php防注入 — PHP "anti-injection" helper. Caveat: the version listed below wraps string parameters in single quotes without escaping them, so a value such as `' OR '1'='1` passes straight through; it does not actually prevent SQL injection. Prefer PDO/mysqli prepared statements with server-side binding; the function is kept here only as a legacy string-building fallback.

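/**
 * Build a SQL string by substituting each `?` placeholder with a literal value.
 *
 * SECURITY NOTE: this is client-side string interpolation, not a real prepared
 * statement. String values are wrapped in single quotes and backslash-escaped
 * for the characters MySQL treats specially inside a quoted literal
 * (\, ', ", NUL, \n, \r, \x1a) -- the same set mysql_real_escape_string()
 * handles. Unlike that function this escaping is NOT connection-charset aware,
 * so it is not safe under multibyte charsets such as GBK/SJIS (the classic
 * bypass), and it offers no protection when a value is spliced into an
 * identifier, LIMIT or ORDER BY position, where quoting is meaningless.
 * Whenever a driver is available, use PDO/mysqli prepared statements and let
 * the server bind the parameters; keep this only for legacy call sites.
 *
 * Placeholders are counted with a plain explode('?'), so a literal `?` inside
 * a quoted SQL string counts as a placeholder too.
 *
 * @param string                $sql    Query text containing zero or more `?`.
 * @param string|int|array|null $params A single value, or a list with one entry
 *                                      per placeholder. Strings are quoted and
 *                                      escaped; ints are inlined verbatim.
 * @return string The filled-in query; the untouched $sql when there are no
 *                placeholders and no parameters; or "" when the number of
 *                placeholders and parameters disagree (callers must check for
 *                "" before executing -- this mirrors the original contract).
 * @throws InvalidArgumentException when a parameter is neither string nor int.
 *                                  The original silently emitted a query with
 *                                  the value missing, which is worse than failing.
 */
function prepare_query($sql, $params = null)
{
    // Normalise the loosely-typed second argument to a list so a scalar and a
    // one-element array take the same path. The original called sizeof() on a
    // scalar (a TypeError on PHP 8) and returned an undefined $result for a
    // one-element array because gettype() was 'array', not 'string'/'integer'.
    if ($params === null) {
        $values = [];
    } elseif (is_array($params)) {
        $values = array_values($params);
    } else {
        $values = [$params];
    }

    $blocks = explode('?', $sql);
    $placeholders = count($blocks) - 1;
    $paramCount = count($values);

    // No placeholders and nothing to bind: the query is already complete.
    if ($placeholders === 0 && $paramCount === 0) {
        return $sql;
    }

    // Any count mismatch is reported as "" rather than a partially filled query.
    if ($placeholders < 1 || $paramCount < 1 || $placeholders !== $paramCount) {
        return '';
    }

    $result = '';
    foreach ($values as $i => $value) {
        if (is_string($value)) {
            $literal = "'" . prepare_query_escape($value) . "'";
        } elseif (is_int($value)) {
            $literal = (string) $value;
        } else {
            throw new InvalidArgumentException(
                'prepare_query: parameter #' . $i . ' must be a string or int, '
                . gettype($value) . ' given'
            );
        }
        $result .= $blocks[$i] . $literal;
    }

    // Append the text after the last placeholder. The original loop stopped at
    // $param_size blocks and silently dropped it (e.g. a trailing ORDER BY).
    return $result . $blocks[$placeholders];
}

/**
 * Backslash-escape the characters MySQL interprets inside a quoted literal.
 *
 * strtr() with an array map performs a single left-to-right pass, so a
 * backslash produced by one replacement is never re-escaped by another.
 * See the charset caveat on prepare_query(): this is byte-oriented and is not
 * a substitute for driver-level escaping or, better, bound parameters.
 *
 * @param string $value Raw parameter value.
 * @return string Escaped value, without surrounding quotes.
 */
function prepare_query_escape($value)
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}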
