SQL injection vulnerabilities are a major security hazard for many PHP programs. They arise when a web developer lets end-user-controlled data (for example, a form value used to decide what to display) flow unchanged into a statement sent to the database; that data usually arrives through the superglobals $_GET, $_POST, $_COOKIE or $_SESSION.
Let's look at the following code:
```php
<?php
// Deliberately vulnerable: the id from the query string is concatenated
// straight into the SQL text, unquoted and unvalidated.
$query  = "SELECT news_title, news_text";
$query .= " FROM news";
$query .= " WHERE news_id=" . $_GET['id'];

mysql_query($query);
?>
```
It would be a serious mistake to assume that $_GET['id'] will always be a numeric value. The end user controls it and can set it to, for example, 0; DELETE FROM news;, which turns the query into:

SELECT news_title, news_text FROM news WHERE news_id=0; DELETE FROM news;

This would have very serious consequences. Note that mysql_query() itself refuses to run more than one statement per call, so this exact payload fails against it; but the same unfiltered value can just as easily be 0 OR 1=1 or a UNION SELECT that reads other tables. The flaw is the unquoted, unvalidated concatenation, not the particular payload.
Validating numeric data
Numeric data is the easiest to verify. PHP has a built-in function, is_numeric(), that returns true when a value is a number or a numeric string; it is a PHP function rather than a MySQL one, so it can be used to validate numbers in a PHP program on any database platform. Be aware of what it accepts: leading whitespace, a sign, a decimal point and exponent notation all pass ("1e3", " 42", "-1.5"), so for an integer id it is safer to also cast the validated value with (int), or to use filter_var() with FILTER_VALIDATE_INT, before it reaches the query.
Here is the modified code:
```php
<?php
if (!is_numeric($_GET['id'])) {
    // ID is not numeric? Kill the script before the query can run.
    die("The ID must be numeric!");
}

$query  = "SELECT news_title, news_text";
$query .= " FROM news";
// The cast turns values such as "1e3" or " 42" into a plain integer.
$query .= " WHERE news_id=" . (int) $_GET['id'];

mysql_query($query);
?>
```
Validating non-numeric data
Validating non-numeric data is slightly more troublesome. PHP has a feature called magic quotes. When it is enabled (magic_quotes_gpc), PHP automatically prefixes every single quote ('), double quote ("), backslash (\) and NUL byte in the $_GET, $_POST and $_COOKIE arrays with a backslash. The problem is that not every server has this feature turned on (it was deprecated in PHP 5.3 and removed in 5.4), so the code has to check. You can use the get_magic_quotes_gpc() function to determine whether magic quotes is enabled.
Within a MySQL query you can use the mysql_real_escape_string() function to escape the value. It needs an open MySQL connection (it escapes according to the connection's character set), and the escaped value must be placed between quotes in the SQL; escaping does nothing for a value that is concatenated bare. The code is as follows:
```php
<?php
// Fix a $_POST variable called firstName for MySQL.
// A mysql_connect() connection must already be open at this point.
$firstName = $_POST['firstName'];
if (get_magic_quotes_gpc()) {
    // If magic quotes is enabled, turn the string back into an unescaped string.
    $firstName = stripslashes($firstName);
}

// Now convert the unsafe string into a MySQL-safe string.
$firstName = mysql_real_escape_string($firstName);

// $firstName should now be safe to insert into a quoted string literal in a query.
?>
```
Output to Page
To display the value on a page correctly, keep the original (unescaped) copy for output and pass it through htmlentities(); use stripslashes() only to undo magic quotes. Do not echo the mysql_real_escape_string() result and then strip the slashes back out: that round trip is lossy (an escaped newline comes back as a plain n), and SQL escaping and HTML escaping serve different sinks.

```php
<?php
$firstName = $_POST['firstName'];
if (get_magic_quotes_gpc()) {
    // If magic quotes is enabled, turn the string back into an unescaped string.
    $firstName = stripslashes($firstName);
}

// Convert the unsafe string into a MySQL-safe copy for the query only.
$safeFirstName = mysql_real_escape_string($firstName);

// Safe query: the escaped value sits inside single quotes.
mysql_query("INSERT INTO names VALUES ('" . $safeFirstName . "')");

// Page output: HTML-encode the original value, not the SQL-escaped copy.
echo "Hello " . htmlentities($firstName);
?>
```
Final integration
Finally, you can wrap this in a small function that decides how to make a value safe for a MySQL query. Two points matter when using it: string results must still be placed between quotes in the SQL, and the function is only for the query; if you also want to show the value on a web page, use the original value with htmlentities() (after stripslashes() if magic quotes is on). Note also that the mysql_* extension was removed in PHP 7; in current PHP the equivalent protection is a prepared statement with bound parameters (mysqli or PDO), which makes the escaping unnecessary.

```php
<?php
function verifyInput($input, $forceInt = false)
{
    if (is_numeric($input)) {
        // For integers, cast so that forms such as "1e3" or " 42" are normalised.
        return $forceInt ? (int) $input : $input;
    } elseif (!$forceInt) {
        if (get_magic_quotes_gpc()) {
            // If magic quotes is enabled, get rid of those pesky slashes.
            $input = stripslashes($input);
        }
        // Convert the input variable into a MySQL-safe string.
        $input = mysql_real_escape_string($input);
        return $input;
    } else {
        // If input is not an integer and $forceInt is true, kill the script.
        die("Invalid input");
    }
}

// $_POST['name'] should be a string.
// $_POST['id'] should be an integer; if not, the script dies.
$id   = $_POST['id'];
$name = $_POST['name'];

// String values must be quoted in the SQL; the escaping only protects quoted literals.
$query  = "UPDATE users SET name='" . verifyInput($name) . "'";
$query .= " WHERE id=" . verifyInput($id, true);

// $query should be safe to run.
mysql_query($query);
?>
```
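The same two queries (the news lookup from the first section and the user update from the integration section), written as an added example that is not part of the original article, using PDO prepared statements and a strict integer check instead of is_numeric() and mysql_real_escape_string(). The DSN, credentials and the names of the news and users tables and their columns are assumptions for illustration.

```php
<?php
// Added example, not the article's code: prepared statements make the
// escaping in the article unnecessary, because parameters are sent to the
// server separately from the SQL text.
declare(strict_types=1);

function connect(): PDO
{
    // Placeholder DSN and credentials (assumed for the example).
    return new PDO(
        'mysql:host=localhost;dbname=example;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares; parameters never touch the SQL string.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Strict integer check for identifiers. Unlike is_numeric(), this rejects
// "1e3", " 42", "4.0", negative values and null; returns null on failure.
function validateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Assumed table: news(news_id, news_title, news_text).
function fetchNews(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT news_title, news_text FROM news WHERE news_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Assumed table: users(id, name). Returns the number of rows changed.
function updateUserName(PDO $pdo, int $id, string $name): int
{
    // Length limit is an application rule, not an injection defence;
    // the binding below is what keeps quotes in $name harmless.
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1..100 characters');
    }
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling: reject a bad id before any database work happens.
$id = validateId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('The id must be a positive integer.');
}

$pdo  = connect();
$news = fetchNews($pdo, $id);
if ($news === null) {
    http_response_code(404);
    exit('No such article.');
}

// Output sink: HTML-encode for the page; the value was never SQL-escaped.
echo '<h1>' . htmlspecialchars($news['news_title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>'  . htmlspecialchars($news['news_text'],  ENT_QUOTES, 'UTF-8') . '</p>';
?>
```

With PDO::ATTR_EMULATE_PREPARES set to false, a payload such as 0; DELETE FROM news or O'Brien is bound as data and can never change the statement's structure; validateId() is still worth keeping so that malformed ids are refused with a 400 instead of reaching the database at all.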