How is SQL injection protected?

Source: Internet
Author: User
Tags: mysql, functions
    1. Last night, after 11, a friend suddenly came to me and said that a vulnerability in her company's website had been submitted to Wooyun. (She probably only learned about the vulnerability then. PS: she is a PHP programmer.)

    2. Two vulnerabilities were submitted on Wooyun. One is SQL injection (as I understand it, their company's framework is a very old one, still using mysql_query() and the other old MySQL functions). The other is a cookie problem: she writes the user's UID and similar sensitive information into a cookie, 2333. Then the UID used by the PHP business logic is also taken from the cookie, 233333 (so anyone can impersonate any user just by modifying the cookie).

    3. I told her the solutions for SQL injection (the first treats the symptom rather than the cause: use regex matching on SQL statements to filter dangerous characters, keywords and escape characters; the second: drop the old MySQL functions and use PDO or mysqli). For the cookie hole, I suggested that she put sensitive information such as the UID in the session, then encrypt the session ID and put that in the cookie.

    4. In the end she said she roughly understood. Changing the company framework's MySQL driver is not very realistic, the company won't let her change it, so she has to use regex matching on SQL statements and filter illegal strings!

    5. I went online to look for SQL statement filtering functions, so-called SQL filter functions, that are supposed to be very useful. (That was her answer.)

I would like to discuss SQL injection defense approaches with you. Is there a better SQL injection filter function for SQL statements? Please share, thank you!
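The two problems the question describes, each beside its fix, as an added example that is not code from the thread. It assumes a hypothetical table users(uid, name) and an already-open PDO connection in $pdo; the "before" functions reproduce the patterns the question describes, the "after" functions use a bound parameter and a server-side session instead.

```php
<?php
// Added example, not code from the thread. Assumes a table users(uid, name) and an open
// PDO connection in $pdo; the "before" functions show the two patterns the question describes.

// --- Vulnerability 1: SQL text spliced together with a variable ---
function findUserVulnerable(PDO $pdo, $name)
{
    // $name becomes part of the SQL text, so quote characters in it change the query's
    // structure. Replacing mysql_query() with PDO alone does not fix this.
    $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}
// Fix: the SQL text is constant; the value travels separately as a bound parameter
function findUserSafe(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT uid, name FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// --- Vulnerability 2: trusting the UID stored in a client-side cookie ---
function currentUidVulnerable()
{
    // the client owns its cookies, so this "identity" can be set to any user's UID
    return isset($_COOKIE['uid']) ? (int) $_COOKIE['uid'] : 0;
}
// Fix: keep the UID server-side in the session; the cookie carries only the session id
function ensureSession()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.cookie_httponly', '1');  // not readable from JavaScript
        ini_set('session.cookie_secure', '1');    // only sent over HTTPS
        ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
        session_start();
    }
}
function loginSafe($uid)
{
    ensureSession();
    session_regenerate_id(true);  // fresh id after authentication, against session fixation
    $_SESSION['uid'] = (int) $uid;
}
function currentUidSafe()
{
    ensureSession();
    return isset($_SESSION['uid']) ? $_SESSION['uid'] : 0;
}
```

PHP's session handler already generates the session id server-side, so the "encrypt the session ID" step from the question is not needed: the cookie then holds nothing but an opaque id.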

Reply content:


Why not use prepared statements???????????
Why not use prepared statements???????????
Why not use prepared statements???????????
Important things are said three times!
SQL injection is a thing of the last century!
If you don't want to rewrite it, you can use the ready-made PHP classes from my simple wrapper; pick one to use.
(I found that the code had some traces of my project, so I deleted the irrelevant code.)
mysqli version:


<?php
class DB
{
    private $dbhost;
    private $dbuser;
    private $dbpw;
    private $dbname;
    private $sql;
    private $fetch;
    private $param;
    private $res;

    // $SQL: statement with ? placeholders; $Fetch: row return mode; $Param: values to bind
    public function __construct($SQL, $Fetch = 'assoc', $Param = array())
    {
        $this->sql = $SQL;
        $this->fetch = $Fetch;
        $this->param = $Param;
        // The database information is stored in the configuration file; change this to the correct path and values
        require $_SERVER['DOCUMENT_ROOT'] . '/configs/config.inc.php';
        $this->dbhost = $DBHost;
        $this->dbuser = $DBUser;
        $this->dbpw = $DBPassword;
        $this->dbname = $DBName;
    }

    public function Query()
    {
        $Mysqli = new mysqli($this->dbhost, $this->dbuser, $this->dbpw, $this->dbname);
        if ($Mysqli->connect_errno) {
            echo 'Cannot connect to database';
            return false;
        }
        // set_charset() rather than "SET NAMES", so the client library knows the charset too
        $Mysqli->set_charset('utf8');
        // The original opened a READ_ONLY transaction, which makes INSERT/UPDATE fail; use a normal one
        $Mysqli->begin_transaction();
        $Stmt = $Mysqli->stmt_init();
        if (!$Stmt->prepare($this->sql)) {
            echo 'Error preparing statement: ' . $Mysqli->error;
            return false;
        }
        if (count($this->param) > 0) {
            // Build the bind_param() type string: d = double, i = integer, s = string, b = blob
            $Type = '';
            for ($i = 0; $i < count($this->param); $i++) {
                if (is_double($this->param[$i])) {
                    $Type .= 'd';
                } elseif (is_int($this->param[$i])) {
                    $Type .= 'i';
                } elseif (is_string($this->param[$i])) {
                    $Type .= 's';
                } else {
                    $Type .= 'b';
                }
            }
            // bind_param() takes its values by reference, hence the array of references
            $RefArg = array($Type);
            for ($i = 0; $i < count($this->param); $i++) {
                $RefArg[] = &$this->param[$i];
            }
            call_user_func_array(array($Stmt, 'bind_param'), $RefArg);
        }
        if (!$Stmt->execute()) {
            // Debug output; do not expose the statement and parameters to end users in production
            echo 'Error reading database: ' . $Stmt->error;
            echo $this->sql;
            print_r($this->param);
            $Mysqli->rollback();
            return false;
        }
        $Mysqli->commit();
        if (strtolower(substr($this->sql, 0, 6)) === 'select') {
            $this->res = $Stmt->get_result();   // requires the mysqlnd driver
            $Stmt->free_result();
            return $this->getres();
        } else {
            $Stmt->free_result();
            return true;
        }
    }

    public function getres()
    {
        switch (strtolower($this->fetch)) {
            case 'all':
                $row = $this->res->fetch_all();
                break;
            case 'array':
                $row = $this->res->fetch_array();
                break;
            case 'assoc':
                $row = $this->res->fetch_assoc();
                break;
            case 'field':
                $row = $this->res->fetch_field();
                break;
            case 'row':
                $row = $this->res->fetch_row();
                break;
            default:
                echo 'Please select a row return mode.';
                exit;
        }
        return $row;
    }

    public function Numrow()
    {
        if (isset($this->res)) {
            return $this->res->num_rows;
        } else {
            return false;
        }
    }
}

PDO_MySQL version:


<?php
class DB
{
    private $dbhost;
    private $dbuser;
    private $dbpw;
    private $dbname;
    private $sql;
    private $fetch;
    private $param;
    private $res;

    // $SQL: statement with ? placeholders; $Fetch: row return mode; $Param: values to bind
    public function __construct($SQL, $Fetch = 'assoc', $Param = array())
    {
        // The database information is stored in the configuration file; change this to the correct path and values
        require $_SERVER['DOCUMENT_ROOT'] . '/configs/config.inc.php';
        $this->dbhost = $DBHost;
        $this->dbuser = $DBUser;
        $this->dbpw = $DBPassword;
        $this->dbname = $DBName;
        $this->sql = $SQL;
        $this->fetch = $Fetch;
        $this->param = $Param;
    }

    public function Query()
    {
        $Pdo = null;
        try {
            // charset in the DSN rather than "SET NAMES", so PDO itself knows the connection charset
            $Pdo = new PDO(
                'mysql:host=' . $this->dbhost . ';dbname=' . $this->dbname . ';charset=utf8',
                $this->dbuser,
                $this->dbpw
            );
            $Pdo->beginTransaction();
            $Stmt = $Pdo->prepare($this->sql);
            // Positional placeholders are 1-based; bindParam() binds by reference
            for ($i = 0; $i < count($this->param); $i++) {
                $Stmt->bindParam($i + 1, $this->param[$i]);
            }
            if (!$Stmt->execute()) {
                echo 'Error reading database: ' . $Stmt->errorInfo()[2];
                $Pdo->rollBack();
                return false;
            }
            $Pdo->commit();
            $Head = strtolower(substr($this->sql, 0, 6));
            if ($Head === 'select' || substr($Head, 0, 4) === 'desc') {
                $this->res = $Stmt;
                return $this->getres();
            } else {
                return true;
            }
        } catch (PDOException $e) {
            echo 'Cannot connect to database';
            // $Pdo is still null when the connection itself failed; only roll back an open transaction
            if ($Pdo !== null && $Pdo->inTransaction()) {
                $Pdo->rollBack();
            }
            return false;
        }
    }

    public function getres()
    {
        switch (strtolower($this->fetch)) {
            case 'all':
                $Row = $this->res->fetchAll(PDO::FETCH_ASSOC);
                break;
            case 'array':
                $Row = $this->res->fetch(PDO::FETCH_BOTH);
                break;
            case 'assoc':
            case 'field':
                $Row = $this->res->fetch(PDO::FETCH_ASSOC);
                break;
            case 'row':
                $Row = $this->res->fetch(PDO::FETCH_NUM);
                break;
            default:
                echo 'Please select a row return mode.';
                exit;
        }
        return $Row;
    }

    public function Numrow()
    {
        // PDOStatement has no num_rows; rowCount() is the equivalent (works for SELECT on MySQL with buffered queries)
        if (isset($this->res)) {
            return $this->res->rowCount();
        } else {
            return false;
        }
    }
}

How to use:

$DB = new DB('SQL statement', 'result-set mode', array('parameters to bind')); $DB->Query();

Attention!!! In the SQL statement, use ? in place of the parameters to be queried!!! SQL injection vulnerabilities exist because SQL statements are spliced together with variables!!!
PS: If you can't change the framework, then wash up and go to sleep; time will only eliminate stubborn people and outdated technology.
Don't expect regex filtering of SQL statements to completely eliminate SQL injection; the reason PHP 7 dropped the MySQL extension is that this extension has security vulnerabilities!

I have already written a similar summary and won't copy it here; the commonly used web security precautions (slightly abridged, to be supplemented) can be found in: PHP Security Code

Simply put: with PDO you can use PDO prepared statements; without PDO, use addslashes.

PHP has the built-in function addslashes(); you can try it.

If you don't use regex filtering, you can consider escaping.

In fact, the essence of defending against SQL injection is to escape, or intercept, the sensitive characters in the external GPC (GET/POST/COOKIE) variables. The GPC can be pre-processed in the framework's entry file or in the routing class and then used by the subsequent business logic, which is relatively easy to implement and to migrate to. As for the cookie, make a bigger change: use some encryption to verify the cookie; the encryption key can be placed in the session.
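The escaping approach the previous replies suggest (addslashes) and the "pre-process GPC at the entry point" stopgap this reply describes, written out as an added example that is not code from the thread. It assumes an open mysqli connection in $link and the page's utf8 connection charset; the function names are hypothetical. It also shows the limit of escaping that the replies leave out: a value used in an unquoted numeric context is not protected by it, so such values are type-cast instead.

```php
<?php
// Added example, not from the thread: the "escape GPC once at the entry point" stopgap this reply
// describes, for a codebase still on string-spliced SQL. Assumes an open mysqli connection in $link.

// Recursively escape every string in $_GET / $_POST / $_COOKIE, once, in the front controller.
function escapeGpc(mysqli $link, array $data)
{
    $out = array();
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value)
            ? escapeGpc($link, $value)
            : $link->real_escape_string($value);  // charset-aware, unlike addslashes()
    }
    return $out;
}

// Escaping only protects values that end up inside quotes in the SQL text. A value used in an
// unquoted context (WHERE uid = $uid) passes through unchanged, so force the type instead.
function intParam(array $data, $key, $default = 0)
{
    return (isset($data[$key]) && ctype_digit((string) $data[$key])) ? (int) $data[$key] : $default;
}

function setUpRequest(mysqli $link)
{
    $link->set_charset('utf8');  // must come first: the escaper uses the connection charset
    $_GET    = escapeGpc($link, $_GET);
    $_POST   = escapeGpc($link, $_POST);
    $_COOKIE = escapeGpc($link, $_COOKIE);
}

// Business code later in the same request (constructed illustration):
//   setUpRequest($link);
//   $sql = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "' AND uid = " . intParam($_GET, 'uid');
// The string value must stay inside quotes and the number must go through intParam();
// this is a stopgap until the query is rewritten with bound parameters.
```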

Well, the approach to this should be as follows:

    1. Add some external security services, such as Jiasule (we use Jiasule; response time is generally 100 milliseconds with occasional fluctuations; its security is only a baseline, some XSS in posts cannot be intercepted)

    2. Install web application firewall software on the server

    3. When time allows, migrate slowly to PDO, with queries bound to parameters (personally, I think it is not that it shouldn't be changed, but that it needs time to be scheduled)

Since PHP >= 5.5 has deprecated mysql_*, the framework should be refactored for compatibility reasons.

Try Www.oneasp.com.
