To ensure data security and prevent injection, the strings received through $_GET need to be filtered, so I also wrote a filter function at the beginning.
PHP has a built-in filter function, addslashes(), which we recommend.
One use of addslashes() is when you are entering data into a database. For example, inserting the name O'reilly into a database requires escaping it. Most databases use \ as the escape character: O\'reilly. This lets the data be put into the database without the extra \ being inserted. When the PHP directive magic_quotes_sybase is set to on, ' is escaped with another ' instead.
Example:
MySQL and PHP come with many functions that can handle these character issues. Below are some frequently used ones.
PS: Since magic_quotes_gpc is no longer supported starting with PHP 6, everything below assumes magic_quotes_gpc = off (I don't know what new things will happen in PHP 6 ...)
mysql_real_escape_string()
Definition: this function escapes special characters in a string for use in an SQL statement.
Syntax: mysql_real_escape_string(string, connection)
Note: This function escapes special characters in string and takes the current character set of the connection into account, so the result can be safely used with mysql_query().
Because the example code is too long, a link to the function's explanation is provided.
Database attack. This example demonstrates what happens if we do not apply the mysql_real_escape_string() function to the user name and password:
<?php
// Uses the legacy ext/mysql API (removed in PHP 7.0).
$con = mysql_connect("localhost", "hello", "321");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

// No check is made on the user name and password.
// They can be anything the user enters, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

// Vulnerable on purpose: the values are pasted into the statement unescaped.
$sql = "SELECT * FROM users
WHERE user = '{$_POST['user']}'
AND password = '{$_POST['pwd']}'";
mysql_query($sql);

// Some code...

mysql_close($con);
?>
The SQL query will look like this:
SELECT * FROM users
WHERE user = 'john' AND password = '' OR ''=''
This means that any user can log in without entering a valid password.
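The login bypass above and its fix, as an added example that is not part of the original page. It assumes the pdo_sqlite extension and runs against an in-memory SQLite table with one constructed row instead of the page's MySQL server, so PDO::quote() stands in for mysql_real_escape_string(); the function names login_unescaped, login_escaped and raw_input_value are made up for this illustration.

```php
<?php
// Added example: constructed data, in-memory SQLite in place of the page's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('john', 's3cret')"); // constructed row

// Undo magic_quotes_gpc where it still exists (old PHP versions only),
// so that a value is escaped exactly once and never double-escaped.
function raw_input_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Vulnerable: the pattern from the page, input pasted straight into the statement.
function login_unescaped(PDO $db, $user, $pwd)
{
    $sql = "SELECT * FROM users WHERE user = '$user' AND password = '$pwd'";
    return count($db->query($sql)->fetchAll());
}

// Hardened: every value is escaped for the connection's SQL dialect first.
// PDO::quote() escapes the value and adds the surrounding quotes itself.
function login_escaped(PDO $db, $user, $pwd)
{
    $sql = "SELECT * FROM users WHERE user = " . $db->quote(raw_input_value($user))
         . " AND password = " . $db->quote(raw_input_value($pwd));
    return count($db->query($sql)->fetchAll());
}

$pwd = "' OR ''='"; // the password value used in the page's example

echo "unescaped, injected pwd: ", login_unescaped($db, 'john', $pwd), " row(s)\n";
echo "escaped, injected pwd:   ", login_escaped($db, 'john', $pwd), " row(s)\n";
echo "escaped, stored pwd:     ", login_escaped($db, 'john', 's3cret'), " row(s)\n";
```

The unescaped query matches the constructed row for the injected password, while the escaped query matches it only for the stored password.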
addslashes()
Definition: The addslashes() function adds a backslash before each of the predefined characters.
Syntax: addslashes(string)
Note: by default, the PHP directive magic_quotes_gpc is on, and incoming data is automatically passed through addslashes(). Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, because this will lead to double escaping. In that case, you can use the function get_magic_quotes_gpc() to check.
Because the example code is too long, a link to the function's explanation is provided.
Related functions
<?php
$str = "Is your name O'Reilly?";
// Output: Is your name O\'Reilly?
echo addslashes($str);
?>
stripslashes(): remove backslash characters
The stripslashes() function removes the backslashes added by the addslashes() function.
Syntax: stripslashes(string)
<?php
// Output: Who's John Adams?
echo stripslashes("Who\'s John Adams?");
?>