How do I prevent SQL injection?

SQL Injection is the result of inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually reaching a malicious SQL command that deceives the server. For many sites that have user-submitted forms on the port, the submitted data into the MySQL database, there is a possibility of SQL Injection security issues, then, how to prevent SQL injection?

For the prevention of SQL injection security, it is necessary to always identify the user input data is not safe, and the user input data filtering processing, the conditions of the different fields to limit, eligible to write to the database, do not meet the criteria for data filtering processing!

prevent SQL injection, the following points need to be noted:

1. never trust the user's input. The user's input can be verified by regular expressions, or by limiting the length, by converting the single quotation mark and the double "-" .

2. never use dynamically assembled SQL, either using parameterized SQL or directly using stored procedures for data query access.

3. never use a database connection with administrator rights, and use a separate limited database connection for each app.

4. do not store confidential information directly, encrypt or hash out passwords and sensitive information.

5. Applied exception information should give as few hints as possible, preferably using a custom error message to wrap the original error message

6. SQL Injection detection method generally adopts auxiliary software or Web site platform to detect, software generally use SQL Injection Detection Tool Jsky, website platform has billion think website security platform detection tools. Mdcsoft SCAN and so on. The use of mdcsoft-ips can effectively protect against SQL injection,XSS attacks and so on.

prevent SQL injected escape Special input characters

In the scripting language, functions that provide the ability to escape data entered by the user, such as PHP 's MySQL extension, provide mysqli_real_escape_string () function to escape special input characters to prevent SQL injection.

if (GET_MAGIC_QUOTES_GPC ())

{

$name = Stripslashes ($name);

}

$name = mysqli_real_escape_string ($conn, $name);

Mysqli_query ($conn, "select * from Userswhere name= ' {$name} '");

The above is to prevent SQL injection of common ideas and methods, specific practices also need to be based on practical problems to set, interested in in-depth study!

How do I prevent SQL injection?