function Strinput ($input)
{
$input =strval ($input);
$replace =array (' Union ', ' load ', ' and ', ' or ', ' select ', ' Update ', ' Insert ', ' delete ', ' create ', ' char ', ' AscII ', ' ord ', ' Conv ', ' = ', '--', ' # ', ' * ', '% ', ' _ ', ' \ \ ', ' \ ', ' \ ' ";
$input =str_ireplace ($replace, "0", $input);
return $input;
}
Define a filter function that passes through the string data for all GPC. Does this completely prevent MySQL injection attacks?
Reply content:
This type of filtering can only add some trouble to the injectors, far from being completely defensive.
1, the injector can use Select to replace Select
2. The injector can use SEL
SelectECT to allow you to filter over and try to get select
3, the injector can use the URL code to replace all input
4, the injection can ... In many ways, try out what your filter function looks like.
The skills of you and the injectors can be continuously promoted in the tug of the leak.
It is not until you have used one of the following methods to embark on a safe journey:
1, white list. Strict definition can only enter which characters to query, others are not.
2, parameterized query. Compile the SQL language first, and then substitute the parameters. At this point, even if he submits the select * from password where table=admin will only query this long string of characters without executing the SQL statement. The example below PHP is said by Li Shiguang. This function to completely prevent MySQL injection attack is still relatively difficult, attack and prevention is dynamic, if once and for all the defense is difficult.
1, for some security defense, may not be able to bypass the current, but with the attack technology research may appear bypass method, such as Dedecms, DZ and other security defenses are often bypass.
2. Depending on your business, the code that implements your business may provide a way to bypass it. For example, a simple search service might call the UrlDecode decoding function in the following code:
.....
$q = strinput ($_get[' query ');
$q = UrlDecode ($q);
$sql = "SELECT * from table where key= '". $q. "'";
.....
All the filtering you've done in front of UrlDecode is futile.
To minimize security breaches is not just SQL injection, but the right thing to do in a proper place. This may be to learn some security knowledge, such as "White Hat web Security," "Web Front End Hacker" is a good web security books.
PHP Secure online documentation (e-text): Survive the deep end:php security
About MySQL protection is actually very simple.
1. Use PDO::p repare pdo::bindparam to filter input parameters
2. Convert HTML to entity htmlspecialchars using PHP's PDO extension to use the database, the extended encapsulated classes and methods have taken into account the anti-injection. Use PHP's security function to escape the variable when you query. It is recommended to use parameterized queries or white lists.
The blacklist is almost always undesirable at all times. Please use PDO do not be smart to filter, there will always be missing places, you can't filter out.
Please use PDO + parameter binding, once and for all, solve everything. You have to notice that this is likely to filter the user's legal input.
There are two common ways to filter SQL injection:
1 mysql_real_escape_string
2 PDO's Prepare+bind
In addition, the security of the site is not only SQL injection, but also to consider CSRF and XSS and so on. String filtering:
1>mysql_real_escape_string
2>pdo::p repare
