万能写入sql语句,并且防注入
生活随笔
收集整理的這篇文章主要介紹了
万能写入sql语句,并且防注入
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
通過perpare()方法和檢查字段防sql注入.
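// Allow-list-driven INSERT through PDO.
// Column names are identifiers and cannot be bound as parameters, so every
// submitted key is checked against a server-side allow-list before it is
// interpolated into the statement; the values themselves are only passed to
// execute() and never concatenated into the SQL text.
$pdo = new PDO('mysql:host=localhost;dbname=scms', 'root');
// Surface SQL errors as exceptions instead of silently returning false.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Demo request body; in a real request this is the incoming $_POST.
$_POST = array('title' => 23, 'content' => 'kmm');

// $filetarr: the only columns a client is allowed to write.
$filetarr = array('title', 'content');
// $tableName: target table, fixed server-side and never taken from the request.
$tableName = 'article';

$keys = array_keys($_POST);
// An empty body would produce "insert into article() values()"; reject it.
$filtre = $keys !== array();
foreach ($keys as $value) {
    // Strict comparison so a key such as 0 or true cannot match by coercion.
    if (!in_array($value, $filetarr, true)) {
        $filtre = false;
        break;
    }
    // Scalar values only; an array value (e.g. title[]=x) cannot be bound.
    if (!is_scalar($_POST[$value])) {
        $filtre = false;
        break;
    }
}

if ($filtre) {
    // Only allow-listed identifiers reach this point, so interpolation is safe.
    $fields = implode(',', $keys);
    $fieldszwh = ':' . implode(',:', $keys);
    $sql = "insert into {$tableName}({$fields}) values({$fieldszwh})";
    $pdostatement = $pdo->prepare($sql);
    // Named placeholders correspond one-to-one with the request keys.
    $pdostatement->execute($_POST);
    var_dump($pdostatement->errorInfo());
} else {
    echo '非法字段';
}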
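// Allow-list-driven WHERE clause through PDO.
// Column names and operators are interpolated into the SQL text, so both come
// only from server-side allow-lists; request values are bound via execute()
// and never concatenated.
// $pdo: an open PDO connection is expected to exist from earlier in the
// script (not part of this snippet).
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Demo request body; in a real request this is the incoming $_POST.
$_POST = array('title' => 23, 'content' => 'km');

// $filetarr: the only columns the client may filter on.
$filetarr = array('title', 'content');
// $tableName: table name, fixed server-side.
$tableName = 'article';
// $wherearr: operator applied per column (e.g. '>', '=', 'like', 'between').
// Operators end up verbatim in the SQL, so this map must stay server-side.
$wherearr = array('title' => 'like', 'content' => '>');
// Operators that $wherearr may use; anything else is rejected before use.
$allowedOps = array('=', '<>', '!=', '<', '<=', '>', '>=', 'like', 'between');

$keys = array_keys($_POST);
$conditions = array(); // one "col op :col" fragment per request key
$params = array();     // placeholder => value, handed to execute()
// An empty body would produce "select * from article where "; reject it.
$filtre = $keys !== array();

foreach ($keys as $value) {
    if (!in_array($value, $filetarr, true)) {
        $filtre = false;
        break;
    }
    // A column with no configured operator cannot be used: reject instead of
    // emitting "col  :col", which is invalid SQL.
    $op = isset($wherearr[$value]) ? $wherearr[$value] : null;
    if ($op === null || !in_array($op, $allowedOps, true)) {
        $filtre = false;
        break;
    }
    $raw = $_POST[$value];
    // Scalar values only; an array value cannot be bound or exploded.
    if (!is_scalar($raw)) {
        $filtre = false;
        break;
    }
    if ($op === 'between') {
        // "low,high" becomes two placeholders. A single value is an invalid
        // range and rejects the request rather than silently truncating the
        // WHERE clause.
        $bounds = explode(',', (string) $raw);
        if (count($bounds) < 2) {
            $filtre = false;
            break;
        }
        $conditions[] = "{$value} between :{$value}left and :{$value}right";
        $params[$value . 'left'] = $bounds[0];
        $params[$value . 'right'] = $bounds[1];
    } else {
        $conditions[] = "{$value} {$op} :{$value}";
        $params[$value] = $raw;
    }
}

if ($filtre) {
    // implode() joins the fragments, so no leading "and " needs trimming.
    $where = implode(' and ', $conditions);
    $sql = "select * from {$tableName} where {$where}";
    var_dump($sql);
    $pdostatement = $pdo->prepare($sql);
    // Only the bound parameters are passed, not the raw superglobal.
    $pdostatement->execute($params);
    $re = $pdostatement->fetchAll();
    var_dump($pdostatement->errorInfo());
    var_dump($params);
    var_dump($re);
} else {
    echo '非法字段';
}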
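// Allow-list-driven INSERT through PDO.
// Column names are identifiers and cannot be bound as parameters, so every
// submitted key is checked against a server-side allow-list before it is
// interpolated into the statement; the values themselves are only passed to
// execute() and never concatenated into the SQL text.
$pdo = new PDO('mysql:host=localhost;dbname=scms', 'root');
// Surface SQL errors as exceptions instead of silently returning false.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Demo request body; in a real request this is the incoming $_POST.
$_POST = array('title' => 23, 'content' => 'kmm');

// $filetarr: the only columns a client is allowed to write.
$filetarr = array('title', 'content');
// $tableName: target table, fixed server-side and never taken from the request.
$tableName = 'article';

$keys = array_keys($_POST);
// An empty body would produce "insert into article() values()"; reject it.
$filtre = $keys !== array();
foreach ($keys as $value) {
    // Strict comparison so a key such as 0 or true cannot match by coercion.
    if (!in_array($value, $filetarr, true)) {
        $filtre = false;
        break;
    }
    // Scalar values only; an array value (e.g. title[]=x) cannot be bound.
    if (!is_scalar($_POST[$value])) {
        $filtre = false;
        break;
    }
}

if ($filtre) {
    // Only allow-listed identifiers reach this point, so interpolation is safe.
    $fields = implode(',', $keys);
    $fieldszwh = ':' . implode(',:', $keys);
    $sql = "insert into {$tableName}({$fields}) values({$fieldszwh})";
    $pdostatement = $pdo->prepare($sql);
    // Named placeholders correspond one-to-one with the request keys.
    $pdostatement->execute($_POST);
    var_dump($pdostatement->errorInfo());
} else {
    echo '非法字段';
}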
?
2.萬能條件語句,同樣通過字段限制防注入
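// Allow-list-driven WHERE clause through PDO.
// Column names and operators are interpolated into the SQL text, so both come
// only from server-side allow-lists; request values are bound via execute()
// and never concatenated.
$pdo = new PDO('mysql:host=localhost;dbname=scms', 'root');
// Surface SQL errors as exceptions instead of silently returning false.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Demo request body; in a real request this is the incoming $_POST.
$_POST = array('title' => 23, 'content' => 'km');

// $filetarr: the only columns the client may filter on.
$filetarr = array('title', 'content');
// $tableName: table name, fixed server-side.
$tableName = 'article';
// $wherearr: operator applied per column (e.g. '>', '=', 'like', 'between').
// Operators end up verbatim in the SQL, so this map must stay server-side.
$wherearr = array('title' => 'like', 'content' => '>');
// Operators that $wherearr may use; anything else is rejected before use.
$allowedOps = array('=', '<>', '!=', '<', '<=', '>', '>=', 'like', 'between');

$keys = array_keys($_POST);
$conditions = array(); // one "col op :col" fragment per request key
$params = array();     // placeholder => value, handed to execute()
// An empty body would produce "select * from article where "; reject it.
$filtre = $keys !== array();

foreach ($keys as $value) {
    if (!in_array($value, $filetarr, true)) {
        $filtre = false;
        break;
    }
    // A column with no configured operator cannot be used: reject instead of
    // emitting "col  :col", which is invalid SQL.
    $op = isset($wherearr[$value]) ? $wherearr[$value] : null;
    if ($op === null || !in_array($op, $allowedOps, true)) {
        $filtre = false;
        break;
    }
    $raw = $_POST[$value];
    // Scalar values only; an array value cannot be bound or exploded.
    if (!is_scalar($raw)) {
        $filtre = false;
        break;
    }
    if ($op === 'between') {
        // "low,high" becomes two placeholders. A single value is an invalid
        // range and rejects the request rather than silently truncating the
        // WHERE clause.
        $bounds = explode(',', (string) $raw);
        if (count($bounds) < 2) {
            $filtre = false;
            break;
        }
        $conditions[] = "{$value} between :{$value}left and :{$value}right";
        $params[$value . 'left'] = $bounds[0];
        $params[$value . 'right'] = $bounds[1];
    } else {
        $conditions[] = "{$value} {$op} :{$value}";
        $params[$value] = $raw;
    }
}

if ($filtre) {
    // implode() joins the fragments, so no leading "and " needs trimming.
    $where = implode(' and ', $conditions);
    $sql = "select * from {$tableName} where {$where}";
    var_dump($sql);
    $pdostatement = $pdo->prepare($sql);
    // Only the bound parameters are passed, not the raw superglobal.
    $pdostatement->execute($params);
    $re = $pdostatement->fetchAll();
    var_dump($pdostatement->errorInfo());
    var_dump($params);
    var_dump($re);
} else {
    echo '非法字段';
}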
?
轉載于:https://www.cnblogs.com/zuoxiaobing/p/3687824.html
總結
以上是生活随笔為你收集整理的万能写入sql语句,并且防注入的全部內容,希望文章能夠幫你解決所遇到的問題。