SQL injection:
Under normal circumstances:
delete.php?id=3
$sql = 'DELETE FROM news WHERE id = ' . $_GET['id'];
Malicious case:
delete.php?id=3 or 1
$sql = 'DELETE FROM news WHERE id = 3 or 1'; because "id = 3 OR 1" is true for every row, this statement deletes all records.
Appropriate countermeasures have to be taken. For example, check that id really is a number before using it (note that the payload above contains no quote characters at all, so escaping alone would not stop it).
Keep telling yourself: data coming from the client can never be trusted!!
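The following script is an added example and not code from the original article. It reproduces the "delete.php?id=3 or 1" case against an in-memory SQLite table (the table and its rows are constructed here) and puts the article's recommended fix, checking that id is a number, next to a prepared statement so the value is never parsed as SQL. It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: vulnerable string-built DELETE versus a validated, parameterised one.
// Assumes the pdo_sqlite extension; the news table and its three rows are constructed here.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
    foreach ([[1, 'first'], [2, 'second'], [3, 'third']] as [$id, $title]) {
        $db->prepare('INSERT INTO news (id, title) VALUES (?, ?)')->execute([$id, $title]);
    }
    return $db;
}

function countRows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM news')->fetchColumn();
}

// Vulnerable: the query is built by string concatenation, exactly as in the article.
function deleteVulnerable(PDO $db, string $id): int {
    $sql = 'DELETE FROM news WHERE id = ' . $id;
    return $db->exec($sql);          // returns the number of deleted rows
}

// Hardened: reject anything that is not a plain decimal integer (the article's
// "check whether it is a number"), then bind the value as a typed parameter.
function deleteSafe(PDO $db, string $id): int {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM news WHERE id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = makeDb();
echo "vulnerable, id='3 or 1': deleted " . deleteVulnerable($db, '3 or 1')
   . " rows, " . countRows($db) . " left\n";

$db = makeDb();
echo "safe, id='3': deleted " . deleteSafe($db, '3')
   . " rows, " . countRows($db) . " left\n";
try {
    deleteSafe($db, '3 or 1');
} catch (InvalidArgumentException $e) {
    echo "safe, id='3 or 1': rejected (" . $e->getMessage() . ")\n";
}
```

Run it with the php CLI: the vulnerable branch deletes all three rows from the "3 or 1" input, while the safe branch deletes exactly one row for "3" and refuses "3 or 1" before any SQL is sent.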
Escape:
Data coming from the client may maliciously contain special characters such as single quotes and backslashes, so it needs to be escaped, turning them into ordinary characters. For a single value use string addslashes(string $str), which escapes one variable. To escape every element of an array, loop over it with foreach, as follows:
foreach ($_POST as $k => $v) {
    if (is_string($v)) {          // only strings need escaping
        $_POST[$k] = addslashes($v);
    }
}
If the array itself contains arrays, the escaping has to recurse, so use
array_walk_recursive(array &$input, callable $funcname [, mixed $userdata])
This applies the user-defined function funcname to each element of the array and recurses into nested arrays. The callback normally takes two parameters: the element's value first and its key second. If the optional userdata is given, it is passed to the callback as a third argument. Returns TRUE on success or FALSE on failure.
In other words, the custom callback must accept at least two parameters, whereas addslashes() accepts only one, so wrap it in a function of your own, as follows:
// The value must be taken by reference so the change lands in the array.
function a(&$v, $k) {
    $v = addslashes($v);
}
// No & at the call site: $input is already declared by reference in the signature
// (call-time pass-by-reference is a fatal error since PHP 5.4).
array_walk_recursive($arr, 'a');
System Automatic Escape:
PHP has the concept of magic quotes. How are they enabled? In php.ini set magic_quotes_gpc = On and restart Apache.
With magic quotes on, the system automatically escapes the $_GET, $_POST and $_COOKIE data; if you then escape by hand without knowing this, the data is escaped twice. To escape correctly you must first check whether magic quotes are on, using get_magic_quotes_gpc(), which takes no arguments and returns 0 when they are off and 1 when they are on. (Magic quotes were deprecated in PHP 5.3, removed in PHP 5.4, and get_magic_quotes_gpc() itself was removed in PHP 8.0, so on current PHP this check always reports "off".)
// Define the callback once, outside the if, rather than conditionally.
function _addslashes(&$v, $k) {
    $v = addslashes($v);
}
if (!get_magic_quotes_gpc()) {   // magic quotes are off, so escape by hand
    array_walk_recursive($_GET, '_addslashes');
    array_walk_recursive($_POST, '_addslashes');
    array_walk_recursive($_COOKIE, '_addslashes');
}
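The following is an added example, not code from the original article, that serves both the array_walk_recursive section and the magic-quotes check above. It escapes a nested request array once, skipping non-string values, and guards the get_magic_quotes_gpc() call with function_exists() so it also runs on PHP 8, where that function no longer exists. The nested $post array is constructed for the demo in place of a real $_POST.

```php
<?php
// Added example: recursive, non-double escaping of request data.
// $post below is a constructed stand-in for $_POST; on a real request you would
// pass $_GET, $_POST and $_COOKIE to escapeRecursive() the same way.

function magicQuotesOn(): bool {
    // get_magic_quotes_gpc() was removed in PHP 8.0: treat "missing" as "off".
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Callback for array_walk_recursive: it receives (value, key); the value is
// taken by reference so the escaped string is written back into the array.
function escapeValue(&$v, $k): void {
    if (is_string($v)) {          // leave ints, bools and nulls untouched
        $v = addslashes($v);
    }
}

function escapeRecursive(array &$input): void {
    // No & at the call site: $input is declared by reference in the signature.
    array_walk_recursive($input, 'escapeValue');
}

// Constructed sample request with a quote, a backslash, double quotes and a
// nested array, plus a non-string value that must stay an integer.
$post = [
    'title' => "O'Reilly",
    'tags'  => ['a\\b', 'say "hi"', ['deep' => "it's nested"]],
    'page'  => 2,
];

// Escape exactly once: skip the manual pass when the system already did it.
if (!magicQuotesOn()) {
    escapeRecursive($post);
}

print_r($post);
var_dump($post['page']);   // still int(2), not the string "2"
```

Because the callback only touches strings, the integer 'page' keeps its type, and because the whole tree is walked once under a single magic-quotes check, no value can end up escaped twice.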