帮助中心 登录 官网首页

防止sql注入补丁

本补丁 由 QQ 木偶人  提供

首先在  www\Application\Common\Common\function.php 文件添加一个方法 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
/**
 * 转换SQL关键字
 *
 * @param unknown_type $string
 * @return unknown
 */
function strip_sql($string) {
    $pattern_arr array(
            "/\bunion\b/i",
            "/\bselect\b/i",
            "/\bupdate\b/i",
            "/\bdelete\b/i",
            "/\boutfile\b/i",
            "/\bor\b/i",
            "/\bchar\b/i",
            "/\bconcat\b/i",
            "/\btruncate\b/i",
            "/\bdrop\b/i",            
            "/\binsert\b/i"
            "/\brevoke\b/i"
            "/\bgrant\b/i",      
            "/\breplace\b/i"
            "/\balert\b/i"
            "/\brename\b/i",            
            "/\bmaster\b/i",
            "/\bdeclare\b/i",
            "/\bsource\b/i",
            "/\bload\b/i",
            "/\bcall\b/i"
            "/\bexec\b/i",         
            "/\bdelimiter\b/i",            
          
    );
    $replace_arr array(
            'union',
            'select',
            'update',
            'delete',
            'outfile',
            'or',
            'char',
            'concat',
            'truncate',
            'drop',            
            'insert',
            'revoke',
            'grant',
            'replace',
            'alert',
            'rename',
            'master',
            'declare',
            'source',
            'load',
            'call',                     
            'exec',         
            'delimiter',
                               
    );
 
    return is_array($string) ? array_map('strip_sql'$string) : preg_replace($pattern_arr$replace_arr$string);
}

文章未显示完整,要查看完整内容,请购买正版