Php anti-SQL injection

Php protects against SQL injection. in SQL injection attacks, you can manipulate the form or GET query string to add the information to the database query. For example, assume there is a simple login database. Each record in this database has a username field and a password field. Create a logon form to allow users to log on.

Listing 5. simple logon form

Login

This form accepts the user name and password entered by the user, and submits the user input to the file verify. php. In this file, PHP processes data from the login form, as shown below:

Listing 6. insecure PHP form processing code

$ Okay = 0; $ Username = $ _ POST ['user']; $ Pw = $ _ POST ['pw ']; $ SQL = "select count (*) as ctr from users where Username = '". $ username."' and password = '". $ pw." 'limit 1 "; $ Result = mysql_query ($ SQL ); While ($ data = mysql_fetch_object ($ result )){ If ($ data-> ctr = 1 ){ // They're okay to enter the application! $ Okay = 1; } } If ($ okay ){ $ _ SESSION ['loginokay'] = true; Header ("index. php "); } Else { Header ("login. php "); } ?>

This code looks okay, right? Hundreds or even thousands of PHP/MySQL sites across the world are using this code. Where is the error? Well, remember "user input cannot be trusted ". No information from the user is escaped, so the application is vulnerable to attacks. Specifically, any type of SQL injection attacks may occur.

For example, if you enter foo as the user name and 'or '1' = '1 as the password, the following string is actually passed to PHP and then the query is passed to MySQL:

$sql = "select count(*) as ctr from users where username='foo' and password='' or '1'='1' limit 1";

This query always returns a count value of 1, so PHP will allow access. By injecting some malicious SQL statements at the end of the password string, hackers can dress up as legitimate users.

To solve this problem, use the built-in mysql_real_escape_string () function of PHP as the package for any user input. This function is used to escape characters in a string, making it impossible for the string to pass special characters such as an apostrophes and allow MySQL to perform operations based on special characters. Listing 7 shows the code with escape processing.

Listing 7. safe PHP form processing code

$ Okay = 0; $ Username = $ _ POST ['user']; $ Pw = $ _ POST ['pw ']; $ SQL = "select count (*) as ctr from users where Username = '". mysql_real_escape_string ($ username )."' And password = '". mysql_real_escape_string ($ pw)." 'limit 1 "; $ Result = mysql_query ($ SQL ); While ($ data = mysql_fetch_object ($ result )){ If ($ data-> ctr = 1 ){ // They're okay to enter the application! $ Okay = 1; } } If ($ okay ){ $ _ SESSION ['loginokay'] = true; Header ("index. php "); } Else { Header ("login. php "); } ?>

Using mysql_real_escape_string () as the package for user input can avoid any malicious SQL injection in user input. If you try to pass a malformed password through SQL injection, the following query will be passed to the database:

select count(*) as ctr from users where \username='foo' and password='\' or \'1\'=\'1' limit 1"

There is nothing in the database that matches this password. Simply taking a simple step blocks a major vulnerability in a Web application. The experience here is that user input for SQL queries should always be escaped.

For your security, please only open the URL with reliable source

From: http://hi.baidu.com/luzheng22/blog/item/af49aca48ea018f19052eeea.html