<?php
// Sample values: a well-formed UTF-8 name containing a tab, a 4-byte
// character, a backslash and a double quote, plus a numeric age.
$param1 = "哈哈1\t𤭢2\\3\"";
$param2 = "10";
// Variants: the same name with a lone 0xD5 byte (not valid UTF-8) directly
// in front of the quote, and an age that is not a plain number.
$param11 = "哈\xd5\"哈1\t𤭢2\\3\"";
$param22 = "10 union 1,2";

// Every statement has the same shape; only the two literals differ.
$query = "select * from user where username=%s and age=%s";
$sql1 = sprintf($query, literal($param1), literal(intval($param2)));
$sql2 = sprintf($query, literal($param1), literal($param2));
$sql3 = sprintf($query, literal($param11), literal(intval($param2)));
$sql4 = sprintf($query, literal($param11), literal($param22));
$sql5 = sprintf($query, literal($param11), literal(intval($param22)));

foreach (array($sql1, $sql2, $sql3, $sql4, $sql5) as $sql) {
    echo $sql, "\n";
}
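/**
 * Split a PHP byte string into an array of UTF-8 encoded characters.
 *
 * $str is assumed to be UTF-8 already; for GBK input convert it first with
 * iconv("gbk", "utf8//IGNORE", $str). Each element of the result is the
 * complete byte sequence of one character: 1 byte for 0xxx xxxx, and 2 to 6
 * bytes for the lead bytes 110x xxxx, 1110 xxxx, 1111 0xxx, 1111 10xx and
 * 1111 110x (the 5- and 6-byte forms are kept for compatibility with the
 * earlier version of this function even though RFC 3629 no longer allows them).
 *
 * A lead byte is grouped with the bytes after it only when the string is long
 * enough and every one of those bytes is a continuation byte (10xx xxxx).
 * Otherwise the lead byte is dropped and scanning resumes at the very next
 * byte, the same treatment a stray continuation byte already received.
 * Without this check a bare lead byte such as "\xd5" followed by '"' was
 * returned as one two-byte "character", so literalUTF8Char() never saw the
 * quote on its own and did not escape it.
 *
 * Only the byte structure is checked, not overlong encodings or surrogate
 * code points.
 *
 * @param string $str byte string expected to be UTF-8
 * @return array list of characters, one byte sequence each, in input order
 */
function stringToUTF8Array($str) {
    $chars = array();
    $len = strlen($str);
    $i = 0;
    while ($i < $len) {
        $lead = ord($str[$i]);
        // Sequence length announced by the lead byte; 0 when the byte cannot
        // start a sequence (continuation byte 10xx xxxx, or 0xFE / 0xFF).
        if (($lead & 0x80) == 0x00) {
            $need = 1;
        } elseif (($lead & 0xE0) == 0xC0) {
            $need = 2;
        } elseif (($lead & 0xF0) == 0xE0) {
            $need = 3;
        } elseif (($lead & 0xF8) == 0xF0) {
            $need = 4;
        } elseif (($lead & 0xFC) == 0xF8) {
            $need = 5;
        } elseif (($lead & 0xFE) == 0xFC) {
            $need = 6;
        } else {
            $need = 0;
        }
        // Every byte that follows the lead must be a continuation byte.
        $valid = $need > 0 && $i + $need <= $len;
        for ($k = 1; $valid && $k < $need; $k++) {
            $valid = (ord($str[$i + $k]) & 0xC0) == 0x80;
        }
        if ($valid) {
            $chars[] = substr($str, $i, $need);
            $i += $need;
        } else {
            // Malformed byte: drop it alone so the bytes after it are examined
            // on their own and ASCII is never merged into a sequence.
            $i++;
        }
    }
    return $chars;
}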
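/**
 * Return the source-code representation of a scalar value.
 *
 * For the string "hello" the result is "\"hello\"" (see literalUTF8String()),
 * for the integer 10 it is "10", for a bool it is "true" or "false", and any
 * other scalar (float) is converted with strval().
 *
 * This is a literal builder, not a parameter binder: when the result is
 * spliced into SQL the database still parses it as query text, so prepared
 * statements with bound parameters remain the safer choice for query values.
 *
 * @param mixed $var a scalar value
 * @return string
 * @throws Exception when $var is not a scalar (null, array, object, resource)
 */
function literal($var) {
    if (!is_scalar($var)) {
        // Report the offending type in the exception instead of dumping the
        // value: print_r() wrote the rejected data (possibly user input) to
        // the output stream before the exception was even raised.
        throw new Exception("literal function expects a scalar, got " . gettype($var));
    }
    if (is_string($var)) {
        return literalUTF8String($var);
    }
    if (is_bool($var)) {
        return $var ? "true" : "false";
    }
    return strval($var);
}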
/**
 * Quote a UTF-8 string as a double-quoted literal.
 *
 * The string is split into characters with stringToUTF8Array(), each
 * character is passed through literalUTF8Char() for escaping, and the
 * escaped pieces are joined and wrapped in double quotes.
 *
 * @param string $str UTF-8 encoded text
 * @return string the quoted and escaped literal
 */
function literalUTF8String($str) {
    $escaped = array();
    foreach (stringToUTF8Array($str) as $char) {
        $escaped[] = literalUTF8Char($char);
    }
    return '"' . implode('', $escaped) . '"';
}
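/**
 * Escape one UTF-8 character for use inside a double-quoted literal.
 *
 * Only single-byte characters can need escaping: the backslash and the double
 * quote, which would otherwise end or alter the literal, and the bytes NUL,
 * LF and CR, which are written as "\0", "\n" and "\r" so the literal stays on
 * one line and contains no raw NUL (a raw NUL ends the text early for any API
 * that takes a C string). Multi-byte characters are returned unchanged; that
 * is only safe when the caller has verified that their trailing bytes are
 * UTF-8 continuation bytes (10xx xxxx) and not, say, a stray ASCII quote.
 *
 * @param string $str one character as returned by stringToUTF8Array()
 * @return string the character, escaped if needed
 */
function literalUTF8Char($str) {
    static $escapes = array(
        "\\" => "\\\\",
        "\"" => "\\\"",
        "\0" => "\\0",
        "\n" => "\\n",
        "\r" => "\\r",
    );
    if (strlen($str) !== 1) {
        return $str;
    }
    return isset($escapes[$str]) ? $escapes[$str] : $str;
}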
?> |