This article mainly introduces the PHP method to prevent injection attacks. The example analyzes the related string functions and special character processing. For more information, see
This article analyzes in detail how PHP can prevent injection attacks in the form of examples. Share it with you for your reference. The specific analysis is as follows:
PHP addslashes () function -- escape with single apostrophes and diagonal lines
PHP String Function
Definition and usage
The addslashes () function adds a backslash before the specified predefined character.
The predefined characters are:
Single quotes (')
Double quotation marks (")
Backslash (\)
NULL
Syntax:
Addslashes (string)
Parameter description
String is required. Specifies the string to be checked.
Tips and comments
Tip: this function can be used to prepare suitable strings for strings stored in the database and database query statements.
Note: by default, the magic_quotes_gpc command of PHP is on, and addslashes () is automatically run for all GET, POST, and COOKIE data (). Do not use addslashes () for strings that have been escaped by magic_quotes_gpc, because this causes double-layer escape. In this case, you can use the get_magic_quotes_gpc () function for detection.
Example
In this example, we want to add a backslash to the predefined characters in the string:
The Code is as follows:
<? Php
$ Str = "Who's John Adams? ";
Echo $ str. "This is not safe in a database query.
";
Echo addslashes ($ str). "This is safe in a database query .";
?>
Get_magic_quotes_gpc Function
The Code is as follows:
Function html ($ str)
{
$ Str = get_magic_quotes_gpc ()? $ Str: addslashes ($ str );
Return $ str;
}
Get_magic_quotes_gpc:
Obtain the value of magic_quotes_gpc in the PHP environment variable.
Syntax: long get_magic_quotes_gpc (void );
Return Value: Long Integer
Function Type: PHP System Function
Description:
This function obtains the magic_quotes_gpc (GPC, Get/Post/Cookie) value set in the PHP environment. If the return value is 0, this function is disabled. If the return value is 1, this function is enabled. When magic_quotes_gpc is enabled, all '(single quotation marks),' (double quotation marks), \ (backslash) and null characters are automatically converted to overflow characters containing the backslash.
Addslashes -- use a backslash to reference a string
Description:
String addslashes (string str)
Returns a string that requires a backslash before certain characters for database query statements. These characters are single quotation marks ('), double quotation marks ("), backslash (\), and NUL (NULL ).
An example of using addslashes () is when you want to input data into the database. For example, insert the name 'Reilly into the database, which requires escaping. Most databases use \ as the Escape Character: O \ 'Reilly. In this way, the data can be put into the database without inserting additional \. When the PHP Command magic_quotes_sybase is set to on, it means that when 'is inserted,' is used for escape.
By default, the PHP Command magic_quotes_gpc is on, which automatically runs addslashes () on all GET, POST, and COOKIE data (). Do not use addslashes () for strings that have been escaped by magic_quotes_gpc, because this causes double-layer escape. In this case, you can use the get_magic_quotes_gpc () function for detection.
Example 1. addslashes () Example
The Code is as follows:
$ Str = "Is your name O 'Reilly? ";
// Output: Is your name O \ 'Reilly?
Echo addslashes ($ str );
?>
Get_magic_quotes_gpc ()
For magic_quotes_gpc in php. ini, is it set to off or on?
Personal opinion, should be set to on
Summary:
1. For magic_quotes_gpc = on,
We may not use the string data of the input or output database
The operation of addslashes () and stripslashes () will also display the data normally.
If you perform addslashes () processing on the input data,
In this case, you must use stripslashes () to remove unnecessary backslash.
2. magic_quotes_gpc = off
You must use addslashes () to process the input data, but you do not need to use stripslashes () to format the output.
Because addslashes () does not write the backslash together into the database, it only helps mysql to complete SQL statement execution.
Supplement:
Magic_quotes_gpc: WEB Client Server; Time: When the request starts, for example, when the script is running.
Magic_quotes_runtime: The data read from the file, the exec () execution result, or the result obtained from the SQL query. function time: the data generated every time the script accesses the running state.
Code:
The Code is as follows:
<? Php
/*
Sometimes there are more than one variable to be submitted in a form. There may be a dozen or dozens of variables. Is it a little trouble to copy/paste the addslashes () at a time? Because the data obtained from the form or URL is in the form of an array, such as $ _ POST, $ _ GET), you can customize a function that can "scan the army ".
*/
Function quotes ($ content)
{
// If magic_quotes_gpc = Off, start processing
If (! Get_magic_quotes_gpc ()){
// Determine whether $ content is an array
If (is_array ($ content )){
// If $ content is an array, it will process every single
Foreach ($ content as $ key => $ value ){
$ Content [$ key] = addslashes ($ value );
}
} Else {
// If $ content is not an array, it will be processed only once.
Addslashes ($ content );
}
} Else {
// If magic_quotes_gpc = On, it will not be processed
}
// Returns $ content
Return $ content;
}
?>
I hope this article will help you with PHP programming.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
