How to Prevent php SQL injection attacks

How to Prevent php SQL injection attacks? In my opinion, the most important thing is to check and escape data types. The following rules are summarized:

1. The display_errors option in PHP. ini should be set to display_errors = off. In this way, PHP scripts do not output errors on web pages, so that attackers can analyze the information.
2. When calling MySQL functions such as mysql_query, add @, that is, @ mysql_query (...), so that MySQL errors will not be output.. Similarly, attackers may not analyze useful information. In addition, some programmers are used to output errors and SQL statements when mysql_query errors during development, such:

   $ T_strsql = "select a from B..."; if (mysql_query ($ t_strsql) {// correct processing} else {echo "error! SQL statement: $ t_strsql \ r \ n error message ". mysql_query (); exit ;}

   This approach is quite dangerous and stupid. To do this, you 'd better set a global variable or define a macro in the website configuration file and set the debug flag:

   In the global configuration file: Define ("debug_mode", 0); // 1: debug mode; 0: Release mode // In the call script: $ t_strsql = "select a from B .... "; if (mysql_query ($ t_strsql) {// correct processing} else {If (debug_mode) echo" error! SQL statement: $ t_strsql \ r \ n error message ". mysql_query (); exit ;}

3. Run the convert and type checks on the submitted SQL statements..

4. I wrote a security parameter to obtain the function.

To prevent incorrect data and PHP + MySQL injection, I wrote a function papi_getsafeparam () to obtain the safe parameter values:

define("XH_PARAM_INT",0);define("XH_PARAM_TXT",1);function PAPI_GetSafeParam($pi_strName, $pi_Def = "", $pi_iType = XH_PARAM_TXT){  if ( isset($_GET[$pi_strName]) )     $t_Val = trim($_GET[$pi_strName]);  else if ( isset($_POST[$pi_strName]))    $t_Val = trim($_POST[$pi_strName]);  else     return $pi_Def;  // INT  if ( XH_PARAM_INT == $pi_iType)  {    if (is_numeric($t_Val))      return $t_Val;    else      return $pi_Def;  }    // String  $t_Val = str_replace("&", "&amp;",$t_Val);   $t_Val = str_replace("<", "&lt;",$t_Val);  $t_Val = str_replace(">", "&gt;",$t_Val);  if ( get_magic_quotes_gpc() )  {    $t_Val = str_replace("\\\"", "&quot;",$t_Val);    $t_Val = str_replace("\\''", "&#039;",$t_Val);  }  else  {    $t_Val = str_replace("\"", "&quot;",$t_Val);    $t_Val = str_replace("'", "&#039;",$t_Val);  }  return $t_Val;}

In this function, there are three parameters:

$ Pi_strname: variable name $ pi_def: default value $ pi_itype: data type. The optional values are xh_param_int and xh_param_txt, which indicate the numeric type and the text type respectively.

If the request is numeric, call is_numeric () to determine whether the request is Numeric. If not, return the default value specified by the program.

For simplicity, for text strings, I escape all the dangerous characters (including HTML code) entered by the user. Due to the vulnerability in PHP function addslashes (), I replaced it directly with str_replace. The get_magic_quotes_gpc () function is a PHP function used to determine whether the magic_quotes_gpc option is enabled.

 

The sample code in Section 2 can be called as follows:

<? If (isset ($ _ post ["f_login"]) {// connect to the database... //... code omitted... // check whether the user has $ t_struid = papi_getsafeparam ("f_uid", 0, xh_param_int); $ t_strpwd = papi_getsafeparam ("f_pwd", "", xh_param_txt ); $ t_strsql = "select * From tbl_users where uid = $ t_struid and Password = '$ t_strpwd 'limit 0, 1"; if ($ t_hres = mysql_query ($ t_strsql )) {// processing after successful query. ...}?>

In this way, it is quite safe. Papi_getsafeparam code is a little long, but at the cost of efficiency, it is worthwhile to ensure security. I hope you will give more criticism. :)