传入用户提交的参数时使用这段代码提供的函数先对参数进行处理,然后传入sql语句,
用:
mysqlquery(“INSERT INTO table VALUES(‘” . sqlsanitize($_POST[“variable”) . “‘)”);
替代:
mysqlquery(“INSERT INTO table VALUES(‘” . $POST[“variable”] . “‘”);
/* Function: sql_sanitize( $sCode ) Description: "Sanitize" a string of SQL code to prevent SQL injection. Parameters: $sCode The SQL code which you wish to sanitize. Example: mysql_query('UPDATE table SET value="' . sql_sanitize("' SET id='4'") . '" WHERE id="1"'); Requirements: PHP version 4 or greater Notes: Author: engel <engel@engel.uk.to> */ function sql_sanitize( $sCode ) { if ( function_exists( "mysql_real_escape_string" ) ) { // If PHP version > 4.3.0 $sCode = mysql_real_escape_string( $sCode ); // Escape the MySQL string. } else { // If PHP version < 4.3.0 $sCode = addslashes( $sCode ); // Precede sensitive characters with a backslash \ } return $sCode; // Return the sanitized code }