($arr[$key]);
}
}
}
}
?>
