Analysis of PHP protection against injection attacks

This article mainly introduces the PHP method to prevent injection attacks. The example analyzes the related string functions and special character processing, for more information about how to prevent injection attacks, see this document. Share it with you for your reference. The specific analysis is as follows:

The code is as follows:

<? Php
$ Str = "Who's John Adams? ";
Echo $ str. "This is not safe in a database query.
";
Echo addslashes ($ str). "This is safe in a database query .";
?>

Output:
Who's John Adams? This is not safe in a database query.
Who \'s John Adams? This is safe in a database query.

The code is as follows:

Function html ($ str)
{
$ Str = get_magic_quotes_gpc ()? $ Str: addslashes ($ str );
Return $ str;
}

Get_magic_quotes_gpc:
Obtain the value of magic_quotes_gpc in the PHP environment variable.
Syntax: long get_magic_quotes_gpc (void );
Return value: long integer
Function type: PHP system function

Description:

This function obtains the magic_quotes_gpc (GPC, Get/Post/Cookie) value set in the PHP environment. If the return value is 0, this function is disabled. if the return value is 1, this function is enabled. When magic_quotes_gpc is enabled, all '(single quotation marks),' (double quotation marks), \ (backslash) and null characters are automatically converted to overflow characters containing the backslash.

The code is as follows:

$ Str = "Is your name O 'Reilly? ";
// Output: Is your name O \ 'Reilly?
Echo addslashes ($ str );
?>
Get_magic_quotes_gpc ()

This function gets the magic_quotes_gpc (GPC, Get/Post/Cookie) value of the variable configured in the PHP environment. If 0 is returned, this function is disabled. if 1 is returned, this function is enabled. When magic_quotes_gpc is enabled, all '(single quotation marks),' (double quotation marks), \ (backslash) and null characters are automatically converted to overflow characters containing the backslash.

Magic_quotes_gpc

For magic_quotes_gpc in php. ini, is it set to off or on?

Personal opinion, should be set to on

Summary:

1. for magic_quotes_gpc = on,

We may not use the string data of the input or output database
The operation of addslashes () and stripslashes () will also display the data normally.

If you perform addslashes () processing on the input data,
In this case, you must use stripslashes () to remove unnecessary backslash.

2. magic_quotes_gpc = off

You must use addslashes () to process the input data, but you do not need to use stripslashes () to format the output.
Because addslashes () does not write the backslash together into the database, it only helps mysql to complete SQL statement execution.

Supplement:

Magic_quotes_gpc: WEB client server; TIME: When the request starts, for example, when the script is running.
Magic_quotes_runtime: The data read from the file, the exec () execution result, or the result obtained from the SQL query. function Time: The data generated every time the script accesses the running state.

Code:

The code is as follows:

<? Php
/*
Sometimes there are more than one variable to be submitted in a form. There may be a dozen or dozens of variables. Is it a little trouble to copy/paste the addslashes () at a time? Because the data obtained from the form or URL is in the form of an array, such as $ _ POST, $ _ GET), you can customize a function that can "scan the Army ".
*/
Function quotes ($ content)
{
// If magic_quotes_gpc = Off, start processing
If (! Get_magic_quotes_gpc ()){
// Determine whether $ content is an array
If (is_array ($ content )){
// If $ content is an array, it will process every single
Foreach ($ content as $ key => $ value ){
$ Content [$ key] = addslashes ($ value );
}
} Else {
// If $ content is not an array, it will be processed only once.
Addslashes ($ content );
}
} Else {
// If magic_quotes_gpc = On, it will not be processed
}
// Returns $ content
Return $ content;
}
?>

I hope this article will help you with PHP programming.