Home > Tutorials > PHP Tutorials

How does a PHP Web site prevent SQL injection?

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
The operation of the site is sure that every webmaster must consider the issue, you know, most hackers attack the site is the use of SQL injection, this is what we often say why?

The most original static website is the safest. Today we talk about PHP injection security specifications to prevent your site from being injected into SQL.

Now that the mainstream web development language is PHP, let's start with how the PHP Web site prevents SQL injection:

PHP injection security Through the above process, we can understand the principles and methods of PHP injection, of course, we can also work out the corresponding prevention method:
The first is the security settings for the server, which is primarily Php+mysql security settings and Linux Host Security settings. For Php+mysql injection prevention, first set MAGIC_QUOTES_GPC to On,display_errs set to OFF, if ID type, we use Intval () to convert it to an integer type, such as code:



$idintval ($id);
Mysql_query "*fromexamplewherearticieid ' $id '"; or write this: mysql_query ("Select*fromarticlewherearticleid". Intval ($id). "")
If it is a character type, filter it with addslashes () and then filter "%" and "_" such as:
$searchaddslashes ($search);
$searchstr _replace ("_", "\_", $search);
$searchstr _replace ("%", "\%", $search);
Of course, you can also add PHP Universal anti-injection code:
/*************************
PHP Universal Anti-inject security code
Description
Determine if the passed variable contains illegal characters
such as $_post, $_get
Function:
Anti-injection
  2. **************************/
  4. Illegal characters to filter on
  6. $ArrFiltratearray ("'", ";", "union");
  8. The URL to jump after the error, without filling the default previous page
  10. $StrGoUrl "";
  12. Whether the values in the array exist
  14. Functionfunstringexist ($StrFiltrate, $ArrFiltrate) {
  16. Feach ($ArrFiltrateas $key> $value) {
  18. if (eregi ($value, $StrFiltrate)) {
  20. Returntrue;
  22. }
  24. }
  26. Returnfalse;
  28. }
  30. Merging $_post and $_get
  32. if (function_exists (Array_merge)) {
  34. $ArrPostAndGetarray _merge ($HTTP _post_vars, $HTTP _get_vars);
  36. }else{
  38. Feach ($HTTP _post_varsas$key> $value) {
  40. $ArrPostAndGet [] $value;
  42. }
  44. Feach ($HTTP _get_varsas$key> $value) {
  46. $ArrPostAndGet [] $value;
  48. }
  50. }
  52. Validation begins
  54. Feach ($ArrPostAndGetas $key> $value) {
  56. if (Funstringexist ($value, $ArrFiltrate)) {
  58. echo "Alert (/" NEEAO hint, illegal character/");";
  60. if (empty ($STRGOURL)) {
  62. echo "Histy.go (-1);";
  64. }else{
  66. echo "window.location/" ". $StrGoUrl." /”;”;
  68. }
  70. Exit
  72. }
  74. }
  76. ?>
  78. /*************************
Copy CodeSave As Checkpostget.php
Then add an include ("checkpostget.php") to each PHP file;
**************************/
In addition, the Administrator user name and password are taken MD5 encryption, so as to effectively prevent the injection of PHP.
There are also servers and MySQL to strengthen some security precautions.
Security settings for Linux servers:
Encrypt the password and use the/usr/sbin/authconfig tool to turn on the shadow function of the passcode and encrypt the passwd.
Disable access to important files, enter the Linux command interface, and enter at the prompt:
#chmod600/etc/inetd.conf//Change the file property to 600
#chattr +i/etc/inetd.conf//Guarantee file owner is root
#chattr –i/etc/inetd.conf//restrictions on changes to this file
Prevents any user from changing to the root user through the SU command
Add the following two lines at the beginning of the SU configuration file, which is the/etc/pam.d/directory:
Auth Sufficient/lib/security/pam_rootok.sodebug
Auth Required/lib/security/pam_whell.sogroupwheel
Delete all special accounts
#userdel LP and so on delete user
#groupdellp等等删除组
Prohibit Suid/sgid programs that are not used
#find/-typef\ (-perm-04000-o–perm-02000\) \-execls–lg{}\;



Http://hi.baidu.com/bigideaer/bl ... 7e76e11a4cffd0.html

Determine if the passed variable contains illegal characters we put the following code in a common file, For example, in the security.inc.php, each file contains the file, then you can give any one of the program to submit all the variables to filter, to achieve our effect once and for all.



Description:/*************************
Description
Determine if the passed variable contains illegal characters
such as $_post, $_get
Function: Anti-injection
**************************/

The code is as follows:

  6. Illegal characters to filter on
  8. $ArrFiltratearray ("", ";", "union");
  10. The URL to jump after the error, without filling the default previous page
  12. $StrGoUrl "";
  14. Whether the values in the array exist
  16. Functionfunstringexist ($StrFiltrate, $ArrFiltrate) {
  18. Feach ($ArrFiltrateas $key> $value) {
  20. if (eregi ($value, $StrFiltrate)) {
  22. Returntrue;
  24. }
  26. }
  28. Returnfalse;
  30. }

  34. Merging $_post and $_get
  36. if (function_exists (Array_merge)) {
  38. $ArrPostAndGetarray _merge ($HTTP _post_vars, $HTTP _get_vars);
  40. }else{
  42. Feach ($HTTP _post_varsas$key> $value) {
  44. $ArrPostAndGet [] $value;
  46. }
  48. Feach ($HTTP _get_varsas$key> $value) {
  50. $ArrPostAndGet [] $value;
  52. }
  54. }

  58. Validation begins
  60. Feach ($ArrPostAndGetas $key> $value) {
  62. if (Funstringexist ($value, $ArrFiltrate)) {
  64. echo "";
  66. if (Emptyempty ($STRGOURL)) {
  68. echo "";
  70. }else{
  72. echo "";
  74. }
  76. Exit
  78. }
  80. }
  82. ?>

Copy CodeSave As Checkpostget.php
Then add an include ("checkpostget.php") to each PHP file;

Method 2


The code is as follows:
  2. /* Filter all get over variables */
  4. Feach ($_getas$get_key> $get _var)
  6. {
  8. if (Is_numeric ($get _var)) {
  10. $get [Strtolower ($get _key)]get_int ($get _var);
  12. }else{
  14. $get [Strtolower ($get _key)]get_str ($get _var);
  16. }
  18. }

  22. /* Filter all post-over variables */
  24. Feach ($_postas$post_key> $post _var)
  26. {
  28. if (Is_numeric ($post _var)) {
  30. $post [Strtolower ($post _key)]get_int ($post _var);
  32. }else{
  34. $post [Strtolower ($post _key)]get_str ($post _var);
  36. }
  38. }

  42. /* Filter Function */
  44. Integer Filter function
  46. Functionget_int ($number)
  48. {
  50. Returnintval ($number);
  52. }
  54. string-Type Filter function
  56. Functionget_str ($string)
  58. {
  60. if (!GET_MAGIC_QUOTES_GPC ()) {
  62. Returnaddslashes ($string);
  64. }
  66. return$string;
  68. }
Copy CodeThe first is the way to escape the data

The second method, written in a separate file, is introduced into each PHP file.

Can be implemented to escape each data processing

Functionsaddslashes ($string) {

if (Is_array ($string)) {

Feach ($stringas $key> $val) {

$string [$key]saddslashes ($val);

}

}else{

$stringaddslashes ($string);

}

return$string;

}





#################################################################

$magic _QUOTEGET_MAGIC_QUOTES_GPC ();

if (Empty ($magic _quote)) {

$_getsaddslashes ($_get);

$_postsaddslashes ($_post);

}
This topic was released by Beckham on 2015-9-20 13:05

    • This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    What's Trending
    Top 10 Tags
    datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
    Top 10 Keywords
    microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    Get Started for Free

    • Sales Support

      1 on 1 presale consultation

      Chat Contact Sales

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

      Open a Ticket

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

      Learn More