Below is a regular expression meant to block user input that contains certain SQL keywords.
I had always assumed it was correct; it never gave me much trouble, and my own tests passed.
But the keyword list contains and, so a user who enters a name such as Andy gets rejected, and the expression has to be adjusted using some properties of SQL syntax.
Note: in a regular expression \s matches a whitespace character (a space, tab or newline, not only a space), and the trailing i modifier makes the match case-insensitive.
The changes are as follows. select, insert, update and delete may or may not be preceded by whitespace when used, but must be followed by it, so the pattern becomes [\s]*select\s. (Because * also allows zero repetitions, the leading [\s]* does not actually constrain anything; select\s alone matches exactly the same inputs.)
and, or, union and the like only take effect as SQL keywords when whitespace precedes them, so those become \sand\s, with whitespace required on both sides.
function Inject_check($Sql_str) { // Check the input for SQL injection keywords.
    // The original pattern was:
    // /select|insert|update|delete|and|or|\'|\\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i
    // First revision, with the whitespace anchors added keyword by keyword:
    // $check = preg_match('/[\s]*select\s|[\s]*insert\s|[\s]*update\s|[\s]*delete\s|\sand\s|\sor\s|\'|\\*|\*|\.\.\/|\.\/|\sunion\s|\sinto\s|load_file|outfile/i', $Sql_str);
    // That is too ugly, so the keywords are grouped, with join, like, regexp, where and the # comment marker added
    // (the i modifier makes the case of the keywords irrelevant):
    $check = preg_match('/[\s]*(select|insert|update|delete)\s|\s(and|or|join|like|regexp|where|union|into)\s|\#|\'|\\*|\*|\.\.\/|\.\/|load_file|outfile/i', $Sql_str);
    if ($check) {
        // Note: this echoes the raw input back into a script block; escape it (e.g. with json_encode) before reusing this on a real page.
        echo '<script language="JavaScript">alert("Warning!\r\n' . $Sql_str . ' is invalid.");</script>';
        exit();
    } else {
        return $Sql_str;
    }
}
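To see what the whitespace anchors actually change, here is an added example (my own harness, not code from the original post) that runs the post's original pattern and its revised form side by side over a few constructed inputs. The inputs, the constant names and the helper matches_blacklist are all made up for illustration; the two patterns are copied from the post.

```php
<?php
// Added example, not part of the original post: run the post's original
// blacklist pattern and its revised form side by side over a handful of
// constructed inputs, to show what the \s anchors change. The inputs and
// the helper names are made up for illustration.

// Original pattern quoted in the post: bare keywords, matched anywhere in the input.
const ORIGINAL_PATTERN = '/select|insert|update|delete|and|or|\'|\\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i';

// Revised pattern from the post: keywords must be delimited by whitespace.
const REVISED_PATTERN = '/[\s]*(select|insert|update|delete)\s|\s(and|or|join|like|regexp|where|union|into)\s|\#|\'|\\*|\*|\.\.\/|\.\/|load_file|outfile/i';

// True when the blacklist pattern matches somewhere in $input.
function matches_blacklist(string $pattern, string $input): bool
{
    return preg_match($pattern, $input) === 1;
}

// Constructed inputs: legitimate names that contain "and"/"or" as substrings,
// and a few injection-shaped strings.
$samples = [
    'Andy',                  // contains "and": blocked by the original, passes the revision
    'Orlando',               // contains "or" and "and": same
    '1 and 1=1',             // " and " with whitespace on both sides: both block it
    "1' or '1'='1",          // the single quote alone is enough for either pattern
    '1 union select 1',      // "select " is followed by whitespace: both block it
    '1 union(select(1))',    // no whitespace after union/select: the revision lets it through
    '1||1=1',                // MySQL reads || as OR by default; neither pattern looks for it
];

printf("%-24s %-9s %s\n", 'input', 'original', 'revised');
foreach ($samples as $input) {
    printf(
        "%-24s %-9s %s\n",
        $input,
        matches_blacklist(ORIGINAL_PATTERN, $input) ? 'blocked' : 'allowed',
        matches_blacklist(REVISED_PATTERN, $input) ? 'blocked' : 'allowed'
    );
}
```

Run it with php from the command line. The first two rows show the false positive the post set out to fix going away; the last two rows show the flip side of anchoring on whitespace: a keyword written without the expected surrounding whitespace, or an operator spelled with symbols instead of a word, is not in the blacklist at all.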
When using regular expressions in PHP for anti-injection validation, these details need attention. A keyword blacklist like this is a coarse filter at best: it still rejects legitimate input that happens to contain a keyword with whitespace around it, and input that avoids the exact whitespace the pattern expects passes straight through. Parameterized queries (prepared statements) are the dependable defense; a filter like this is at most a supplement.