sql injection À» ÇÇÇϱâ À§ÇØ single quote ¸¦ escape ½ÃÄÑÁÖ´Â Äڵ带 ÀÛ¼ºÇؾßÇÒ ÇÊ¿ä°¡ ÀÖ¾ú´Âµ¥, ¸Å¹ø ÇϳªÇϳª¿¡ ´ëÇØ mysql_real_escape_string À» È£ÃâÇØÁÖ´Â °Ç ³Ê¹«³ªµµ ¹ø°Å·Î¿ü´Ù. ¹º°¡ °£´ÜÇÏ°Ô Ã³¸®ÇÒ ¹æ¹ýÀÌ ¾øÀ»±î ÇÏ°í ã¾ÆºÃ´õ´Ï ¿Ø°É! array_map À̶ó´Â ¸¶¹ýÀÇ ÇÔ¼ö¸¦ ¹ß°ßÇÒ ¼ö ÀÖ¾ú´Ù.
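/*
 * Request-level input escaping for legacy mysql_* code.
 *
 * Undoes magic_quotes_gpc (when enabled) and then applies
 * mysql_real_escape_string() to every scalar in $_GET, $_POST, $_COOKIE
 * and $_REQUEST, recursing into nested arrays.
 *
 * Limits a maintainer should know before relying on this:
 *  - It is a stopgap, not a substitute for parameterized queries
 *    (PDO / mysqli prepared statements). Values are escaped for SQL
 *    string literals only, so they are still unsafe in numeric
 *    contexts, LIKE patterns and identifiers, and the added backslashes
 *    leak into every non-SQL use of the input (HTML output, file
 *    names, comparisons).
 *  - mysql_real_escape_string() needs an open MySQL link and uses that
 *    link's character set. Without a link it emits E_WARNING and
 *    returns false; that case is treated as fatal below instead of
 *    silently turning every request value into false.
 *  - $_REQUEST is a separate copy built before this code runs, so it
 *    is escaped explicitly; otherwise code reading $_REQUEST would
 *    still see the raw input.
 *  - The mysql_* extension was removed in PHP 7; on such a runtime the
 *    escaping call fails hard (fail-closed) for any non-empty input.
 */

/**
 * Recursively strip magic-quotes backslashes from a scalar or array.
 *
 * @param mixed $var  string, or a (nested) array of strings
 * @return mixed      same shape as $var with stripslashes() applied to each leaf
 */
function stripslashes_deep($var) {
    if (is_array($var)) {
        return array_map('stripslashes_deep', $var);
    }
    return stripslashes($var);
}

/**
 * Recursively escape a scalar or array for use inside a SQL string literal.
 *
 * @param mixed $var  string, or a (nested) array of strings
 * @return mixed      same shape as $var with mysql_real_escape_string() applied to each leaf
 */
function mysql_real_escape_string_deep($var) {
    if (is_array($var)) {
        return array_map('mysql_real_escape_string_deep', $var);
    }
    $escaped = mysql_real_escape_string($var);
    // false means no MySQL link was available: fail closed rather than
    // continuing the request with the input replaced by false.
    if ($escaped === false) {
        trigger_error(
            'mysql_real_escape_string() failed: no MySQL connection available for input escaping',
            E_USER_ERROR
        );
    }
    return $escaped;
}

// Magic quotes already added backslashes; remove them first so the
// values are not escaped twice. The function_exists() guard keeps this
// file loadable on PHP versions where magic quotes no longer exist.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    if (is_array($_GET)) {
        $_GET = stripslashes_deep($_GET);
    }
    if (is_array($_POST)) {
        $_POST = stripslashes_deep($_POST);
    }
    if (is_array($_COOKIE)) {
        $_COOKIE = stripslashes_deep($_COOKIE);
    }
    if (is_array($_REQUEST)) {
        $_REQUEST = stripslashes_deep($_REQUEST);
    }
}

// Escape every request source, including $_COOKIE (part of "GPC") and the
// pre-built $_REQUEST copy, so no code path sees raw input.
if (is_array($_GET)) {
    $_GET = mysql_real_escape_string_deep($_GET);
}
if (is_array($_POST)) {
    $_POST = mysql_real_escape_string_deep($_POST);
}
if (is_array($_COOKIE)) {
    $_COOKIE = mysql_real_escape_string_deep($_COOKIE);
}
if (is_array($_REQUEST)) {
    $_REQUEST = mysql_real_escape_string_deep($_REQUEST);
}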
common function µéÀ» Á¤ÀÇÇسõÀº ÆÄÀÏ ¸Ç ¾Æ·¡ Àú Äڵ带 »ðÀÔÇعö¸®´Ï sql injection µûÀ§ ÀÌÁ¦ µÎ·Á¿öÇÒ ÇÊ¿ä°¡ ¾ø¾îÁ³´Ù. ¿òÇÏÇÏÇÖ!!
p.s) ±×³É array_map ¿¡ stripslashes ³ª mysql_real_escape_string À» »ç¿ëÇÏ°Ô µÇ¸é array °¡ ³Ñ¾î¿Â °æ¿ì ¹®Á¦°¡ »ý±æ ¼ö ÀÖ¾î¼ ¾à°£ ¼öÁ¤À» Çß½À´Ï´Ù.
October 25th, 2007 at 11:54 pm
Á¶Äï¿ä!
October 26th, 2007 at 1:34 am
ÀÌ·± ¸À¿¡ ½ºÅ©¸³Æ®¸¦ ¸øµîÁö°Ú¾î¿ä. ¸¸¾à °øÅëµÇ°Ô include ÇÏ´Â ÆÄÀÏÀÌ ¾ø°í, ¼öÁ¤ÇؾßÇÒ ÆÄÀÏÀÌ ¸¹´Ù! ½Í´Ù¸é Àú·± Äڵ带 ³ÖÀº ÆÄÀÏÀ» /home/common/avoid_sql_injection.php Á¤µµ·Î ¸¸µé°í .htaccess ¿¡ ¾Æ·¡ Äڵ带 ³Ö¾îÁ൵ µÇ¿ä. +_+
php_value auto_prepend_file /home/common/avoid_sql_injection.php
¾à°£ ¾ß¸Å±ä ÇÏÁö¸¸ ÇÏÆ° array_map À̳ª auto_prepend_file °°Àº °Ç ¾Ë¾ÆµÎ¸é ´ë°Ô À¯¿ëÇÏ°Ô ½á¸ÔÀ» ¼ö ÀÖÀ» °Í °°¾Æ¿ä. ÈåÈî