php¶Ôsql injectionµÄ·À·¶
¶Ôhttp request¹ýÀ´µÄÊý¾Ý£¬·²ÊǺ¬Óе¥ÒýºÅ£¬Ë«ÒýºÅ£¬·´Ð±Ïߵȶ¼½øÐмÓбÏß´¦Àí¡£·ÀÖ¹½øÐÐ×¢Èë²Ù×÷¡£
/*
¶ÂSQL©¶´
*/
function quotes($content){
//Èç¹ûmagic_quotes_gpc=Off£¬ÄÇô¾Í¿ªÊ¼´¦Àí
if (!get_magic_quotes_gpc()) {
//ÅжÏ$contentÊÇ·ñΪÊý×é
if (is_array($content)) {
//Èç¹û$contentÊÇÊý×飬ÄÇô¾Í´¦ÀíËüµÄÿһ¸öµ¥ÎÞ
foreach ($content as $key=>$value) {
$content[$key] = mysql_real_escape_string($value);
}
} else {
//Èç¹û$content²»ÊÇÊý×飬ÄÇô¾Í½ö´¦ÀíÒ»´Î
$content = mysql_real_escape_string($content);
}
}
//·µ»Ø$content
return $content;
}
µ±´«µÝ¹ýÀ´µÄ²ÎÊýÊÇÒ»¸öidµÄ»°¡£ÄÇôÎÒÃÇ¿ÉÒÔÖ±½ÓÓà $id = intval($_GET('id'));½øÐÐintÐÍ´¦Àí£¨ÓÃsettypeÒ²ÐУ©¡£
ÍøÉÏÒ²ÓÐÈËÊǶÔÆä¹Ø¼ü×Ö¹ýÂ˽øÐд¦ÀíµÄ£¬È磺
function inject_check($sql_str){
return eregi('select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile', $sql_str); // ½øÐйýÂË
}
ÎÒ¾õµÃ´Ë·½·¨²»¿ÉÈ¡ÊÇÒòΪÎÒÔÚÒ»¸ö´óµÄÊäÈë¿òÀïPOST¹ýÀ´µÄÊý¾Ý»ò¶à»òÉÙ¶¼°üº¬ÕâЩ¹Ø¼ü×Ö£¬ÄѵÀɱһÙÓ°Ù£¿ËäÈ»ÕâÑù¸ü°²È«£¬µ«²»·½±ã¡£
ËùÒÔÎÒ²ÉÓÃÉÏÒ»¸ö·½·¨£¬Èç¹ûÉÏÒ»¸ö·½·¨ÓÐÉÏÃæ²»ºÃÖ®´¦»òÕßÒÉÎÊ£¬¿ÉÒÔÁôÑÔÌÖÂÛ¡££º£©
Ïà¹ØÎĵµ£º
ϵͳ»·¾³£ºWindows 7
Èí¼þ»·¾³£ºVisual C++ 2008 SP1 +SQL Server 2005
±¾´ÎÄ¿µÄ£º±àдһ¸öº½¿Õ¹ÜÀíϵͳ
ÕâÊÇÊý¾Ý¿â¿Î³ÌÉè¼ÆµÄ³É¹û£¬ËäÈ»³É¼¨²»¼Ñ£¬µ«ÊÇ×÷ΪÎÒÓÃVC++ ÒÔÀ´±àдµÄ×î´ó³ÌÐò»¹ÊÇ´«µ½ÍøÉÏ£¬ÒÔ¹©²Î¿¼¡£ÓÃVC++ ×öÊý¾Ý¿âÉè¼Æ²¢²»ÈÝÒ×£¬µ«Ò²²»ÊDz»¿ÉÄÜ¡£ÒÔÏÂÊÇÎҵijÌÐò½çÃ棬ºóÃæ ......
¹¦ÄÜ£º·µ»Ø×Ö·û¡¢¶þ½øÖÆ¡¢Îı¾»òͼÏñ±í´ïʽµÄÒ»²¿·Ö
Óï·¨£ºSUBSTRING ( expression, start, length )
SQL ÖÐµÄ substring º¯ÊýÊÇÓÃÀ´×¥³öÒ»¸öÀ¸Î»×ÊÁÏÖеÄÆäÖÐÒ»²¿·Ö¡£Õâ¸öº¯ÊýµÄÃû³ÆÔÚ²»Í¬µÄ×ÊÁÏ¿âÖв»ÍêÈ«Ò»Ñù£º
²ÎÊý£º
expression ×Ö·û´®¡¢¶þ½øÖÆ×Ö·û´®¡¢Î ......
CREATE FUNCTION dbo.UF_GetInvoiceSerials( @bizCode VARCHAR(10))
RETURNS VARCHAR(100)
AS
BEGIN
DECLARE @ret AS VARCHAR(1000)
SELECT @ret=Coalesce(@ret + ', ','') +
CASE e.ID
......
´æ´¢¹ý³ÌgetRecordfromPageµÄÄÚÈÝ
//getRecordfromPage.sql
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[getRecordfromPage]') and OBJECTPROPERTY(id, N'IsProcedure') = 1)
drop procedure [dbo].[getRecordfromPage]
GO
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS OFF
G ......
