Go PHP prevents SQL injection attacks

If the user's input is inserted into the SQL query without modification, the application will be susceptible to SQL injection, as follows:

$unsafe _variable = $_post[' user_input ');

mysql_query (' INSERT into ' table ' (' column ') VALUES (' $unsafe _variable ') ');

This is because the user is able to input like value '); DROP the code such as TABLE table;--, and the query becomes:

INSERT into ' table ' (' column ') VALUES (' value '); DROP TABLE table;--')

How can we prevent such a situation from happening?

The highest support rate answered:

use preprocessing statements to parameterize a query. These are SQL statements that are sent and parsed by the database server independently of any parameters. This approach has made it impossible for an attacker to inject malicious code.

You basically have two choices to achieve:

1. Using PDO:

$stmt = $pdo->prepare (' SELECT * FROM employees WHERE name =: Name ');

$stmt->execute (Array (' name ' = $name));

foreach ($stmt as $row) {

Do something with $row

}

2. Use mysqli:

$stmt = $dbConnection->prepare (' SELECT * FROM employees WHERE name =? ');

$stmt->bind_param (' s ', $name);

$stmt->execute ();

$result = $stmt->get_result ();

while ($row = $result->fetch_assoc ()) {

Do something with $row

}

Pdo

Note that when using PDO to access the MySQL database,by default, no use of theA true preprocessing statement. To solve this problem you must simulate the pre-processing statement of Jin Yong. An example of creating a link using PDO is as follows:

$dbConnection = new PDO (' Mysql:dbname=dbtest;host=127.0.0.1;charset=utf8 ', ' user ',
' Pass ');

$dbConnection->setattribute (Pdo::attr_emulate_prepares, false);

$dbConnection->setattribute (Pdo::attr_errmode, pdo::errmode_exception);

The error pattern in the above example is not strictly required, butIt's recommended to add it。 Such a script will not terminate with a fatal error in the event of an error, and he also gives the developer the opportunity to catch any error that the PDO exception throws.

The first line of setattribute () isMandatory, which tells PDO to disable the impersonation preprocessing statement and use the true preprocessing statement. This ensures that statements and values are not parsed by PHP until they are sent to the MySQL server (without the opportunity to inject malicious SQL into potential attackers).

Although you can set the character set in the options for the constructor, be aware that older versions of PHP (less than 5.3.6) automatically ignore character set parameters in the DSN.

Explain

The above code will let you pass the SQL statement passed to prepare to be parsed and compiled by the database server. You tell the database engine which parts to filter by specifying a parameter (which can be a question mark or a named parameter in the example above: name). Then you call execution, and the preprocessing statement and the parameter values you specify are combined.

It is important here that the parameter value is combined with the compiled statement, not with the SQL string. SQL injection is implemented by tricking the script with malicious strings when it creates SQL to send to the database. So by sending the actual SQL that is independent of the parameters, you limit the risk of things you don't want to happen. Any parameters that you send using a preprocessing statement are treated as strings only (although the database engine might do some optimizations, and then the parameters could become numbers). In the above example, if the $name variable contains ' Sarah ';D elete from Employees The result is just a search for the string "' Sarah ';D elete from Employees", you won't get an empty table.

Another benefit of using preprocessing statements is that if you execute the same statement multiple times in the same session, it will only be parsed and compiled once, which will give you some speed benefits. Now that you've asked how to insert, here's an example of using PDO:

$preparedStatement = $db->prepare (' INSERT into table (column)
VALUES (: Column) ');

$preparedStatement->execute (Array (' column ' = $unsafeValue));

Original: http://www.php100.com/html/it/focus/2014/1020/7539.html

Go PHP prevents SQL injection attacks