Differences between several built-in functions of PHP against SQL injection attacks

SQL injection attacks are the most common means for hackers to attack websites. If your site does not use strict user input tests, it is often vulnerable to SQL injection attacks. SQL injection attacks are usually implemented by submitting bad data or query statements to the site database, which may expose, change, or delete records in the database.

To prevent SQL injection attacks, PHP comes with a function that can process input strings and perform initial security processing on the input at a lower level, that is, Magic Quotes. (Php. ini magic_quotes_gpc ). If the magic_quotes_gpc option is enabled, the single quotation marks, double quotation marks, and other characters in the input string are automatically added with a backslash.

However, Magic Quotes is not a common solution. It does not block all potentially dangerous characters and Magic Quotes is not enabled on many servers. Therefore, we also need to use other methods to prevent SQL injection.

Many databases provide such input data processing functions. For example, MySQL operation functions in PHP Include addslashes (), mysql_real_escape_string (), mysql_escape_string (), and other functions. special characters and characters that may cause database operation errors can be escaped. So what are the differences between the three function functions? The following is a detailed description.

Although many PHP programmers in China are still relying on addslashes to prevent SQL injection, we recommend that you enhance Chinese characters to prevent SQL Injection checks. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only changes 0xbf27 to 0xbf5c27 to a valid multi-byte character, where 0xbf5c is still considered as single quotes, therefore, addslashes cannot be intercepted.

Of course, addslashes is not useless either. It is used for processing single-byte strings and mysql_real_escape_string is used for multi-byte characters.

In addition, the example of get_magic_quotes_gpc in the php manual is as follows:
If (! Get_magic_quotes_gpc ()){
$ Lastname = addslashes ($ _ POST ['lastname']);
} Else {
$ Lastname = $ _ POST ['lastname'];
}
If magic_quotes_gpc is enabled, check $ _ POST ['lastname.

Let's talk about the differences between the two functions mysql_real_escape_string and mysql_escape_string:
Mysql_real_escape_string can be used only when (PHP 4> = 4.3.0, PHP 5. Otherwise, only mysql_escape_string can be used. The difference between mysql_real_escape_string and mysql_escape_string is not considered because of the current character set to be connected.

Summary:

* Addslashes () is forcibly added;
* Mysql_real_escape_string () determines the character set, but it is required for the PHP version;
* Mysql_escape_string does not consider the connected current character set.

In dz, the function addslashes is used to prevent SQL injection, in the dthmlspecialchars function, replace $ string = preg_replace (/& (# (d {3, 5} | x [a-fA-F0-9] {4 }));)/, & \ 1, which solves the injection problem and Chinese garbled characters.