SQL injection is always pervasive (ps: & #039; or11 #). How can I filter SQL statements securely (php and mysql_connect )? SQL injection is always pervasive (ps: 'or 1 = 1 #). How can I filter it out securely (My php and mysql_connect )?
Reply content:
SQL injection is always pervasive (ps: 'or 1 = 1 #). How can I filter it out securely (My php and mysql_connect )?
Availablemysql_real_escape_string()
Escape the string and then put it into SQL.
$ Name = mysql_real_escape_string ($ _ POST ['name']); mysql_query ('select * FROM 'users' WHERE 'name' = "'. $ name. '"'); // domestic version. Protects against SQL injection. Both function escape ($ str) {$ str = mysql_real_escape_string ($ str); $ str = str_replace (['_', '%'], ['\ _', '\ %'], $ str); return $ str ;}
Here is the official introduction: http://www.php.net/manual/zh/function.mysql-real-escape-string.php
I personally suggest using a WEB framework. Common WEB frameworks have a sound anti-injection mechanism.
For example:
Simple and Quick Start: CodeIgniter
More comprehensive functions: Yii (this official website is sometimes walled)
select * from users where name = @name
Parameter Query (Parameterized Query or Parameterized Statement) is a Parameter that is used to provide a value when a database is accessed, where a value or data needs to be filled in.
When parametric query is used, the database server does not regard the parameter content as a part of the SQL command for processing. Instead, parameters are applied to run only after the database completes the compilation of the SQL command, therefore, even if the parameter contains commands, it will not be run by the database. Common databases such as Access, SQL Server, MySQL, and SQLite support parameterized query.