SQL injection Security

Source: Internet
Author: User
Tags: sql injection, attack

Briefly:

A SQL injection attack is one in which an attacker inserts SQL commands into a web form's input fields or into a page request's query string, tricking the server into executing malicious SQL.

Forms in which user-entered content is used directly to build (or influence) dynamic SQL statements, or is passed as input parameters to stored procedures, are particularly susceptible to SQL injection.

Differences between magic_quotes_gpc, addslashes() and addcslashes():

1. Condition: magic_quotes_gpc=off

The string written to the database is not processed by any filter. The string read from the database is not processed either.

Data: $data = "snow''''sun"; (four consecutive single quotes between snow and sun)

Action: write the string snow''''sun to the database.

Result: the SQL statement contains an error; MySQL cannot complete the statement and nothing is written to the database.

Database save format: no data.

Output data format: no data.

2. Condition: magic_quotes_gpc=off

The string written to the database is processed with addslashes(). The string read from the database is not processed.

Data: $data = "snow''''sun"; (four consecutive single quotes between snow and sun)

Action: write the string snow''''sun to the database.

Result: the SQL statement executes successfully and the data is written to the database.

Database save format: snow''''sun (same as input)

Output data format: snow''''sun (same as input)

Description: addslashes() converts each single quote to the escape sequence \' so that the SQL statement executes successfully, but \' is not what is stored as data: the database saves snow''''sun, not the snow\'\'\'\'sun one might imagine.

Description: in case 1 above, the unprocessed single quotes caused a SQL statement error when writing to the database.

3. Condition: magic_quotes_gpc=on

The string written to the database is not processed by the script. The string read from the database is not processed either.

Data: $data = "snow''''sun"; (four consecutive single quotes between snow and sun)

Action: write the string snow''''sun to the database.

Result: the SQL statement executes successfully and the data is written to the database.

Database save format: snow''''sun (same as input)

Output data format: snow''''sun (same as input)

Description: with magic_quotes_gpc=on, each single quote is converted to the escape sequence \' so that the SQL statement executes successfully, but \' does not go into the database as data: the database saves snow''''sun, not the snow\'\'\'\'sun we imagined.

4. Condition: magic_quotes_gpc=on

The string written to the database is additionally processed with addslashes(). The string read from the database is not processed.

Data: $data = "snow''''sun"; (four consecutive single quotes between snow and sun)

Action: write the string snow''''sun to the database.

Result: the SQL statement executes successfully and the data is written to the database.

Database save format: snow\'\'\'\'sun (escape characters added)

Output data format: snow\'\'\'\'sun (escape characters added)

Description: magic_quotes_gpc=on converts each single quote to the escape sequence \' so that the SQL statement executes successfully.

addslashes() then escapes the already-escaped quotes a second time, turning each \' into \\\', so the backslash itself is written to the database as data,

and the database saves snow\'\'\'\'sun.

Summary:

1. When magic_quotes_gpc=on

We do not need to apply addslashes() to the input or stripslashes() to the output; the data is stored and displayed normally.

If you do apply addslashes() to the input in this situation, you must use stripslashes() on output to remove the extra backslashes.

2. When magic_quotes_gpc=off

The input data must be processed with addslashes(), but the output does not need stripslashes(),

because addslashes() did not write the backslashes into the database; it only let MySQL execute the SQL statement correctly.
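The four cases above can be replayed without a database. The following is an added example and not code from the original article: mysqlStoredValue() is a hypothetical helper that imitates how MySQL reads the body of a backslash-escaped single-quoted literal (it covers the four characters addslashes() touches, not MySQL's full escape syntax), simulateWrite() applies magic_quotes_gpc and/or the script's own addslashes() in the order PHP would, and the sample input is constructed.

```php
<?php
// Added example, not part of the original article: replay the four
// magic_quotes_gpc / addslashes() cases without a database.

// Hypothetical helper: imitate how MySQL reads the body of a single-quoted,
// backslash-escaped literal. A backslash makes the next character literal
// (enough for the four characters addslashes() touches: ' " \ and \0); an
// unescaped quote would end the literal early, i.e. the "SQL statement error".
function mysqlStoredValue(string $literalBody): ?string
{
    $out = '';
    $len = strlen($literalBody);
    for ($i = 0; $i < $len; $i++) {
        $c = $literalBody[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $literalBody[++$i];
            $out .= ($next === '0') ? "\0" : $next;
        } elseif ($c === "'") {
            return null;                     // unbalanced quote: malformed query
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// What ends up in the column for a given php.ini setting and script behaviour.
function simulateWrite(string $rawInput, bool $magicQuotesGpc, bool $scriptAddslashes): ?string
{
    // magic_quotes_gpc=on: PHP escapes GET/POST/cookie data before the script sees it
    $value = $magicQuotesGpc ? addslashes($rawInput) : $rawInput;
    if ($scriptAddslashes) {
        $value = addslashes($value);         // the script escapes (again)
    }
    // The query would be: INSERT INTO t (col) VALUES ('$value')
    return mysqlStoredValue($value);
}

$input = "snow''''sun";                      // constructed: four quotes between snow and sun
$cases = [
    '1. gpc=off, no addslashes()' => [false, false],
    '2. gpc=off, addslashes()'    => [false, true],
    '3. gpc=on,  no addslashes()' => [true,  false],
    '4. gpc=on,  addslashes()'    => [true,  true],
];
foreach ($cases as $label => [$gpc, $add]) {
    $stored = simulateWrite($input, $gpc, $add);
    printf("%-30s -> %s\n", $label,
        $stored === null ? 'SQL error, nothing stored' : "stored as: $stored");
}
```

Run with `php` on the command line. Case 1 yields the malformed-query branch, cases 2 and 3 store snow''''sun, and case 4 stores snow\'\'\'\'sun, which is the doubled escaping that makes stripslashes() necessary on output.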

Addendum:

The scope of magic_quotes_gpc is data coming from the web client to the server (GET, POST and cookie values); it acts when the request starts, i.e. as the script begins to run.

The scope of magic_quotes_runtime is data read from a file, returned by exec(), or fetched from a SQL query; it acts every time the script accesses data generated at run time.

In addition:

addslashes() adds a backslash escape before certain characters in a string; it escapes only four characters: the single quote ('), the double quote ("), the backslash (\) and NUL (\0).

addcslashes() also adds escapes to a string, but the characters to escape must be given in its second argument; that argument is awkward to use, so we skip it here.

stripslashes() is the inverse of addslashes(): it removes the escapes from the four characters that addslashes() escapes.

Likewise, stripcslashes() is the inverse of addcslashes().

quotemeta() escapes 11 specific characters: . \ + * ? [ ^ ] $ ( ). It appears to be intended for regular expressions.

echo addslashes("' \" \\");
// Output: \' \" \\

echo addcslashes("zoo['.']", 'zo');
// Output: \z\o\o['.']

echo addcslashes("z\"oo['.']", '\'"');
// Output: z\"oo[\'.\']

echo addcslashes('foo[ ]', 'A..z');
// Output: \f\o\o\[ \]   (the A..z range also covers [ \ ] ^ _ ` and lowercase letters)

echo stripslashes(addslashes("' \" \\"));
// Output: ' " \

echo stripcslashes(addcslashes("z\"oo['.']", '\'"'));
// Output: z"oo['.']

echo quotemeta(". \\ + * ?");
// Output: \. \\ \+ \* \?

Addendum:

get_magic_quotes_gpc

Gets the value of the PHP configuration setting magic_quotes_gpc.

Syntax: long get_magic_quotes_gpc(void);

Return value: 0 means the feature is off;

1 means the feature is on.

When magic_quotes_gpc is on, every ' (single quote), " (double quote), \ (backslash) and NUL character is automatically converted to an escape sequence with a leading backslash.

Solution: check the type of the values the user submits.

As we saw in the discussion above, the main source of SQL injection is usually unexpected form input.

However, when you give users the opportunity to submit values through a form, you are in a good position to decide what kind of input you expect, which makes it easier to check the validity of that input.

We discussed this kind of validation in earlier articles, so here we only summarize the points made there.

If you expect a number, you can use one of the following techniques to make sure you really get a number:

· Use the is_int() function (or is_integer() or is_long()).

· Use the gettype() function.

· Use the intval() function.

· Use the settype() function.

To check the length of user input, use the strlen() function.

To check that a time or date is valid, use the strtotime() function. It is almost always worth making sure that user input does not contain a semicolon (unless punctuation can legitimately be included).

You can easily do this with the strpos() function, as follows (strpos() returns false when the character is absent and 0 when it is the very first character, so the result must be compared against false):

if (strpos($variety, ';') !== false) exit("$variety is an invalid value for variety!");

As mentioned earlier, as long as you carefully analyze what you expect from user input, you should be able to easily catch many of the problems in it.
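The checks listed above, collected into one validation function. This is an added example, not code from the original article: validateOrder(), its field names and the sample submissions are constructed. Form values arrive as strings, so is_int('3') is false for real input; the example therefore uses filter_var() with FILTER_VALIDATE_INT (a standard PHP function not mentioned on the page) for the number check.

```php
<?php
// Added example, not from the original article: the type, length, semicolon
// and date checks described above, applied to constructed form submissions.
// Field names and sample values are made up for the demonstration.

function validateOrder(array $input): array
{
    $errors = [];

    // Number check. $_GET/$_POST values are strings, so is_int('3') is false;
    // FILTER_VALIDATE_INT accepts '3' and rejects '3.5', 'three' or '3 apples'.
    $qty = filter_var($input['quantity'] ?? '', FILTER_VALIDATE_INT);
    if ($qty === false || $qty < 1) {
        $errors[] = 'quantity must be a positive integer';
    }

    // Length check with strlen().
    $variety = (string)($input['variety'] ?? '');
    $len = strlen($variety);
    if ($len === 0 || $len > 40) {
        $errors[] = 'variety must be between 1 and 40 characters';
    }

    // Semicolon check. strpos() returns 0 when ';' is the first character and
    // false when it is absent, so the comparison must be against false.
    if (strpos($variety, ';') !== false) {
        $errors[] = "$variety is an invalid value for variety";
    }

    // Date check: strtotime() returns false for anything it cannot parse.
    if (strtotime((string)($input['delivery'] ?? '')) === false) {
        $errors[] = 'delivery is not a valid date';
    }

    return $errors;
}

// Constructed submissions: one clean, one in which every check fails.
$good = ['quantity' => '3', 'variety' => 'Granny Smith', 'delivery' => '2024-05-01'];
$bad  = ['quantity' => 'three', 'variety' => ';Granny Smith', 'delivery' => 'someday'];

foreach (['good' => $good, 'bad' => $bad] as $name => $submission) {
    $errors = validateOrder($submission);
    echo $name, ': ', $errors ? implode('; ', $errors) : 'ok', "\n";
}
```

The second submission places the semicolon at position 0 on purpose: a bare `if (strpos(...))` would treat that 0 as false and let the value through, which is why the comparison is written as `!== false`.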

Filter every suspicious character out of your query.

Although we discussed how to filter out dangerous characters in previous articles, let us briefly emphasize and summarize the question again:

· Do not rely on the magic_quotes_gpc directive or the addslashes() function that works "behind the scenes" for it; it constrains application development and requires an additional step, stripslashes(), on output.

· By contrast, the mysql_real_escape_string() function is more general, but it has drawbacks of its own.

mysql_real_escape_string() escapes the special characters in a string that is to be used in an SQL statement, taking into account the current character set of the connection.

Differences:

addslashes() escapes unconditionally;

mysql_real_escape_string() takes the character set into account, but requires a sufficiently recent PHP version;

mysql_escape_string() does not take the current character set of the connection into account.
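The article's escaping functions all work by rewriting the SQL text, which is why the character set and the magic_quotes setting matter. The alternative that avoids both concerns is to keep the value out of the SQL text entirely with a prepared statement. The following is an added example, not code from the original article: it uses PDO with an in-memory SQLite database so it runs without a MySQL server (it needs the pdo_sqlite extension; the same PDO calls work against MySQL), and the table name, function names and sample inputs are constructed.

```php
<?php
// Added example, not from the original article: store the article's test
// string with a prepared statement instead of addslashes() or
// mysql_real_escape_string(). PDO + in-memory SQLite keeps it self-contained.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// The value travels as a bound parameter, never as part of the SQL text, so
// quotes and backslashes in it are plain data regardless of the connection
// character set or any magic_quotes setting.
function saveNote(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int)$db->lastInsertId();
}

function loadNote(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

$db = makeDb();
// Constructed inputs: the article's four-quote string and one with backslashes.
$samples = ["snow''''sun", "C:\\path\\it's"];
foreach ($samples as $input) {
    $id = saveNote($db, $input);
    $stored = loadNote($db, $id);
    printf("%-16s -> %-16s %s\n", $input, $stored,
        $stored === $input ? '(round-trips unchanged)' : '(MISMATCH)');
}
```

No addslashes() on the way in and no stripslashes() on the way out: what is read back is byte-for-byte what was submitted, so the four-case table above does not arise.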
