How to prevent SQL injection during PHP login _ PHP Tutorial

Prevents SQL injection during PHP logon. PHP login to prevent SQL injection method analysis to prevent SQL injection these details are generally caused by careless programmers or novice programmers, they did not analyze SQL injection prevention methods in PHP login for the data submitted by users

To prevent SQL injection, these details are generally caused by careless programmers or novice programmers, they did not perform some filtering on the data submitted by the user, so they broke your database after testing, next, let's take a look at a simple SQL injection method that may occur when the user does not perform security configuration during logon.

For example, the following logon code:

The code is as follows:
If ($ l = @ mysql_connect ('localhost', 'root', '123') or die ('database connection failed '); Mysql_select_db ('test '); Mysql_set_charset ('utf8 '); $ SQL = 'select * from test where username = "$ username" and password = "$ password "'; $ Res = mysql_query ($ SQL ); If (mysql_num_rows ($ res )){ Header ('Location:./home. php '); } Else { Die ('incorrect input '); }

Note that the preceding SQL statement has a great security risk. if you use the following universal password and universal user name, you can easily access the page:

The code is as follows:
1. $ SQL = 'select * from test where username = "***" and password = "***" or 1 = "1 "';

Obviously, the universal password for this SQL statement is: *** "or 1 =" 1

The code is as follows:
2. $ SQL = 'select * from test where username = "***" union select * from users/* and password = "***"';

The forward slash * indicates that the subsequent query is not executed. mysql supports union joint query, so all data is directly queried. Therefore, the universal user name for this SQL statement is: * ** "union select * from users /*

However, this injection only applies to SQL statements in the code. if

The code is as follows:
$ SQL = "select * from test where username = $ username and password = $ password ";

The above injection should at least be useless, but the method is the same;

After using PDO, SQL injection can be completely avoided. in this era of rapid development, the framework is rampant and you do not need to worry too much about SQL injection.

Below are two functions to prevent SQL registration

The code is as follows:

/* Filter all GET variables */ Foreach ($ _ GET as $ get_key => $ get_var) { If (is_numeric ($ get_var )){ $ Get [strtolower ($ get_key)] = get_int ($ get_var ); } Else { $ Get [strtolower ($ get_key)] = get_str ($ get_var ); } } /* Filter all POST variables */ Foreach ($ _ POST as $ post_key => $ post_var) { If (is_numeric ($ post_var )){ $ Post [strtolower ($ post_key)] = get_int ($ post_var ); } Else { $ Post [strtolower ($ post_key)] = get_str ($ post_var ); } } /* Filter function */ // Integer filter function Function get_int ($ number) { Return intval ($ number ); } // String filter function Function get_str ($ string) { If (! Get_magic_quotes_gpc ()){ Return addslashes ($ string ); } Return $ string; }

Some other blogs will write like this.

The code is as follows:

Function post_check ($ post) { If (! Get_magic_quotes_gpc () // You can check whether magic_quotes_gpc is enabled. { $ Post = addslashes ($ post); // filter submitted data when magic_quotes_gpc is not enabled } $ Post = str_replace ("_", "\ _", $ post); // filter '_' $ Post = str_replace ("%", "\ %", $ post); // filter '%' $ Post = nl2br ($ post); // press enter to convert $ Post = htmlspecialchars ($ post); // html tag conversion Return $ post; } ?>

Explain prevents SQL injection. these details are generally caused by careless programmers or novice programmers who have not submitted data from users...