Over the past two days I have been looking at anti-SQL injection in PHP, and I think it is necessary to summarize:
The first step is to do some PHP security configuration:
1. Change display_errors to Off in php.ini:
display_errors = Off
Or add this at the top of the PHP file before any other code:
error_reporting(0);
2. Turn off some "bad features"
1) Turn off the magic quotes feature.
Put magic_quotes_gpc = Off in php.ini.
This avoids escaping the same input twice when addslashes() and similar functions are also used.
2) Turn off register_globals.
Put register_globals = Off in php.ini.
In the case of register_globals = On
3. Use the filter functions
addslashes() puts a backslash in front of the single quote ('), the double quote ("), the backslash (\) and the NUL byte, producing \', \", \\ and an escaped NUL. stripslashes() does the opposite. It is important to note that if magic_quotes_gpc = On in php.ini, the input has already been escaped once, so calling addslashes() on it escapes it a second time. Check get_magic_quotes_gpc() before using it:
if (!get_magic_quotes_gpc()) { $abc = addslashes($abc); }
mysql_real_escape_string() was added in PHP 4.3.0 and escapes according to the character set of the open connection; on older versions fall back to mysql_escape_string():
if (version_compare(PHP_VERSION, '4.3.0', '>=')) { $string = mysql_real_escape_string($string); } else { $string = mysql_escape_string($string); }
4. Filtering of non-text parameters
function _str_replace($str) {
    // Blacklist filter: strips whitespace, quote characters, SQL comment markers
    // and a list of SQL keywords from the input. Note that str_replace() is
    // case-sensitive, so "Select" is removed but "select" and "SELECT" are not,
    // and that it also removes these substrings from ordinary words ("or" in
    // "word", "and" in "band"), so apply it only where that is acceptable.
    $search = array(
        " ", "\n", "\r", "'", "\"", "or", "and", "#", "\\", "-- ", "null", "%",
        // "_",   // left commented out, as in the original
        ">", "<", "=", "Char", "Declare", "Select", "Create", "delete",
        "Insert", "Execute", "Update", "Count",
    );
    // str_replace() with an array applies the replacements in order, which is
    // equivalent to calling it once per entry.
    return str_replace($search, "", $str);
}
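The following ties step 3 and step 4 together: text parameters are unescaped from magic quotes and then escaped once, while non-text parameters are cast to their type instead of being run through a keyword blacklist. It is an added example, not code from the original post; the function names, the optional $db mysqli connection and the sample inputs are assumptions.

```php
<?php
// Added example. Assumes $db is an open mysqli connection when one is
// available; without it the string path falls back to addslashes() so the
// script can be run offline for illustration.

function raw_input($value) {
    // With magic_quotes_gpc = On the value already carries one layer of
    // backslashes; remove it so the escaping below is not applied twice.
    // get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

function sql_string_param($value, $db = null) {
    $value = raw_input($value);
    $escaped = ($db instanceof mysqli)
        ? mysqli_real_escape_string($db, $value)   // connection-aware escaping
        : addslashes($value);                      // offline fallback
    return "'" . $escaped . "'";                   // always quoted in the SQL
}

function sql_int_param($value) {
    // Non-text parameter: cast to the expected type instead of filtering words.
    // Anything that is not a plain integer collapses to its leading digits or 0.
    return (string) (int) raw_input($value);
}

// Constructed inputs standing in for $_GET values.
$name = "O'Reilly";   // legitimate text containing a quote
$id   = "12abc";      // non-numeric junk in a numeric parameter

$sql = "SELECT id, name FROM users WHERE name = " . sql_string_param($name)
     . " AND id = " . sql_int_param($id);
echo $sql, "\n";
```

Running it without a connection shows the quote in the name escaped inside the string literal and the id reduced to the integer 12; with a real mysqli connection the string path uses the connection's character set.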
Anti-SQL injection attacks