This article mainly introduces SQL injection and the code used to escape input. In practice you can also refer to how DedeCMS, EmpireCMS, and PHPCMS handle this; with these measures in place your code should be safer.
SQL Injection:
Under normal circumstances:
delete.php?id=3
$sql = 'delete from news where id = ' . $_GET['id'];
Malicious situation:
delete.php?id=3 or 1
$sql = 'delete from news where id = 3 or 1'; ------- "id = 3 or 1" is true for every row, so this statement deletes all records.
Countermeasures must be taken. For example, check that the value is a number before using it (is_numeric(), ctype_digit(), or a cast with intval()); better still, bind it through a prepared statement so the value is never spliced into the SQL text at all.
Treat information sent from the client as always unreliable!!
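The delete.php scenario above, reproduced as an added example that is not code from the original article: the vulnerable query is run beside a checked, parameterised version against an in-memory SQLite database through PDO. The article does not give the table schema, so a minimal news(id, title) table is constructed here as an assumption.

```php
<?php
// Added example, not from the original article. Requires the pdo_sqlite extension.

function seed(PDO $pdo)
{
    // Constructed sample data: three rows, so a wipe is easy to see.
    $pdo->exec('DROP TABLE IF EXISTS news');
    $pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
    foreach ([1 => 'first', 2 => 'second', 3 => 'third'] as $id => $title) {
        $pdo->exec("INSERT INTO news (id, title) VALUES ($id, '$title')");
    }
}

function countNews(PDO $pdo)
{
    return (int) $pdo->query('SELECT COUNT(*) FROM news')->fetchColumn();
}

// The article's vulnerable pattern: the raw query-string value is glued into the SQL text.
function deleteVulnerable(PDO $pdo, $id)
{
    $sql = 'delete from news where id = ' . $id;
    $pdo->exec($sql);
}

// Hardened: refuse anything that is not a string of ASCII digits before building any SQL
// ("3 or 1", "-1", "3.0" and "" all fail ctype_digit), then bind the value so the driver
// can never parse it as SQL syntax.
function deleteChecked(PDO $pdo, $id)
{
    if (!is_string($id) || !ctype_digit($id)) {
        throw new InvalidArgumentException("id must be a positive integer, got: $id");
    }
    $stmt = $pdo->prepare('DELETE FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Normal request: delete.php?id=3
seed($pdo);
deleteVulnerable($pdo, '3');
printf("after id=3 (vulnerable): %d rows left\n", countNews($pdo));

// Malicious request: delete.php?id=3 or 1  ->  "where id = 3 or 1" matches every row
seed($pdo);
deleteVulnerable($pdo, '3 or 1');
printf("after id=3 or 1 (vulnerable): %d rows left\n", countNews($pdo));

// The same malicious request is rejected by the checked version before any SQL is built
seed($pdo);
try {
    deleteChecked($pdo, '3 or 1');
} catch (InvalidArgumentException $e) {
    printf("checked version rejected it: %s\n", $e->getMessage());
}
printf("after id=3 or 1 (checked): %d rows left\n", countNews($pdo));

// A legitimate id still works through the prepared statement
printf("checked delete of id=2 removed %d row(s)\n", deleteChecked($pdo, '2'));
```

Run it with `php delete_demo.php`. The digit check alone would already stop this particular payload, but the prepared statement is what makes the query safe regardless of what validation is forgotten later: the id travels to the database as a bound integer, not as part of the statement text.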
Escape:
Data transmitted from the client may deliberately contain special characters such as single quotes and backslashes. Before such data is placed in a query, those characters must be escaped so that they are treated as ordinary characters; addslashes(string $str) does this by prefixing single quotes, double quotes, backslashes and NUL bytes with a backslash. The function escapes a single string variable. To escape every element of an array, loop over it with foreach, as shown below:
The Code is as follows:
foreach ($_POST as $k => $v) {
    if (is_string($v)) {
        $_POST[$k] = addslashes($v);
    }
}
However, if the array itself contains arrays (for example a form field named tags[]), the foreach above only sees the inner array as a single non-string value and skips it, so the escaping must be done recursively. PHP provides array_walk_recursive() for this:
array_walk_recursive(array &$array, callable $callback [, mixed $userdata])
It applies the user-defined function $callback to every element of the array, descending into nested arrays. $callback normally takes two parameters: the element's value first and its key second; to modify the element, the value parameter must be declared by reference. If the optional $userdata is supplied, it is passed to $callback as a third argument. The function returns TRUE on success and FALSE on failure.
That is to say, the callback must accept at least two parameters, whereas addslashes() takes only one. A small wrapper function is therefore needed:
The Code is as follows:
function a(&$v, $k) {
    // Escape string leaves only; numbers, booleans and nulls are left untouched
    if (is_string($v)) {
        $v = addslashes($v);
    }
}
// array_walk_recursive already takes the array by reference; writing &$arr at the
// call site is a call-time pass-by-reference, which has been a fatal error since PHP 5.4
array_walk_recursive($arr, 'a');
Automatic escape:
PHP (before version 5.4) has a feature called magic quotes. To enable it, set magic_quotes_gpc = On in php.ini and restart Apache.
Once magic quotes are on, PHP automatically escapes all $_GET, $_POST and $_COOKIE data as it arrives. If you then escape the data again without realising this, every value is escaped twice (O'Brien becomes O\\\'Brien). To escape correctly, first check whether magic quotes are enabled with get_magic_quotes_gpc(), which returns 0 when the setting is off and 1 when it is on. Note that magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, where get_magic_quotes_gpc() always returns false; the function itself was removed in PHP 8.0, so code that still calls it must guard the call with function_exists(). On current PHP versions, prepared statements are the right replacement for both magic quotes and hand-rolled escaping.
The Code is as follows:
if (!get_magic_quotes_gpc()) { // if magic quotes are not enabled, escape the request data ourselves
    function _addslashes(&$v, $k) {
        if (is_string($v)) {
            $v = addslashes($v);
        }
    }
    // no & at the call site: array_walk_recursive takes its array by reference already
    array_walk_recursive($_GET, '_addslashes');
    array_walk_recursive($_POST, '_addslashes');
    array_walk_recursive($_COOKIE, '_addslashes');
}
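The recursive escaping and the magic-quotes check from the two sections above, combined into one added example that is not code from the original article. It escapes a constructed nested request array (standing in for $_POST) exactly once with array_walk_recursive, and then shows what a second, blind pass does to the data, which is the double-escaping problem magic quotes used to cause. It assumes PHP 5.4 or later, where magic quotes no longer exist, so the "already escaped" state is detected with a guard that stays correct on every version and can also be overridden explicitly for the demonstration.

```php
<?php
// Added example, not from the original article.

// Callback for array_walk_recursive: value first (by reference so it can be rewritten), key second.
function escapeLeaf(&$value, $key)
{
    // addslashes() prefixes ' " \ and NUL with a backslash. Only strings need it; leaving ints,
    // floats, bools and nulls alone keeps later is_numeric()/is_int() checks meaningful.
    if (is_string($value)) {
        $value = addslashes($value);
    }
}

// True only on PHP < 5.4 with magic_quotes_gpc = On. On 5.4..7.4 get_magic_quotes_gpc() always
// returns false; on 8.0+ the function is gone, which is why function_exists() is tested first.
function gpcAlreadyEscaped()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Escape every string leaf of a request array once. $alreadyEscaped defaults to the runtime's
// magic-quotes state; the calls below pass it explicitly to emulate both situations.
function escapeRequest(array $request, $alreadyEscaped = null)
{
    if ($alreadyEscaped === null) {
        $alreadyEscaped = gpcAlreadyEscaped();
    }
    if ($alreadyEscaped) {
        return $request; // the runtime did it already; escaping again would corrupt the data
    }
    // array_walk_recursive takes the array by reference itself: no & at the call site.
    array_walk_recursive($request, 'escapeLeaf');
    return $request;
}

// Constructed form post with a nested tags[] field and a non-string value.
$post = [
    'title' => "Today's news",
    'body'  => 'He said "hi" \\ then left',
    'views' => 3,
    'tags'  => ['php', "o'reilly", ['deep' => "it's nested"]],
];

// Magic quotes off: escape here, every string leaf at every depth gets one backslash layer.
$once = escapeRequest($post, false);
print_r($once);

// Magic quotes on: leave the data exactly as received.
$skipped = escapeRequest($post, true);
var_dump($skipped === $post);

// What happens if the magic-quotes check is forgotten and the data is escaped a second time.
$twice = escapeRequest($once, false);
echo $once['title'], "\n";
echo $twice['title'], "\n";

// stripslashes() reverses one level of escaping, which is how double-escaped input is repaired.
var_dump(stripslashes($once['title']) === $post['title']);
```

Run it with `php escape_demo.php` and compare the title line printed for $once with the one for $twice. Two caveats for anyone porting this pattern: addslashes() is not aware of the database's character set, so for a real MySQL connection mysqli_real_escape_string() (or, better, a prepared statement) is the correct tool, and escaping only protects quoted string contexts, which is why the numeric id in the delete.php example still needs its own check.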