Using php5.3 or above we can use PDO and mysqli to process data directly
1. Use PDO (PHP Data Objects)
The code is as follows |
Copy Code |
$stmt = $pdo->prepare (' SELECT * FROM employees WHERE name =: Name '); $stmt->execute (Array (': Name ' => $name)); foreach ($stmt as $row) { Do something with $row } |
2. Use of mysqli
The code is as follows |
Copy Code |
$stmt = $dbConnection->prepare (' SELECT * FROM employees WHERE name =? '); $stmt->bind_param (' s ', $name); $stmt->execute (); $result = $stmt->get_result (); while ($row = $result->fetch_assoc ()) { Do something with $row } |
3. If it is php5.3 the following version we can use Addslashes and mysql_real_escape_string these functions to handle
The code is as follows |
Copy Code |
function Get_str ($string) { if (!GET_MAGIC_QUOTES_GPC ()) { Return addslashes ($string); } return $string; } |
Many of the country's PHP coder are still relying on addslashes to prevent SQL injection (including me), I suggest you strengthen the Chinese to prevent SQL injection check. The problem with addslashes is that you can use 0XBF27 instead of single quotes, and addslashes only modifies 0xbf27 to 0xbf5c27 as a valid multi-byte character, where the 0xbf5c is still considered single quotes, So addslashes cannot successfully intercept.
Of course, addslashes is also not useless, it is used for single-byte string processing, multibyte characters or use mysql_real_escape_string bar.
It is better to check the $_post[' LastName ' If the MAGIC_QUOTES_GPC is already open.
Again, the difference between the 2 functions of mysql_real_escape_string and mysql_escape_string:
Mysql_real_escape_string must be available in the case of (PHP 4 >= 4.3.0, PHP 5). Otherwise you can only use mysql_escape_string, the difference is:
Mysql_real_escape_string takes into account the current character set of the connection, and Mysql_escape_string does not consider it.
If it is a character type, use Addslashes () to filter, and then filter "%" and "_" such as:
The code is as follows |
Copy Code |
$search =addslashes ($search); $search =str_replace ("_", "\_", $search); $search =str_replace ("%", "\%", $search);
|
Of course, you can add PHP generic anti-injection code:
The code is as follows |
Copy Code |
/************************* PHP Universal Anti-injection security code Description Determines whether the passed variable contains illegal characters such as $_post, $_get Function: Anti-injection **************************/ Illegal characters to filter $ArrFiltrate =array ("'", ";", "union"); The URL to jump after an error is not filled in the default previous page $STRGOURL = ""; Whether the value in the array exists function Funstringexist ($StrFiltrate, $ArrFiltrate) { foreach ($ArrFiltrate as $key => $value) { if (eregi ($value, $StrFiltrate)) { return true; } } return false; } Merging $_post and $_get if (function_exists (Array_merge)) { $ArrPostAndGet =array_merge ($HTTP _post_vars, $HTTP _get_vars); }else{ foreach ($HTTP _post_vars as $key => $value) { $ArrPostAndGet []= $value; } foreach ($HTTP _get_vars as $key => $value) { $ArrPostAndGet []= $value; } } Verify Start foreach ($ArrPostAndGet as $key => $value) { if (Funstringexist ($value, $ArrFiltrate)) { echo "Alert (/" NEEAO hint, illegal character/"); if (empty ($STRGOURL)) { echo "History.go (-1);"; }else{ echo "window.location=/" ". $StrGoUrl." /”;”; } Exit } } ?> /************************* |
Save As Checkpostandget.php
Then add include ("checkpostandget.php") in front of each PHP file;
To sum up:
Addslashes () is forcibly added;
Mysql_real_escape_string () will judge the character set, but the PHP version is required;
Mysql_escape_string does not consider the current character set of the connection.