How to prevent SQL injection during PHP logon

Source: Internet
Author: User
Tags how to prevent sql injection
Analysis on how to prevent SQL injection during PHP login. Generally, the general programmers or novice programmers who have problems preventing SQL injection do not filter the data submitted by users, generally, the general programmers or novice programmers who have problems preventing SQL injection do not filter the data submitted by users, as a result, your database was cracked at the moment of the test. next we will briefly introduce an SQL injection method that may occur when you log on without security configuration, let's take a look.

For example, the following logon code:

If ($ l = @ mysql_connect ('localhost', 'root', '000000') or die ('database connection failed'); mysql_select_db ('test '); mysql_set_charset ('utf8'); $ SQL = 'select * from test where username = "$ username" and password = "$ password" '; $ res = mysql_query ($ SQL ); if (mysql_num_rows ($ res) {header ('Location :. /home. php ');} else {die ('incorrect input ');}

Note that the preceding SQL statement has a great security risk. if you use the following universal password and universal user name, you can easily access the page:

$sql = 'select * from test where username = "***" and password = "***" or 1 = "1"';

Obviously, the universal password for this SQL statement is: *** "or 1 =" 1

$sql = 'select * from test where username ="***" union select * from users/* and password = "***"';

The forward slash * indicates that the subsequent query is not executed. mysql supports union joint query, so all data is directly queried. Therefore, the universal user name for this SQL statement is: * ** "union select * from users /*

However, this injection only applies to SQL statements in the code. if

$sql = "select * from test where username = $username and password = $password";

The above injection should at least be useless, but the method is the same;
After using PDO, SQL injection can be completely avoided. in this era of rapid development, the framework is rampant and you do not need to worry too much about SQL injection.
Below are two functions to prevent SQL registration

/* Filter all GET variables */foreach ($ _ GET as $ get_key => $ get_var) {if (is_numeric ($ get_var )) {$ get [strtolower ($ get_key)] = get_int ($ get_var);} else {$ get [strtolower ($ get_key)] = get_str ($ get_var );}} /* filter all POST variables */foreach ($ _ POST as $ post_key => $ post_var) {if (is_numeric ($ post_var )) {$ post [strtolower ($ post_key)] = get_int ($ post_var);} else {$ post [strtolower ($ post_key)] = get_str ($ post_var );}} /* filter function * // integer filter function Number function get_int ($ number) {return intval ($ number);} // string type filter function get_str ($ string) {if (! Get_magic_quotes_gpc () {return addslashes ($ string);} return $ string ;}

In addition, some blogs will write like this.

<? Php function post_check ($ post) {if (! Get_magic_quotes_gpc () // determines whether magic_quotes_gpc is enabled {$ post = addslashes ($ post ); // filter submitted data when magic_quotes_gpc is not enabled} $ post = str_replace ("_", "\ _", $ post ); // filter '_' out $ post = str_replace ("%", "\ %", $ post ); // filter '%' out $ post = nl2br ($ post); // press enter to convert $ post = htmlspecialchars ($ post ); // Convert the html tag to return $ post;}?>

Success ,...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.