1. form data
Displays the form data.
2. form data captured by php
A \ has been automatically added.
3. mysql data (the bottom row)
Not written to mysql.
4. I suspect that the mysql software has hidden it. Go to the command line to check:
No \.
According to the official statement
http://www.php.net/manual/zh/function.addslashes.php
An example use of addslashes() is when you are entering data into a database. For example, to insert the name O'Reilly into a database you will need to escape it. It is highly recommended to use the DBMS-specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you use does not have an escape function and uses \ to escape special characters, you can use this function. This is only to get the data into the database; the extra \ will not be inserted. Having the PHP directive magic_quotes_sybase set to on means that ' is instead escaped with another '.
Questions:
1. What is the mechanism by which the addslashes() function prevents injection?
2. When is stripslashes() used?
3. Is it better to directly use htmlspecialchars() to escape the data submitted in the form and store that in the database?
4. What is the right way to prevent SQL injection?
Reply content:
As the documentation says, addslashes adds a slash before the quotation marks in the parameter. Also, in the data you print, there is a slash before the quote. But there should be no slashes in the database!
How addslashes prevents injection: it prevents the SQL injection that happens when input parameters are applied directly to the SQL. For example, $sql = "SELECT * FROM user WHERE id = '$id'"; if the $id parameter has been deliberately manipulated into 1' OR '1 = 1', isn't that SQL injection? If you use addslashes to add a slash, the quotation marks in $id are converted and no broken SQL is generated. However, this does not affect data writing, because the slashes are converted back when the data is actually inserted or updated.
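An added example (mine, not part of the answer above) that walks through what the answer describes. It assumes the payload 1' OR '1'='1, the usual form of the value the answer writes as 1' OR '1 = 1', and a query that places the value inside single quotes; it also shows why stripslashes() existed (undoing magic_quotes_gpc, which was removed in PHP 5.4) and the one case addslashes() cannot help with.

```php
<?php
// Added example, not code from the original post or from the PHP manual.
// Shows what addslashes() does to an injection payload and why it only
// helps when the value sits between quotes in the SQL text.

function build_query(string $id, bool $escape): string {
    // Same shape as the answer's query: the value is placed inside single quotes.
    $value = $escape ? addslashes($id) : $id;
    return "SELECT * FROM user WHERE id = '$value'";
}

$payload = "1' OR '1'='1";   // constructed injection payload (assumption)

echo build_query($payload, false), "\n";
// SELECT * FROM user WHERE id = '1' OR '1'='1'
// The quote in the payload closes the literal early; OR '1'='1' is now SQL.

echo build_query($payload, true), "\n";
// SELECT * FROM user WHERE id = '1\' OR \'1\'=\'1'
// To MySQL, \' is a literal quote character, so the whole payload is one
// string compared against the id column. Nothing is injected.

// MySQL removes the backslashes when it parses the literal, which is why the
// stored row holds 1' OR '1'='1 with no slashes (the "No \" seen in the
// question). stripslashes() does the same removal in PHP; its historical use
// was to undo the escaping that magic_quotes_gpc (removed in PHP 5.4) had
// already applied to $_GET/$_POST, so the data was not escaped twice.
var_dump(stripslashes(addslashes($payload)) === $payload);  // bool(true)

// Caveat: addslashes() only protects a value that sits between quotes. If the
// query is written as WHERE id = $id with no quotes, a payload that contains
// no quote, backslash or NUL characters is passed through unchanged and still
// rewrites the query. Prepared statements do not have this problem.
$numeric_payload = "1 OR 1=1";   // constructed payload (assumption)
echo "SELECT * FROM user WHERE id = " . addslashes($numeric_payload), "\n";
// SELECT * FROM user WHERE id = 1 OR 1=1
```

Two further caveats for anyone relying on addslashes() with MySQL: if the server runs with sql_mode NO_BACKSLASH_ESCAPES, the backslash is not an escape character and the escaping above does nothing; and addslashes() knows nothing about the connection character set, which is why the manual points you to mysqli_real_escape_string() instead.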
Defending against SQL injection (input to the database):
PDO bindParam or mysqli_stmt_bind_param: avoids SQL injection.
addslashes: escapes single quotes, double quotes, backslashes and NUL with a backslash, which avoids SQL injection to some extent.
mysqli_real_escape_string: escapes special characters for use in an SQL statement.
With bind_param you do not need addslashes, mysqli_real_escape_string, magic_quotes_gpc or similar functions.
For example:

PDO MySQL:

// Method 1 (question-mark placeholders)
$stmt = $db->prepare('UPDATE posts SET post_title = ?, post_content = ? WHERE id = ?');
$stmt->execute(array($title, $content, $id)); // all values are bound as PDO::PARAM_STR

// Method 2 (named placeholders)
$stmt = $db->prepare('UPDATE posts SET post_title = :title, post_content = :content WHERE id = :id');
$stmt->execute(array(':title' => $title, ':content' => $content, ':id' => $id)); // all values are bound as PDO::PARAM_STR

// Method 3
$stmt = $db->prepare('UPDATE posts SET post_title = ?, post_content = ? WHERE id = ?');
$stmt->bindParam(1, $title, PDO::PARAM_STR);
$stmt->bindParam(2, $content, PDO::PARAM_STR);
$stmt->bindParam(3, $id, PDO::PARAM_INT);
$stmt->execute();

// Method 4
$stmt = $db->prepare('UPDATE posts SET post_title = :title, post_content = :content WHERE id = :id');
$stmt->bindParam(':title', $title, PDO::PARAM_STR);
$stmt->bindParam(':content', $content, PDO::PARAM_STR);
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();

MySQLi:

// MySQLi needs only one bind_param call, which is simpler than PDO, but MySQLi does not support named placeholders.
$stmt = $mysqli->prepare('UPDATE posts SET post_title = ?, post_content = ? WHERE id = ?');
$stmt->bind_param('ssi', $title, $content, $id);
$stmt->execute();
htmlspecialchars is used to defend against XSS when HTML is output, which is a different problem from SQL injection.
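An added, runnable example (mine, not part of the answer above) that ties the two points of the answer together: a bound parameter carrying an injection payload is stored as plain data, and htmlspecialchars() is applied only when the stored value is output as HTML, which answers question 3. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the prepare/bindParam calls are the same ones used against MySQL. The table, the payloads and the variable names are assumptions for the example.

```php
<?php
// Added example, not code from the original post. PDO + in-memory SQLite so it
// runs offline; swap the DSN for mysql:host=...;dbname=...;charset=utf8mb4
// to run it against MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)');
$db->exec("INSERT INTO posts (id, post_title, post_content) VALUES (1, 'old title', 'old content')");

// Constructed hostile input: an SQL payload and an HTML payload, exactly as a
// user might type them into the form.
$title   = "1' OR '1'='1";
$content = '<script>alert(1)</script>';
$id      = 1;

// Bound parameters never become part of the SQL text, so there is no
// addslashes(), no mysqli_real_escape_string() and no magic quotes involved.
$stmt = $db->prepare('UPDATE posts SET post_title = :title, post_content = :content WHERE id = :id');
$stmt->bindParam(':title', $title, PDO::PARAM_STR);
$stmt->bindParam(':content', $content, PDO::PARAM_STR);
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// Read the row back: the database holds the raw strings, quotes and tags
// included, with no slashes and no HTML entities.
$row = $db->query('SELECT post_title, post_content FROM posts WHERE id = 1')
          ->fetch(PDO::FETCH_ASSOC);
var_dump($row['post_title'] === $title);     // bool(true)
var_dump($row['post_content'] === $content); // bool(true)

// Escape at the moment of HTML output, not before storing. Storing the
// htmlspecialchars() result would corrupt the data for every non-HTML use
// (JSON, e-mail, CSV, search) and does nothing against SQL injection anyway.
printf("<h1>%s</h1>\n<p>%s</p>\n",
    htmlspecialchars($row['post_title'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($row['post_content'], ENT_QUOTES, 'UTF-8'));
// <h1>1&#039; OR &#039;1&#039;=&#039;1</h1>
// <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
```

One practical note for the MySQL case: PDO's MySQL driver emulates prepared statements by default (it escapes client-side and sends a complete query), which is still safe as long as the connection character set is declared in the DSN (charset=utf8mb4) so the escaping matches what the server expects; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use real server-side prepares instead.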