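/**
 * Parameter "filter": strips a fixed list of SQL-looking tokens from the input,
 * HTML-encodes the result and removes any remaining tags.
 *
 * SECURITY NOTE (review): this is a keyword blacklist, NOT an SQL-injection or
 * XSS defense. Every token is matched case-sensitively and only when it is
 * surrounded by single spaces, so `SELECT`, tab- or newline-separated keywords,
 * and keywords glued together with SQL inline-comment syntax all pass through
 * untouched. Use prepared statements with bound parameters for SQL and
 * context-specific escaping at the point of output; treat this helper as
 * cosmetic normalisation only.
 *
 * Defects fixed versus the original listing:
 *  - The original pattern used `/` as the PCRE delimiter but also contained
 *    unescaped `/` characters inside the fragments for slash-star, `../` and
 *    `./`. PCRE stops at the first unescaped delimiter and treats the rest as
 *    modifiers, so preg_replace() emitted "Unknown modifier '*'" and returned
 *    NULL; the function could never produce the documented output. The pattern
 *    is now built with `~` as delimiter and each fragment passed through
 *    preg_quote(), so `.` and `*` are literal characters as the author intended.
 *  - Arrays were documented as accepted, but htmlspecialchars() and
 *    strip_tags() only take strings (TypeError on PHP 8). Arrays are now
 *    filtered element-wise.
 *  - htmlspecialchars() now uses ENT_QUOTES | ENT_SUBSTITUTE with an explicit
 *    UTF-8 charset, so single quotes are encoded too (attribute-context XSS)
 *    and invalid byte sequences become U+FFFD instead of emptying the output.
 *  - The usage example below called the undefined function `red_field`;
 *    it now calls get_field().
 *
 * @param string|array $str value(s) to filter
 * @return string|array|null filtered value, or NULL when empty($str) is true
 *                           (note: empty('0') and empty(0) are true as well)
 */
function get_field($str)
{
    if (empty($str)) {
        return null;
    }

    // Documented interface accepts arrays: apply the filter to each element.
    if (is_array($str)) {
        return array_map('get_field', $str);
    }

    // Fragments removed verbatim; the surrounding spaces are part of each token.
    $tokens = [
        'select ', ' insert ', ' update ', ' and ', ' in ', ' on ', ' left ',
        ' joins ', ' delete ', ' % ', ' = ', ' /* ', ' * ', ' ../ ', ' ./ ',
        ' union ', ' from ', ' where ', ' group ', ' into ', ' load_file ',
        ' outfile ',
    ];
    $pattern = '~' . implode('|', array_map(
        static function ($token) {
            return preg_quote($token, '~');
        },
        $tokens
    )) . '~';

    $stripped = preg_replace($pattern, '', $str);
    if ($stripped === null) {
        // PCRE error (e.g. backtrack limit). The original fell through and
        // ended up returning '' in this case; keep that outcome explicitly.
        return '';
    }

    // Encode for an HTML body/attribute context. ENT_QUOTES also covers the
    // single quote, which ENT_COMPAT left unencoded.
    $encoded = htmlspecialchars($stripped, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Single-pass collapse of one blank line (PHP_EOL.PHP_EOL -> PHP_EOL);
    // three consecutive newlines still leave two, as in the original.
    $collapsed = str_replace(PHP_EOL . PHP_EOL, PHP_EOL, $encoded);

    // Largely redundant once '<' is already '&lt;', kept for parity with the
    // original pipeline.
    return strip_tags($collapsed);
}

$str = 'select * from table where id = 1 or name " ';
echo get_field($str);
// Output: *tableid1 or name &quot;   (a browser renders &quot; as ")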