| UTF-8 | Shift-JIS変換 | addslashes関数 | sqlSanitize自作関数 |
|---|---|---|---|
| 123 | 123 | 123 | 123 |
| -123 | -123 | -123 | -123 |
| あ | ?? | ||
| "" | "" | \"\" | \"\" |
| 表 | \ | \\ | ? |
| 表\ | \\ | \\\\ | ? |
| 表\' | \\' | \\\\\' | ? |
| 表 OR '1'='1 | \ OR '1'='1 | \\ OR \'1\'=\'1 | ?1=1 |
| \\' OR 1=1 | ?\\' OR 1=1 | ?\\\\\' OR 1=1 | ?\\\\\' OR 1=1 |
sqlSanitize自作関数
function sqlSanitize($text) {
$text = trim($text);
// 文字列がUTF-8でない場合、UTF-8に変換する
if(!mb_check_encoding($text, 'UTF-8')){
$text = str_replace(['¥¥', '/', '¥'', '"', '`',' OR '], '', $text);
$text = mb_convert_encoding($text, 'UTF-8');
}
// SQLインジェクションのための特殊文字をエスケープする
$search = array("¥¥", "¥x00", "¥n", "¥r", "'", '"', "¥x1a", "`");
$replace = array("¥¥¥¥", "¥¥0", "¥¥n", "¥¥r", "¥¥'", "¥¥¥"", "¥¥Z", "");
$text = str_replace($search, $replace, $text);
return $text;
}
テストコード
$data = ['123', '-123', 'あ', '""', '表', '表¥¥', '表¥¥¥'', "表 OR '1'='1"];
$xxx = "表¥' OR 1=1";
$data[] = mb_convert_encoding($xxx, 'Shift-JIS');
foreach($data as $str){
$str1 = mb_convert_encoding($str, 'SJIS', 'UTF-8');
$str2 = sqlSanitize($str1);
$str3 = addslashes($str1);
echo "<tr><td>{$str}</td><td>{$str1}</td><td>{$str3}</td><td style='font-weight:bold'>{$str2}</td></tr>";
}