addslashes and other ways of stripping or escaping characters are unsafe, in part because of multibyte characters: "The problem with addslashes is that hackers can use 0xbf27 instead of a single quote. addslashes just turns 0xbf27 into 0xbf5c27, in which 0xbf5c is a valid multibyte character and the 0x27 after it is still treated as a single quote, so addslashes fails to intercept it."
It is best to validate each parameter against what is specifically required (for example, check that it is an int) and to use the parameterized methods of the database operations as well. In fact, this is an SQL problem of the database and should be solved at the source, by the database itself, but some databases fail to provide the corresponding method.
SQL injection attacks are the most common means by which hackers attack websites. If your site does not use strict user input validation, it is often vulnerable to SQL injection attacks. SQL injection attacks are typically implemented by submitting bad data or query statements to the site database, which is likely to expose, change, or delete records in the database.
To prevent SQL injection attacks, PHP comes with a feature that pre-processes input strings at a low level, known as Magic Quotes (the magic_quotes_gpc setting in php.ini). If the magic_quotes_gpc option is enabled, single quotes, double quotes, and some other characters in the input string are automatically preceded by a backslash \.
But Magic Quotes is not a very general solution: it does not block all potentially dangerous characters, and it is not enabled on many servers. So we need a number of other ways to prevent SQL injection.
Many databases themselves provide this input data processing capability. For example, among the functions PHP offers for working with MySQL are addslashes(), mysql_real_escape_string() and mysql_escape_string(), which escape special characters and characters that may cause errors in database operations. So what is the difference between these three functions? Let's go over the details below.
Although many PHP programmers in the country still rely on addslashes to prevent SQL injection, it is recommended to strengthen the checks against SQL injection for Chinese (multibyte) input. The problem with addslashes is that hackers can use 0xbf27 instead of a single quote. addslashes just turns 0xbf27 into 0xbf5c27, in which 0xbf5c is a valid multibyte character and the 0x27 after it is still treated as a single quote, so addslashes cannot intercept it.
Of course addslashes is not useless: use it for single-byte strings, and for multibyte characters use mysql_real_escape_string.
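The byte sequence described above, traced in an added example (not code from the PHP manual or from the original article): it runs addslashes on constructed inputs, then splits the result into characters the way a single-byte reader and a GBK reader would. The helper name has_unescaped_quote and the sample strings are assumptions; the code needs the mbstring extension and PHP 7.4 or later.

```php
<?php
// Added example. has_unescaped_quote() is a hypothetical helper name.

// Walk the string one *character* at a time in the given charset, the way a
// parser reading that charset would, and report whether a single quote is
// left that no backslash character escapes.
function has_unescaped_quote(string $escaped, string $charset): bool
{
    $chars = mb_str_split($escaped, 1, $charset);
    for ($i = 0, $n = count($chars); $i < $n; $i++) {
        if ($chars[$i] === "\\") {
            $i++;            // a backslash escapes the character after it
            continue;
        }
        if ($chars[$i] === "'") {
            return true;     // quote with no escaping backslash in front
        }
    }
    return false;
}

// Constructed sample inputs: an ordinary ASCII name and the 0xbf27 pair
// named in the text.
$samples = ["O'Brien", "\xbf\x27"];

foreach ($samples as $input) {
    // addslashes() works on bytes: it inserts 0x5c before every 0x27 it sees.
    $escaped = addslashes($input);
    printf("input %s -> addslashes %s\n", bin2hex($input), bin2hex($escaped));

    foreach (['ISO-8859-1', 'GBK'] as $charset) {
        // Show each character of the escaped string as hex in this charset.
        $units = array_map('bin2hex', mb_str_split($escaped, 1, $charset));
        printf("  %-10s characters: %-24s unescaped quote: %s\n",
            $charset,
            implode(' ', $units),
            has_unescaped_quote($escaped, $charset) ? 'yes' : 'no');
    }
}
```

Read as single bytes, the inserted backslash stays a character of its own and escapes the quote; read as GBK, it becomes the second byte of 0xbf5c and the quote stands alone.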
Another example, for get_magic_quotes_gpc, from the PHP manual:
// Escape manually only when magic quotes have not already done so,
// so the value is never escaped twice.
if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['LastName']);
} else {
    $lastname = $_POST['LastName'];
}
It is best to still check $_POST['LastName'] when magic_quotes_gpc is already on.
Next, the difference between the two functions mysql_real_escape_string and mysql_escape_string:
mysql_real_escape_string can only be used with (PHP 4 >= 4.3.0, PHP 5); otherwise you can only use mysql_escape_string. The difference between the two is that mysql_real_escape_string takes the current character set of the connection into account, and mysql_escape_string does not.
To summarize:
* addslashes() forcibly adds \;
* mysql_real_escape_string() takes the character set into account, but requires a certain PHP version;
* mysql_escape_string() does not consider the current character set of the connection.
DZ prevents SQL injection with the addslashes function, and there is also a substitution in its dhtmlspecialchars function: $string = preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', ... This substitution solves the problem of injection, and also solves some problems with garbled Chinese text.