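/**
 * Quote one value for interpolation into SQL text.
 *
 * The original implementation only wrapped strings in single quotes and never
 * escaped the quotes inside them, so a value containing `'` could terminate
 * the literal early. Embedded single quotes are now doubled, which is the
 * standard SQL string-literal escape (and what Interbase/Firebird expects).
 *
 * @param mixed $arg   null, bool, int, float or string
 * @param bool  $strip whether magic_quotes_gpc slashes must be removed first
 * @return string SQL fragment representing the value
 * @throws InvalidArgumentException for arrays, objects and resources
 */
function _quote_query_value($arg, $strip)
{
    // Kept from the original: null and '' both become an empty string literal.
    if ($arg === null || $arg === '') {
        return "''";
    }
    // The original used empty(), which also turned 0, '0' and false into ''
    // (so `where id=?` with $id = 0 became `where id=''`). Numbers and
    // booleans now keep their value.
    if (is_bool($arg)) {
        return $arg ? '1' : '0';
    }
    if (is_int($arg) || is_float($arg)) {
        return (string) $arg;
    }
    if (is_string($arg)) {
        if ($strip) {
            $arg = stripslashes($arg);
        }
        return "'" . str_replace("'", "''", $arg) . "'";
    }
    throw new InvalidArgumentException('System error: query parameter');
}

/**
 * Build a SQL string by substituting the values in $args for the `?`
 * placeholders in the first element of $args.
 *
 * This reduces, but does not eliminate, the risk of building SQL from strings
 * (for example a literal '?' inside a string constant in $sql is also treated
 * as a placeholder, as in the original). Prefer driver-level binding such as
 * ibase_prepare()/ibase_execute() where the driver supports it.
 *
 * @param array $args [0] => SQL text with `?` placeholders, [1..] => values,
 *                    one per placeholder (null, bool, int, float or string)
 * @return string the SQL text with every placeholder replaced
 * @throws InvalidArgumentException when the number of placeholders does not
 *         match the number of values, or a value is not scalar/null
 */
function _prepare_query($args)
{
    $sql = array_shift($args);
    if (count($args) === 0) {
        return $sql;
    }

    $pieces = explode('?', $sql);
    if (count($pieces) !== count($args) + 1) {
        throw new InvalidArgumentException('System error: query syntax');
    }

    // get_magic_quotes_gpc() was removed in PHP 8.0; guard the call so the
    // helper still runs there (magic quotes are then simply never active).
    $strip = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

    $i = 0;
    foreach ($args as $arg) {
        $pieces[$i++] .= _quote_query_value($arg, $strip);
    }

    return implode('', $pieces);
}

/**
 * Run a query on the default Interbase connection.
 *
 * @param mixed ...$args SQL text with `?` placeholders, followed by one
 *                       value per placeholder
 * @return mixed whatever ibase_query() returns for the built statement
 * @throws InvalidArgumentException see _prepare_query()
 */
function do_query(...$args)
{
    $sql = _prepare_query($args);
    return ibase_query($sql);
}
// Usage: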
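// Example call: one value per `?` placeholder, in order ("orderby" in the
// original example was not valid SQL).
do_query('select * from table1 where id = ? and datein = ? order by id', $id, $aDate);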
// NOTE(review): this span repeats the body of _prepare_query() above, but the
// `function _prepare_query($args)` header is missing, so it parses as a bare
// block at file scope (and the do_query() below is a second declaration of
// the same function). It looks like a duplicated paste; the first copy is the
// real definition.
{
$sql = array_shift($args);
if (count($args)) {
$pieces = explode('?', $sql);
if (count($pieces) != count($args) + 1)
die('System error: query syntax'); $strip = get_magic_quotes_gpc();
// get_magic_quotes_gpc() no longer exists on PHP 8.0+, so this line fails there.
$i = 0;
foreach ($args as $arg) {
// empty() also matches 0, '0' and false, so those become '' instead of 0.
if (is_null($arg) || empty($arg))
$arg = "''";
else if (is_scalar($arg)) {
if (is_string($arg)) {
if ($strip)
$arg = stripslashes($arg);
// Only wraps the value in quotes; embedded single quotes are not escaped,
// so a value containing ' can terminate the literal early.
$arg = "'" . $arg . "'";
}
} else
die('System error: query parameter');
$pieces[$i++] .= $arg;
} $sql = implode('', $pieces);
}
return $sql;
}function do_query()
{
// Builds the SQL text via _prepare_query() and runs it on the default connection.
$args = func_get_args();
$sql = _prepare_query($args);
return ibase_query($sql);
}使用时这样:
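// Example call: one value per `?` placeholder, in order ("orderby" in the
// original example was not valid SQL).
do_query('select * from table1 where id = ? and datein = ? order by id', $id, $aDate);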