PHP in the use of regular expression validation, anti-injection when you need to pay attention to the details

As follows: This is a regular expression that prevents some of the keywords in the data entered by the user to contain SQL

I've always thought it was right, it's not much of a problem, and it's not a problem to test myself.

Because the keyword contains and, and if the user input Andy , Khan, so you have to combine

Some of the features of SQL to modify this regular expression

Note: \s: spaces are represented in regular expressions, and the last small "I" of a regular expression indicates case-insensitive

The changes are:select,insert,update,delete These keywords, the use of the time before there may be or no space, but the following must have a space,

So it becomes [\s]*select\s

And and,or,union these, because a space must be preceded by a space to take effect

So change into \sand \s .

function Inject_check ($Sql _str) {//Check SQL injection statements, various keywords.

//The original is this:/select|insert|update|delete|and|or|\ ' |\\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i
$check =preg_match ('/[\s]*select\s|[ \s]*insert\s|                        [\s]*update\s| [\s]*delete\s|\sand\s|\sor\s|\ ' |\\*|\*|\.\.\/|\.\/|\sunion\s|\sinto\s|load_file|outfile/i ', $Sql _str);

But it's too ugly, so change it a little bit,

$check =preg_match ('/[\s]*(Select|insert|update|delete)\s|\s (and|or|join|like|regexp| Where|union|into)\s|\#|\ ' |\\*|\*|\.\.\/|\.\/|load_file|outfile/i ', $Sql _str);
if ($check) {
Echo ' <script language= "JavaScript" >alert ("warnning!! \ r \ n '. $Sql _str. ' is invalid. '); </script> ';
exit ();
}else{
return $SQL _str;
     }
}

PHP in the use of regular expression validation, anti-injection when you need to pay attention to the details