Original article: http://www.phpddt.com/php/228.html
(1) mysql_real_escape_string -- escapes special characters in a string for use in an SQL statement, taking into account the current character set of the connection
Usage is as follows:
$sql = "select count(*) as ctr from users where username ='".mysql_real_escape_string($username)."' and password='". mysql_real_escape_string($pw)."' limit 1";
Using mysql_real_escape_string() as a wrapper around user input avoids any malicious SQL injection in that input.
(2) Turn on magic_quotes_gpc to prevent SQL injection
php.ini has a setting: magic_quotes_gpc = Off
It is off by default. When it is turned on, it automatically converts what the user submits to SQL queries, for example turning ' into \', which plays a major role in preventing SQL injection.
If magic_quotes_gpc=Off, use the addslashes() function.
(3) Custom functions
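// Returns true when $sql_str contains one of the blacklisted SQL keywords or characters.
// eregi() was removed in PHP 7.0; preg_match() with the /i flag performs the same case-insensitive match.
function inject_check($sql_str) {
    return (bool) preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
}

// Validates a numeric id parameter and returns it as an integer.
function verify_id($id = null) {
    if (!$id) {
        exit('没有提交参数！');
    } elseif (inject_check($id)) {
        exit('提交的参数非法！');
    } elseif (!is_numeric($id)) {
        exit('提交的参数非法！');
    }
    $id = intval($id);
    return $id;
}

// Escapes a string for use in a query, including the LIKE wildcards _ and %.
// get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists() guard.
function str_check($str) {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $str = addslashes($str); // filter the input
    }
    $str = str_replace("_", "\_", $str);
    $str = str_replace("%", "\%", $str);
    return $str;
}

// Same escaping as str_check(), followed by conversion for HTML output.
function post_check($post) {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $post = addslashes($post);
    }
    $post = str_replace("_", "\_", $post);
    $post = str_replace("%", "\%", $post);
    $post = nl2br($post);
    // htmlspecialchars() runs after nl2br(), so the <br /> tags it inserted are HTML-encoded as well.
    $post = htmlspecialchars($post);
    return $post;
}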
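On PHP 7 and later the mysql_* functions no longer exist, and magic_quotes_gpc was removed in PHP 5.4, so the query from (1) and the wildcard escaping from str_check() in (3) are shown here with PDO bound parameters, as an added example that is not code from the original article. Assumptions: an in-memory SQLite database (pdo_sqlite) instead of MySQL, constructed sample rows, and the function names open_demo_db(), count_matching_users() and count_usernames_like().

```php
<?php
// Added example. Assumes the pdo_sqlite extension; the table, the rows and
// the function names are constructed for this demonstration.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, password TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    foreach ([["O'Brien", 'pw-1'], ['a_b', 'pw-2'], ['axb', 'pw-3']] as $row) {
        $ins->execute($row); // constructed sample rows
    }
    return $db;
}

// The query from (1). The values travel as bound parameters, separate from
// the SQL text, so a quote inside them is never parsed as SQL.
function count_matching_users(PDO $db, string $username, string $pw): int
{
    $stmt = $db->prepare(
        'SELECT count(*) AS ctr FROM users
          WHERE username = :u AND password = :p LIMIT 1'
    );
    $stmt->execute([':u' => $username, ':p' => $pw]);
    return (int) $stmt->fetchColumn();
}

// LIKE search. Binding does not neutralise the wildcards _ and %, so they
// are escaped as str_check() does, and the escape character is declared.
function count_usernames_like(PDO $db, string $fragment): int
{
    // Escape the backslash first so the backslashes added next stay single.
    $escaped = str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $fragment);
    $stmt = $db->prepare(
        "SELECT count(*) FROM users WHERE username LIKE :pat ESCAPE '\\'"
    );
    $stmt->execute([':pat' => '%' . $escaped . '%']);
    return (int) $stmt->fetchColumn();
}

$db = open_demo_db();
var_dump(count_matching_users($db, "O'Brien", 'pw-1'));  // username with a quote
var_dump(count_matching_users($db, "O'Brien", "pw-1'")); // password with a stray quote
var_dump(count_usernames_like($db, 'a_b'));              // underscore taken literally
```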