Effective methods for php to prevent SQL injection

Source: Internet
Author: User
To keep data safe and stop injection through strings arriving in $_GET, I first wrote my own filter function; later I noticed that PHP ships a built-in one for this job, so this article recommends addslashes() and shows an example of using it.

An example of why addslashes() is needed: when you insert the name O'Reilly into the database, the single quote has to be escaped first. Most databases use the backslash as the escape character, so the value becomes O\'Reilly and can be stored without breaking the INSERT statement. When the PHP directive magic_quotes_sybase is set to On, a single quote is escaped by doubling it instead ('' rather than \').

Example: MySQL and PHP come with many functions that handle these character issues. Below are some of the most frequently used ones.

PS: magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4 (the "PHP 6" that was expected to drop it never shipped), so everything below assumes magic_quotes_gpc = Off.

mysql_real_escape_string()

Definition: escapes the special characters in a string that is about to be used in an SQL statement.

Syntax: mysql_real_escape_string(string, connection)

Note: this function escapes the special characters in string and takes the character set of the current connection into account, so its output can be used safely in mysql_query(). Because of that it needs an open connection. The whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; on current PHP the equivalents are mysqli_real_escape_string() and PDO::quote(), and prepared statements avoid the need to escape at all.

Database attack. This example shows what happens if we do not apply mysql_real_escape_string() to the user name and password before building the query:

 

The SQL query then becomes:

SELECT * FROM users WHERE user = 'John' AND password = '' OR '' = ''

Since '' = '' is always true, the WHERE clause matches every row, which means anyone can log in without supplying a valid password.
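The attack above with the two ways of closing it, as an added example that is not part of the original article. It assumes a MySQL database named "app" with a table users(user, password) reachable with the credentials shown, and the attacker input is constructed. It uses mysqli because the mysql_* functions the article names no longer exist in PHP 7 and later; the mysqli calls used here need the mysqlnd driver, which is the default.

```php
<?php
// Added example, not from the original article. Assumes a MySQL database
// "app" with table users(user, password) reachable with the credentials below.

$user     = 'John';
$password = "' OR '' = '";   // constructed attacker input

// 1. Vulnerable: user input interpolated straight into the SQL text.
$vulnerable = "SELECT * FROM users WHERE user = '$user' AND password = '$password'";
echo $vulnerable, PHP_EOL;
// SELECT * FROM users WHERE user = 'John' AND password = '' OR '' = ''
// The WHERE clause now reads (user = 'John' AND password = '') OR ('' = ''),
// which is true for every row.

$mysqli = new mysqli('localhost', 'app', 'secret', 'app');
// Set the charset on the connection object, not via a "SET NAMES" query, so that
// real_escape_string() escapes for the same charset the server decodes with.
$mysqli->set_charset('utf8mb4');

// 2. Escaped: the quotes in the input are neutralised for this connection's charset.
$u = $mysqli->real_escape_string($user);
$p = $mysqli->real_escape_string($password);
$escaped = "SELECT * FROM users WHERE user = '$u' AND password = '$p'";
echo $escaped, PHP_EOL;
// SELECT * FROM users WHERE user = 'John' AND password = '\' OR \'\' = \''
// The whole input is still one string literal; the OR never reaches the parser.

// 3. Preferred: prepared statement. Values travel separately from the SQL text,
//    so there is nothing to escape and nothing for the attacker to break out of.
$stmt = $mysqli->prepare('SELECT * FROM users WHERE user = ? AND password = ?');
$stmt->bind_param('ss', $user, $password);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
echo count($rows), ' matching row(s)', PHP_EOL;   // 0 for the attacker input
```

The plaintext password comparison is kept only to match the article's query; a real login stores a hash with password_hash() and checks it with password_verify() after fetching the row by user name.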

addslashes()

Definition: the addslashes() function adds a backslash before each of a predefined set of characters: single quote, double quote, backslash and NUL.

Syntax: addslashes (string)

Note: in PHP versions before 5.4 the magic_quotes_gpc directive defaults to On, and addslashes() is then applied automatically to all GET, POST and COOKIE data. Do not call addslashes() again on strings that magic_quotes_gpc has already escaped, because that produces double escaping (O'Reilly becomes O\\\'Reilly). To handle both settings, check first with get_magic_quotes_gpc(), which returns 1 when magic_quotes_gpc is On and 0 otherwise (the function itself was removed in PHP 8.0). Also keep in mind that addslashes() knows nothing about the connection's character set, so unlike mysql_real_escape_string() it can be bypassed with some multibyte charsets; where a connection-aware escaper or prepared statements are available, prefer them.

stripslashes()

Definition: the stripslashes() function removes the backslashes added by addslashes(), returning the original string.

Syntax: stripslashes(string)
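The double-escaping problem, the get_magic_quotes_gpc() guard and stripslashes() undoing one layer, as an added example that is not part of the original article. The helper name escape_once() and the input "O'Reilly" are assumptions; no database connection is needed.

```php
<?php
// Added example, not from the original article. Demonstrates addslashes(),
// the get_magic_quotes_gpc() guard and stripslashes(); needs no database.

// Escape a value exactly once, whether or not magic_quotes_gpc already did it.
// function_exists() keeps this running on PHP 8, where get_magic_quotes_gpc()
// no longer exists (on PHP >= 5.4 the directive is gone, so the guard is false).
function escape_once(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        // PHP already ran addslashes() on GET/POST/COOKIE data: undo it first.
        $value = stripslashes($value);
    }
    return addslashes($value);
}

$name = "O'Reilly";                 // constructed input

$once  = addslashes($name);         // O\'Reilly
$twice = addslashes($once);         // O\\\'Reilly  (the backslash itself got escaped)
$back  = stripslashes($twice);      // O\'Reilly    (one layer removed again)

printf("once:  %s\ntwice: %s\nback:  %s\n", $once, $twice, $back);

// Raw value, as it arrives with magic_quotes_gpc = Off: escaped exactly once.
echo escape_once($name), PHP_EOL;   // O\'Reilly

// Value as it would arrive with magic_quotes_gpc = On (already escaped by PHP).
// On old PHP the guard strips that layer before escaping, so the result is the
// same O\'Reilly instead of the double-escaped O\\\'Reilly.
$preEscaped = addslashes($name);
echo escape_once($preEscaped), PHP_EOL;   // O\'Reilly on PHP < 5.4 with magic quotes On
```

The guard is only a compatibility shim for old installations; on PHP 5.4 and later input is never pre-escaped, so escape_once() reduces to a plain addslashes() call, and the charset caveat above still applies.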

 

Address:

Reprinted at will, but please attach the article address :-)
