How to prevent SQL injection in PHP - PHP Tutorial

Source: Internet
Author: User
Tags: how to prevent sql injection

Describes how PHP defends against SQL injection.

Speaking of website security, you have to mention SQL injection. If you have used ASP, you must have a deep understanding of SQL injection. PHP is relatively secure, because MySQL versions earlier than 4 do not support subqueries, and because, when magic_quotes_gpc in php.ini is On, all single quotes ('), double quotes ("), backslashes (\) and NUL characters in submitted variables are automatically escaped with a backslash, which brings a lot of trouble to SQL injection.

Note the word "trouble": this does not mean that PHP prevents SQL injection. The book describes how the injection statement can be encoded to bypass the escaping, for example by converting the SQL statement into ASCII codes (in the form char(92,108,111,108,104,111,115,116...)), into hexadecimal, or into some other encoding; as a result the escape filtering is bypassed. How can we prevent it:

A. Turn on magic_quotes_gpc, or use the addslashes() function.

In newer versions of PHP there is no conflict even if magic_quotes_gpc is enabled and the addslashes() function is used as well, but for better compatibility across versions we recommend checking the magic_quotes_gpc status before calling the escape function, or simply turning magic_quotes_gpc off. The code is as follows:

PHP code for preventing SQL injection

    // Remove the escape characters added by magic_quotes_gpc, recursively
    function stripslashes_array($array) {
        if (is_array($array)) {
            foreach ($array as $k => $v) {
                $array[$k] = stripslashes_array($v);
            }
        } else if (is_string($array)) {
            $array = stripslashes($array);
        }
        return $array;
    }

    @set_magic_quotes_runtime(0);

    // Determine the magic_quotes_gpc status and undo its escaping
    if (@get_magic_quotes_gpc()) {
        $_GET    = stripslashes_array($_GET);
        $_POST   = stripslashes_array($_POST);
        $_COOKIE = stripslashes_array($_COOKIE);
    }

After the magic_quotes_gpc escaping has been stripped, apply the addslashes function yourself. The code is as follows:

PHP code for preventing SQL injection

    $keywords = addslashes($keywords);
    $keywords = str_replace("_", "\\_", $keywords); // Escape "_"
    $keywords = str_replace("%", "\\%", $keywords); // Escape "%"

The two str_replace calls that follow escape the wildcard characters "_" and "%", so that an attacker cannot turn a keyword into SQL pattern syntax for an attack.
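The following is an added example, not code from the original tutorial. It combines the two pieces of section A into one runnable script: a magic_quotes_gpc check that also works on PHP versions where the function no longer exists, and an escaping routine for a keyword that will be placed inside a LIKE pattern. The function names strip_magic_quotes, magic_quotes_active and escape_like_keyword and the sample input are assumptions made for this example. It relies on MySQL's backslash escaping of LIKE wildcards.

```php
<?php
// Added example; not the tutorial's own code.

// Undo magic_quotes_gpc escaping once, so that input is not escaped twice.
// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8, so
// the function_exists() guard keeps this compatible with old and new versions.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

function strip_magic_quotes(array $input): array
{
    $stripped = [];
    foreach ($input as $k => $v) {
        $stripped[$k] = is_array($v) ? strip_magic_quotes($v) : stripslashes((string) $v);
    }
    return $stripped;
}

// Escape a keyword for use in:  ... WHERE title LIKE '%<keyword>%'
// addslashes() covers quotes, backslashes and NUL; the LIKE wildcards "_"
// and "%" are escaped afterwards because addslashes() does not touch them.
function escape_like_keyword(string $keyword): string
{
    $keyword = addslashes($keyword);               // ' " \ and NUL
    $keyword = str_replace('_', '\\_', $keyword);  // literal underscore
    $keyword = str_replace('%', '\\%', $keyword);  // literal percent sign
    return $keyword;
}

// Constructed sample request data standing in for $_GET.
$raw   = ['keywords' => "50%_off 'sale'"];
$input = magic_quotes_active() ? strip_magic_quotes($raw) : $raw;

$keyword = escape_like_keyword($input['keywords']);
echo "SELECT * FROM article WHERE title LIKE '%" . $keyword . "%'", PHP_EOL;
```

For the constructed keyword the script prints a pattern in which the quotes are backslash-escaped and `%` and `_` are escaped as `\%` and `\_`, so they match literally instead of acting as wildcards. Note that addslashes() is not aware of the connection character set; on current PHP the database driver's own escaping (mysqli_real_escape_string) or, better, a bound parameter is the preferred replacement.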

B. Force the variable type

In many cases we use URLs of the form xxx.php?id=xxx. Here $id is normally an integer variable, and to prevent an attacker from tampering with $id and turning it into an attack statement, we should force the variable's type wherever we can. The code is as follows:

PHP code for preventing SQL injection

    $id = intval($_GET['id']);

Of course, there are other variable types; where possible, force the format of those as well.

C. Enclose variables in quotation marks in SQL statements

This is simple, but it has to become a habit. Let's look at these two SQL statements:

SQL code

    SELECT * FROM article WHERE articleid = '$id'
    SELECT * FROM article WHERE articleid = $id

Both ways of writing are common in various programs, but their security differs. The first puts the variable $id inside a pair of single quotes, so that whatever we submit becomes a string; even if it contains a correct SQL statement, that statement will not be executed. The second is different: because the variable is not inside single quotes, anything we submit that contains a space has the part after the space executed as SQL. Therefore, we need to develop the habit of putting quotation marks around the variables in SQL statements.
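The following is an added example, not part of the original tutorial, that shows the difference described in sections B and C on a real query and then goes one step further than the tutorial with a bound parameter. It uses an in-memory SQLite database through PDO (assumes the pdo_sqlite extension is loaded); the table layout, the helper count_rows and the constructed input are assumptions made for this example.

```php
<?php
// Added example; not the tutorial's own code.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (articleid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO article (articleid, title) VALUES (1, 'first'), (2, 'second'), (3, 'third')");

function count_rows(PDO $db, string $sql): int
{
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed input standing in for $_GET['id']: a value containing a space.
$id = '1 OR 1=1';

// Unquoted variable (second statement in section C): everything after the
// space becomes part of the SQL, so the WHERE clause matches every row.
$unquoted = "SELECT * FROM article WHERE articleid = $id";
echo 'unquoted : ', count_rows($db, $unquoted), ' row(s)', PHP_EOL;

// Quoted variable (first statement in section C): the whole value is compared
// as a single string, which is not equal to any articleid.
$quoted = "SELECT * FROM article WHERE articleid = '" . addslashes($id) . "'";
echo 'quoted   : ', count_rows($db, $quoted), ' row(s)', PHP_EOL;

// Forced type (section B): intval() keeps only the leading integer.
$forced = 'SELECT * FROM article WHERE articleid = ' . intval($id);
echo 'intval   : ', count_rows($db, $forced), ' row(s)', PHP_EOL;

// Bound parameter: the value travels separately from the SQL text, so no
// quoting or escaping in string form is needed at all.
$stmt = $db->prepare('SELECT * FROM article WHERE articleid = :id');
$stmt->bindValue(':id', intval($id), PDO::PARAM_INT);
$stmt->execute();
echo 'prepared : ', count($stmt->fetchAll(PDO::FETCH_ASSOC)), ' row(s)', PHP_EOL;
```

Run as written, the unquoted query returns all three rows, the quoted query returns none, and the intval and prepared-statement queries return exactly the article with id 1. The last form is the one to standardise on: quoting and type forcing narrow the attack surface, while a bound parameter removes the string concatenation that causes the problem.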

D. Pseudo-static URLs

A pseudo-static URL, that is, URL rewriting, is what Discuz! does: all URLs are rewritten into the xxx-xxx-x.html format, which is good for SEO and also provides a certain amount of security, so it is a good approach too. However, to prevent SQL injection in PHP this way, you must rely on a regular expression.
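The following is an added example, not the tutorial's or Discuz!'s code, of the regular-expression check behind a pseudo-static URL. The URL layout /article-view-42.html, the function name route_article and the sample paths are assumptions made for this example; the point is that the pattern admits only digits for the id, so the value that reaches the SQL layer is already an integer.

```php
<?php
// Added example; not the tutorial's own code.

// Map a rewritten path such as /article-view-42.html to an article id.
// Returns null for anything that does not match the expected layout exactly.
function route_article(string $path): ?int
{
    // Anchored pattern: two lowercase words, then 1-10 digits, then ".html".
    if (preg_match('#^/([a-z]+)-([a-z]+)-(\d{1,10})\.html$#', $path, $m) !== 1) {
        return null;   // rejected before any database access
    }
    if ($m[1] !== 'article' || $m[2] !== 'view') {
        return null;   // unknown controller or action
    }
    return (int) $m[3];
}

// Constructed paths: the first is valid, the others must be rejected.
$paths = [
    '/article-view-42.html',
    '/article-view-42 OR 1=1.html',
    '/article-view-42.html/../admin',
];
foreach ($paths as $p) {
    $id = route_article($p);
    echo $p, ' => ', $id === null ? 'rejected' : "article id $id", PHP_EOL;
}
```

The same digit-only constraint belongs in the web server rule that performs the rewrite, for example an Apache rule of the form `RewriteRule ^article-view-(\d+)\.html$ article.php?id=$1 [L]`, so that a non-numeric id never produces a request to the script in the first place.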

