Any discussion of website security has to mention SQL injection. Anyone who has used ASP will certainly have a deep understanding of SQL injection. PHP is comparatively more secure, because MySQL versions below 4 do not support sub-statements, and because when magic_quotes_gpc in php.ini is On, every ' (single quote), " (double quote), \ (backslash) and null character in submitted variables is automatically escaped with a backslash, which causes a lot of trouble for SQL injection.
Please note: "trouble" does not mean that PHP prevents SQL injection. The book describes ways of altering the injected statement to get around the escaping, such as converting the SQL statement to ASCII encoding (in a format similar to char(100,58,92,108,111,99,97,108,104,111,115,116 ...)), to hexadecimal encoding, or even to other encodings, so that the escape filter is bypassed. So how do we prevent it?
A. Turn on magic_quotes_gpc or use the addslashes() function
In newer versions of PHP, using the addslashes() function while magic_quotes_gpc is on causes no conflict. For better version compatibility, however, it is recommended to check the magic_quotes_gpc state before using the escape function, or to turn it off directly. The code is as follows:
// Remove escape characters (recursively, for nested arrays)
function stripslashes_array($array) {
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } else if (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}
// Note: the magic-quotes functions below exist only in older PHP versions
// (set_magic_quotes_runtime() was removed in PHP 7.0, get_magic_quotes_gpc() in PHP 8.0).
@set_magic_quotes_runtime(0);
// Check the magic_quotes_gpc status
if (@get_magic_quotes_gpc()) {
    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}
After removing the magic_quotes_gpc escaping, use the addslashes() function. The code is as follows:
$keywords = addslashes($keywords);
$keywords = str_replace("_", "\_", $keywords); // Escape "_"
$keywords = str_replace("%", "\%", $keywords); // Escape "%"
The last two str_replace() escapes are there to prevent hackers from converting the SQL encoding to carry out attacks.
B. Force the variable format (type)
In many cases we use URLs like xxx.php?id=xxx, where $id is generally an integer variable. To prevent attackers from tampering with $id and turning it into an attack statement, we should force the variable's type wherever possible. The code is as follows:
$id = intval($_GET['id']);
Of course, there are other variable types; where necessary, force their format as well.
C. Put variables in quotes in SQL statements
This one is simple, and it is easy to make it a habit. First, look at these two SQL statements:
SELECT * FROM article WHERE articleid='$id'
SELECT * FROM article WHERE articleid=$id
Both forms are common in all kinds of programs, but their security differs. In the first statement the variable $id sits inside a pair of single quotes, so whatever we submit becomes a string, and even if it contains a valid SQL statement it will not be executed. The second statement is different: because the variable is not in single quotes, whatever we submit, as long as it contains a space, everything after that space is executed as part of the SQL statement. So we should get into the habit of quoting the variables in SQL statements.
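The following script is an added example, not code from the original article. It builds the article query in the three styles from sections A to C for a few constructed inputs and checks whether the input changed the structure of the statement. The function names, the skeleton() helper and the sample inputs are assumptions made for illustration, and the check assumes MySQL's default backslash escaping inside string literals.

```php
<?php
// Added example: compares the query-building styles from sections A-C.
// Constructed sample inputs for what ?id=... might carry. The second one
// contains no quote characters, so addslashes() leaves it untouched.
$inputs = array('5', '5 OR 1=1', "5' OR '1'='1");

// Second statement in section C: value escaped (A) but not quoted.
function build_unquoted($id) {
    return "SELECT * FROM article WHERE articleid=" . addslashes($id);
}

// First statement in section C: value escaped (A) and quoted.
function build_quoted($id) {
    return "SELECT * FROM article WHERE articleid='" . addslashes($id) . "'";
}

// Section B: value forced to an integer before it reaches the query.
function build_intval($id) {
    return "SELECT * FROM article WHERE articleid=" . intval($id);
}

// Replace quoted literals and bare numbers with "?" so that only the SQL
// structure remains. Backslash-escaped characters stay inside the literal.
function skeleton($sql) {
    $sql = preg_replace("/'(?:[^'\\\\]|\\\\.)*'/s", '?', $sql);
    return preg_replace('/\b\d+\b/', '?', $sql);
}

// The structure the programmer intended: one comparison against one value.
$expected = 'SELECT * FROM article WHERE articleid=?';

foreach ($inputs as $in) {
    foreach (array('build_unquoted', 'build_quoted', 'build_intval') as $fn) {
        $sql = $fn($in);
        $ok  = (skeleton($sql) === $expected) ? 'structure kept   ' : 'STRUCTURE CHANGED';
        printf("%-14s %s  %s\n", $fn, $ok, $sql);
    }
}
```

Only build_unquoted() reports a changed structure, and it does so even for the input without any quote characters, which is why escaping alone does not protect the unquoted form.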
D. URL pseudo-static
URL pseudo-static is simply URL rewriting. As in Discuz!, all URLs are rewritten into a format like xxx-xxx-x.html, which is good for SEO and also provides a certain degree of security, so it is a good approach as well. But to use it for preventing SQL injection in PHP, you need some grounding in regular expressions.