Introduction to mysql SQL anti-injection and anti-injection instances

The principles of SQL injection and the Measures to Prevent SQL Injection finally provide a php instance to show you how to prevent mysql injection and some common solutions in the future.

Next we will write an introduction to SQL anti-injection and anti-injection instances in the mysql tutorial based on my programming experience.

Introduction to SQL anti-injection:

SQL query is a text language used for data interaction with users. SQL uses external interfaces to send data submitted by users to the mysql database tutorial server for processing. Without strict filtering, data may be lost, such as being deleted or modified. This problem is difficult for the network administrator. They cannot be controlled by hitting the system or installing a fire prevention system ,.

Next we will look at a simple user login instance.

1. Create a user table

Create table user (

Userid (int) not null auto_increment,

Username not null default '',

Userpass not null default '',

Primary key (userid)

) Type = myisam auto_increment = 1;

The table is created successfully. Insert a record to the user table first.

Insert into 'user' values (1, 'www. bKjia. c0m', '123 ');

Login code for users now

<? Php tutorial

$ Root = 'localhost ';

$ DbName = 'root ';

$ Dbpwd = '000000 ';

$ Db = 'userdb ';

Mysql_connect ($ root, $ dbName, $ dbpwd) or die ('database connection failed ');

$ SQL = "select * from user where username = '$ username" and password =' $ pwd ';

$ Result = mysql_db_query ($ db, $ SQL );

$ Ufo = mysql_fetch_array ($ result );

If ($ ufo)

{

Echo 'login successful ';

}

Else

{

Echo 'logon failed ';

}

Now let's create an instance and provide a url to the above php processing page.

Http://www.bKjia. c0m/test/a. php? User = www. bKjia. c0m' or '1 = 1;

The result shows that this SQL statement can be successfully logged on to our system, instead of waiting for the password 12346. Let's take a look at the instance.

Http://www.bKjia. c0m/test/a. php? User = www. bKjia. c0m '/*;

Http://www.bKjia. c0m/test/a. php? User = www. bKjia. c0m' or '#;

In this way, you can log on to the system as long as the user name is correct. In the SQL statement,/* and # indicate the following SQL statements,

Okay. Based on the above problem, we have written a custom function to filter anti-injection functions for most SQL injections.

Function safesql ()

{

$ Re = "/(| '% 27 |; | (% 3d) | (% 28) | (% 29) | (/*) | (% 2f % 2a) | (% 2a % 2f) | + | (% 2b) | (<| (% 3e) | (% 3e) | (--)) | [| % 5d )/";

If (preg_match ($ re, $ username)

{

Echo 'Please do not use illegal SQL Injection ';

Exit;

}

Else

{

Return turn;

}

Summary:

The principles of SQL injection and the Measures to Prevent SQL Injection finally provide a php instance to show you how to prevent mysql injection and some common solutions in the future.

Note: The Source www. bKjia. c0m is reprinted in the original article on this site.