This article introduces the most comprehensive methods to prevent SQL injection in PHP. If you are interested in the PHP tutorial, please refer to it.
(1) mysql_real_escape_string() -- escapes the special characters in a string before it is used in an SQL statement, taking into account the current character set of the connection.
The usage is as follows:
$sql = "select count(*) as ctr from users where username
= '".mysql_real_escape_string($username)."' and
password= '".mysql_real_escape_string($pw)."' limit 1";
Wrapping every user-supplied value in mysql_real_escape_string() in this way prevents malicious SQL injection through that input.
(2) Enable magic_quotes_gpc to prevent SQL injection.
One setting in php.ini is magic_quotes_gpc = Off.
It is disabled by default. When enabled, it automatically escapes the input submitted by the user,
for example converting ' to \', which plays a major role in preventing SQL injection.
If magic_quotes_gpc = Off, use the addslashes() function instead.
(3) User-defined functions
<?php
// Blacklist check for SQL keywords and metacharacters in a submitted value.
// eregi() was removed in PHP 7; preg_match() with the i modifier is the equivalent.
// Note that the bare words "and" and "or" also match inside ordinary input such as "password".
function inject_check( $sql_str ) {
return preg_match( '/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str );
}
// Validate a numeric id parameter: reject empty, blacklisted or non-numeric values, then cast to int.
function verify_id( $id = null ) {
if ( !$id ) {
exit( 'No submission parameter!' );
} elseif ( inject_check( $id ) ) {
exit( 'The submitted parameter is invalid!' );
} elseif ( !is_numeric( $id ) ) {
exit( 'The submitted parameter is invalid!' );
}
$id = intval( $id );
return $id;
}
// Escape a string for use inside a quoted SQL value, including the LIKE wildcards _ and %.
function str_check( $str ) {
// get_magic_quotes_gpc() was removed in PHP 8; treat magic quotes as off when it no longer exists.
if ( !function_exists( 'get_magic_quotes_gpc' ) || !get_magic_quotes_gpc() ) {
$str = addslashes( $str ); // Filter
}
$str = str_replace( "_", "\_", $str );
$str = str_replace( "%", "\%", $str );
return $str;
}
// Escape a posted text for SQL and for display as HTML.
function post_check( $post ) {
if ( !function_exists( 'get_magic_quotes_gpc' ) || !get_magic_quotes_gpc() ) {
$post = addslashes( $post );
}
$post = str_replace( "_", "\_", $post );
$post = str_replace( "%", "\%", $post );
// htmlspecialchars() must run before nl2br(), otherwise the inserted <br /> tags are encoded too.
$post = htmlspecialchars( $post );
$post = nl2br( $post );
return $post;
}
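The login count query from (1) and the LIKE-wildcard escaping from str_check() in (3), as an added example that is not part of the article: the mysql_* extension the article uses was removed in PHP 7.0, so this uses PDO (PDO::quote() as the driver-aware counterpart of mysql_real_escape_string(), and bound parameters) against an in-memory SQLite database, which assumes the pdo_sqlite extension and needs no MySQL server. Table layout and rows are constructed for the example.

```php
<?php
// Added example, not from the article. In-memory SQLite via PDO (assumed available).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");

// Constructed sample rows. The apostrophe in O'Brien is the character that
// would terminate the string literal in a naively concatenated query.
$seed = $pdo->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$seed->execute(["O'Brien", 'secret']);
$seed->execute(['alice', 'hunter2']);

// Way 1: escape, then interpolate, as mysql_real_escape_string() does in (1).
// PDO::quote() adds the surrounding quotes and escapes according to the
// connected driver (SQLite doubles the quote, MySQL backslash-escapes), which
// is why escaping has to know the connection and its character set.
function count_users_quoted(PDO $pdo, string $username, string $pw): int {
    $sql = "SELECT COUNT(*) AS ctr FROM users WHERE username = "
         . $pdo->quote($username) . " AND password = " . $pdo->quote($pw) . " LIMIT 1";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Way 2: bound parameters. The value travels separately from the SQL text,
// so no character in it can alter the statement's structure.
function count_users_bound(PDO $pdo, string $username, string $pw): int {
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) AS ctr FROM users WHERE username = ? AND password = ? LIMIT 1");
    $stmt->execute([$username, $pw]);
    return (int) $stmt->fetchColumn();
}

// Quoting does not neutralise LIKE wildcards; that is why str_check() in (3)
// escapes _ and %. Here the escape character is declared with ESCAPE so the
// database applies it, and the backslash itself is escaped first.
function count_users_like(PDO $pdo, string $prefix): int {
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $prefix);
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE username LIKE ? ESCAPE '\\'");
    $stmt->execute([$escaped . '%']);
    return (int) $stmt->fetchColumn();
}

var_dump(count_users_quoted($pdo, "O'Brien", 'secret'));  // quoted value keeps its apostrophe
var_dump(count_users_bound($pdo, "O'Brien", 'secret'));   // same lookup with a bound value
var_dump(count_users_bound($pdo, "O'Brien", 'wrong'));    // wrong password finds no row
var_dump(count_users_like($pdo, 'a_'));  // "_" is escaped, so it is literal rather than a wildcard
var_dump(count_users_like($pdo, 'al'));  // plain prefix search
```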
The above covers the most comprehensive methods to prevent SQL injection in PHP. I hope it is helpful to readers who are interested in PHP tutorials.