First determine whether an injection vulnerability exists and how it works. Anti-injection code is, in the end, always some combination of the same few measures applied to your own program code, so what matters is understanding the principle: why these particular characters are filtered and what harm each of them can do.
Take a SQL statement such as: SELECT * FROM phpben WHERE id = 1
1. MySQL injection statements
(1) Logging in without a valid user name or password
Normal statement:
    $sql = "SELECT * FROM phpben WHERE user_name='admin' AND pwd='123'";
Enter ' or '=' or ' or 1='1 in the user name box, and the SQL becomes:
    $sql = "SELECT * FROM phpben WHERE user_name='' or ''='' AND pwd=''";
    $sql = "SELECT * FROM phpben WHERE user_name='' or 1='1' AND pwd=''";
(2) Logging in as a known user without entering the password
Normal statement:
    $sql = "SELECT * FROM phpben WHERE user_name='$username' AND pwd='$pwd'";
With the user name benwin, enter benwin' # in the user name box and anything (or nothing) as the password; $sql becomes:
    $sql = "SELECT * FROM phpben WHERE user_name='benwin' #' AND pwd='$pwd'";
This works because "#" is one of MySQL's comment markers: everything after it in the statement above is a comment, so the password check disappears and any password, or no password at all, is accepted. Some people online suggest "/*" for this. The author would point out that "/*" only opens a comment; if it is not closed with "*/", MySQL raises an error. That is not to say "/* */" cannot be used as a comment, but it is difficult to get the closing "*/" appended. "--" also starts a MySQL comment, but only when "--" is followed by at least one space. Anti-injection code therefore has to take all three forms into account; it is worth noting that a lot of anti-injection code does not include "--" in what it filters.
(3) Guessing a user's password
Normal statement:
    $sql = "SELECT * FROM phpben.com WHERE user_name='$username' AND pwd='$pwd'";
Enter benwin' and left(pwd,1)='p' # in the user name box, and $sql becomes:
    $sql = "SELECT * FROM phpben.com WHERE user_name='benwin' and left(pwd,1)='p' #' AND pwd='$pwd'";
If the query still returns the user, the first character of the password is "p".
(4) Inserting data to gain privileges
Normal statement, privilege level 1:
    $sql = "INSERT INTO phpben.com (`user_name`, `pwd`, `level`) VALUES ('benwin', 'iampwd', 1)";
Changing the password string to iampwd', 5) # (or the "--" form) turns the statement into:
    $sql = "INSERT INTO phpben.com (`user_name`, `pwd`, `level`) VALUES ('benwin', 'iampwd', 5) #', 1)";
    $sql = "INSERT INTO phpben.com (`user_name`, `pwd`, `level`) VALUES ('benwin', 'iampwd', 5)-- ', 1)";
In this way a user who should have level 1 ends up with level 5.
(5) Malicious updates and deletions
Normal statement:
    $sql = "UPDATE phpben SET `user_name`='benwin' WHERE id=1";
After injection, with the malicious value "1 or id>0" in place of the id:
    $sql = "UPDATE phpben SET `user_name`='benwin' WHERE id=1 or id>0";
Normal statement:
    $sql = "UPDATE phpben SET `user_name`='benwin' WHERE id=1";
After injection through the user name value:
    $sql = "UPDATE phpben SET `user_name`='benwin' WHERE id>0#' WHERE id=1";
    $sql = "UPDATE phpben SET `user_name`='benwin' WHERE id>0-- ' WHERE id=1";
Every row is updated instead of the one intended; a DELETE built the same way would remove them all.
(6) Injecting SQL to guess table information
Normal statement:
    $sql = "SELECT * FROM phpben1 WHERE `user_name`='benwin'";
Guess a table name; if this runs normally, the table phpben2 exists:
    $sql = "SELECT * FROM phpben1 WHERE `user_name`='benwin' and (select count(*) from phpben2)>0#'";
Guess a table field; if this runs normally, phpben2 has a field colum1:
    $sql = "SELECT * FROM phpben1 WHERE `user_name`='benwin' and (select count(colum1) from phpben2)>0#'";
Guess a field value:
    $sql = "SELECT * FROM phpben1 WHERE `user_name`='benwin' and left(pwd,1)='p'#'";
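The login cases above all come down to one thing: the user-supplied value is pasted into the SQL text, so a quote or comment marker in it changes the statement. The following is an added example (not code from the original article) that shows the same concatenation beside its fix, a parameterised query. It uses Python's built-in sqlite3 with a constructed in-memory table standing in for the article's phpben table; since SQLite has no "#" comment, the comment-based payload uses "--", and the tautology is written as '1'='1' because SQLite does not treat 1='1' as true.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the article's phpben table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpben (id INTEGER PRIMARY KEY, user_name TEXT, pwd TEXT, level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO phpben (user_name, pwd, level) VALUES (?, ?, ?)",
        [("admin", "123", 5), ("benwin", "iampwd", 1)],
    )
    return conn


def login_vulnerable(conn, username, pwd):
    # The article's pattern: $sql = "... user_name='$username' and pwd='$pwd'".
    # The input is part of the SQL text, so quotes and comment markers are parsed as SQL.
    sql = (
        "SELECT user_name FROM phpben "
        f"WHERE user_name='{username}' AND pwd='{pwd}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, pwd):
    # Parameterised query: the values travel separately from the statement text,
    # so nothing inside them can terminate the quoted string or start a comment.
    sql = "SELECT user_name FROM phpben WHERE user_name=? AND pwd=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, pwd))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("concatenated, tautology:", login_vulnerable(db, tautology, tautology))
    print("concatenated, comment:  ", login_vulnerable(db, "benwin' --", "wrong"))
    print("parameterised, tautology:", login_safe(db, tautology, tautology))
    print("parameterised, comment:  ", login_safe(db, "benwin' --", "wrong"))
    print("parameterised, real login:", login_safe(db, "benwin", "iampwd"))
```

Running it shows the concatenated query returning every user for the tautology and returning benwin with a wrong password for the comment payload, while the parameterised query returns nothing for either and still works for the real credentials. The parameterised form is the fix to reach for before any of the filtering functions discussed in section 2.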
2. Some anti-injection functions and precautions
(1) addslashes() and stripslashes()
addslashes() puts a backslash in front of the characters ', ", \ and NUL, turning them into \', \", \\ and \0; stripslashes() does the reverse. Be careful: if php.ini has magic_quotes_gpc=On, the input has already been slashed on arrival, and calling addslashes() on it escapes it a second time. So check get_magic_quotes_gpc() before using it.
(2) mysql_escape_string() and mysql_real_escape_string()
mysql_real_escape_string() must be used wherever it is available (PHP 4 >= 4.3.0, PHP 5); on older versions only mysql_escape_string() can be used:
    // version_compare() compares version strings correctly; a plain string comparison
    // such as PHP_VERSION >= '4.3' gives the wrong answer for versions like '4.10.0'
    if (version_compare(PHP_VERSION, '4.3.0', '>=')) {
        $string = mysql_real_escape_string($string);   // escapes according to the connection's character set
    } else {
        $string = mysql_escape_string($string);
    }
(3) Character replacement and pattern matching functions
str_replace() and preg_replace() are also worth mentioning here, because they can be used to filter out or replace particular sensitive and dangerous characters.
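To make the two precautions in this section concrete, here is an added example (not code from the original article, and not PHP's own implementation) written in Python: a reimplementation of addslashes()/stripslashes() semantics as the article describes them, an escape_once() helper that models the get_magic_quotes_gpc() check, and a small pattern check covering the three MySQL comment openers the article discusses ("#", "--" followed by whitespace, and "/*"). All function names are this example's own.

```python
import re


def addslashes(s: str) -> str:
    # Reimplementation of PHP addslashes() semantics: prefix ' " \ and NUL with a backslash.
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")          # NUL is written as the two characters \0
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s: str) -> str:
    # Reverse of addslashes(): drop the backslash, turning \0 back into a real NUL.
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append("\0" if nxt == "0" else nxt)
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def escape_once(received: str, magic_quotes_gpc: bool) -> str:
    # The article's advice in code: with magic_quotes_gpc=On the request value
    # arrived already slashed, so slashing it again would double-escape it.
    return received if magic_quotes_gpc else addslashes(received)


# The three MySQL comment openers the article discusses. Note that "--" only
# counts when followed by whitespace, which is exactly the case many filters miss.
MYSQL_COMMENT = re.compile(r"#|--\s|/\*")


def contains_mysql_comment(value: str) -> bool:
    # Detection signal for input validation or log review, not a replacement for
    # parameterised queries: returns True when a comment opener appears in the value.
    return MYSQL_COMMENT.search(value) is not None


if __name__ == "__main__":
    raw = "O'Reilly"
    as_received_with_magic_quotes = addslashes(raw)   # what PHP would hand us with magic_quotes_gpc=On
    print("slashed once:  ", escape_once(as_received_with_magic_quotes, magic_quotes_gpc=True))
    print("slashed twice: ", addslashes(as_received_with_magic_quotes))
    for sample in ["benwin' #", "benwin' -- x", "a--b", "plain text"]:
        print(f"{sample!r}: comment opener present = {contains_mysql_comment(sample)}")
```

The "slashed twice" line shows the double-escaping problem the article warns about (O\\\'Reilly instead of O\'Reilly), which corrupts stored data and is why the get_magic_quotes_gpc() check comes first. The comment check treats a--b as clean because MySQL does not start a comment there, matching the article's note that "--" needs a following space.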