Preventing injection: a statement syntax problem after escaping the whole SQL query statement with addslashes

Source: Internet
Author: User
"A PHP + MySQL project"
There is a user, username is admin, password is admin.
The query statements are:

$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";

Then query:

$res=mysql_query($sql); // ... (omitted)

To prevent SQL injection, I wanted to escape before running the SQL query, so I applied addslashes to the $sql statement, but it went wrong.

$sql=addslashes($sql);
$res=mysql_query($sql);

Before the escaping line was added, I could log in with admin, admin.
After adding it, logging in with admin, admin triggers the following error. Could the experts tell me how to fix it?

错误编号:1064错误内容:You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to use near '\'admin\' and a_password=\'21232f297a57a5a743894a0e4a801fc3\'' at line 1

Thanks a lot!

Reply content:

Young man, PDO is king. mysqli is OK too.

$db = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8','root','rootpass');
$stm = $db->prepare("select * from test where field = :value");
$stm->bindValue(':value',$_GET['field'],PDO::PARAM_STR);
$stm->execute();
$rows = $stm->fetchAll(PDO::FETCH_ASSOC);
var_dump($rows);

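If not, mysqli will do.

$db = new mysqli('127.0.0.1','root','rootpass','database_name');
$stmt = $db->prepare("select * from test where field = ?");
$stmt->bind_param('s',$_GET['field']);
$stmt->execute();
// mysqli_stmt::fetch() only returns a bool, so read the rows from the
// result set instead (get_result() requires the mysqlnd driver)
$result = $stmt->get_result();
$rows = array();
while ($row = $result->fetch_assoc()) array_push($rows,$row);
var_dump($rows);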

If your application uses only prepared statements, you can be sure that SQL injection will not occur.
------ PHP Manual, Prepared Statements

Give up mysql_query and use PDO. I also recommend not using addslashes; mysqli and PDO have ready-made escape methods.

$username = 'aaa';
$password = 'bbb';
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";
echo addslashes($sql);

select * from table_project where a_username=\'aaa\' and a_password=\'bbb\';

The single quotation marks used to wrap the strings are escaped, so of course there is an error.

It is also recommended to use PDO

All right, I'm a newbie.
I escaped the username variable instead of the entire SQL statement, and then it worked.

$username=addslashes($username);
$password=md5($password);
$sql="select * from table_project where...;";

The password is converted with MD5, the username is escaped with addslashes, and then both are put into the SQL query; it seems that this works.
I don't know whether projects in general handle it the same way?

$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);
$sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";

Use PDO with parameterized queries, and do not build the query by concatenating strings. Note that using PDO requires that the extension first be enabled in php.ini.

You cannot escape the entire SQL statement, only the variables that need to be escaped.

    $username=addslashes($username);
    $sql="select * from table_project where a_username='{$username}' and a_password='{$password}';";

The addslashes() function adds a backslash before each of the predefined characters.
These predefined characters are:
Single quotation mark (')
Double quotation mark (")
Backslash (\)
NULL
The point of adding \ is that MySQL treats it as part of a string.

You must not apply it to $sql. If you addslashes the entire $sql, you can print out your SQL statement and see that it is definitely not correct.
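
The parameterized-query advice from the replies applied to the question's login query, next to the whole-statement addslashes failure, as an added example (not code from the thread). It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; the login() and whole_statement_escaped() helpers and the sample row are constructed for illustration.

```php
<?php
// Assumption: in-memory SQLite stands in for the MySQL database of the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample row mirroring the question: user admin, MD5 of "admin".
$db->exec("CREATE TABLE table_project (a_username TEXT, a_password TEXT)");
$db->exec("INSERT INTO table_project VALUES ('admin', '" . md5('admin') . "')");

// Parameterized login check: the SQL text is fixed and the values are bound
// separately, so quotes inside a value can never change the statement.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM table_project WHERE a_username = :u AND a_password = :p'
    );
    // md5() is kept only to match the question's schema.
    $stmt->execute([':u' => $username, ':p' => md5($password)]);
    return $stmt->fetchColumn() !== false;
}

// What the question did: escape the whole statement, so the quotes that
// delimit the string literal are escaped too and the SQL no longer parses.
function whole_statement_escaped(PDO $db, string $username): string
{
    $sql = addslashes("SELECT 1 FROM table_project WHERE a_username='{$username}'");
    try {
        $db->query($sql);
        return 'ok: ' . $sql;
    } catch (PDOException $e) {
        return 'syntax error: ' . $sql;
    }
}

var_dump(login($db, 'admin', 'admin'));   // valid credentials
var_dump(login($db, "adm'in", 'admin'));  // quote in the value is plain data
var_dump(login($db, 'admin', 'wrong'));   // wrong password
echo whole_statement_escaped($db, 'admin'), "\n";
```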
