<?
// Filter function: a keyword blacklist meant to catch SQL-injection attempts (see the warning on inject_check)
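/**
 * Keyword blacklist "filter" for SQL-injection attempts.
 *
 * Echoes a message and terminates the script when $sql_str contains one of
 * the listed SQL keywords or comment/path sequences (case-insensitive);
 * otherwise returns the input unchanged.
 *
 * WARNING (review): a keyword blacklist is NOT a defense against SQL
 * injection and must not be relied on as one.  Payloads that contain none of
 * the listed tokens (e.g. `1 or 1=1`) pass straight through, while ordinary
 * values that merely contain a token ("selected", "Antonio" via `into`) are
 * rejected.  The only real fix is to never interpolate user input into SQL:
 * use prepared statements with bound parameters.  This function is kept for
 * backward compatibility of the call sites only.
 *
 * @param string $sql_str raw user input (e.g. a query-string value)
 * @return string the unchanged input when no blacklisted token is found;
 *                does not return (exit) when one is found
 */
function inject_check($sql_str) {
    // The original eregi() pattern could not even be parsed (an unescaped
    // quote ended the string literal and bare `*` / `/*` are invalid
    // quantifiers), and eregi() itself was removed in PHP 7.  Each token is
    // therefore escaped with preg_quote() so `*`, `/`, `.` and `'` are
    // matched literally.
    $tokens = [
        'select', 'insert', 'update', 'delete', "'", '/*', '*', '../', './',
        'union', 'into', 'load_file', 'outfile',
    ];
    $escaped = [];
    foreach ($tokens as $token) {
        $escaped[] = preg_quote($token, '~');
    }
    // `i` keeps the case-insensitive behaviour eregi() had.
    $pattern = '~' . implode('|', $escaped) . '~i';

    // (string) cast: a missing GET parameter arrives as null, which newer
    // PHP versions refuse to pass to string parameters.
    if (preg_match($pattern, (string) $sql_str) === 1) {
        echo "你输入非法字符!"; // "You entered illegal characters!" (kept verbatim)
        exit();
    }
    return $sql_str;
}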
// Call the filter on the request parameter, then build and display the query
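// Quoted array key: a bare `id` is an undefined constant (a fatal Error since
// PHP 8).  A missing parameter is passed as '' so the filter sees a string.
$_GET['id'] = inject_check(isset($_GET['id']) ? $_GET['id'] : '');

// SECURITY (review): interpolating $_GET['id'] into the statement is still an
// injection sink no matter what the blacklist above rejects (e.g. `1 or 1=1`
// contains none of the blacklisted tokens).  Against a real connection, bind
// the value instead of interpolating it:
//   $stmt = $pdo->prepare('select * from `tabel` where `id` = ?');
//   $stmt->execute([$_GET['id']]);
// This page only displays the statement, so the string form is kept for
// that purpose (keyword text restored from the mangled `s*elect`/`f*rom`).
$sql = "select * from `tabel` where `id` ='{$_GET['id']}'";

// The statement embeds user input, so echoing it raw is a reflected-XSS sink
// when the response is HTML (the blacklist blocks `'` but not `<script>`).
// Escaped on the assumption that this script renders into an HTML page —
// drop the escaping if the output is genuinely plain text.
echo htmlspecialchars($sql, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');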
?>