Introduction to mysql SQL anti-injection and anti-injection instances

Source: Internet
Author: User
Tags mysql injection

The principles of SQL injection and the Measures to Prevent SQL Injection finally provide a php instance to show you how to prevent mysql injection and some common solutions in the future.

Next we will write an introduction to SQL anti-injection and anti-injection instances in the mysql tutorial based on my programming experience.

Introduction to SQL anti-injection:

SQL query is a text language used for data interaction with users. SQL uses external interfaces to send data submitted by users to the mysql database tutorial server for processing. Without strict filtering, data may be lost, such as being deleted or modified. This problem is difficult for the network administrator. They cannot be controlled by hitting the system or installing a fire prevention system ,.

Next we will look at a simple user login instance.

1. Create a user table

Create table user (

Userid (int) not null auto_increment,

Username not null default '',

Userpass not null default '',

Primary key (userid)

) Type = myisam auto_increment = 1;

The table is created successfully. Insert a record to the user table first.

Insert into 'user' values (1, 'www. bKjia. c0m', '123 ');

Login code for users now

<? Php tutorial

$ Root = 'localhost ';

$ DbName = 'root ';

$ Dbpwd = '000000 ';

$ Db = 'userdb ';

Mysql_connect ($ root, $ dbName, $ dbpwd) or die ('database connection failed ');

$ SQL = "select * from user where username = '$ username" and password =' $ pwd ';

$ Result = mysql_db_query ($ db, $ SQL );

$ Ufo = mysql_fetch_array ($ result );

If ($ ufo)

{

Echo 'login successful ';

}

Else

{

Echo 'logon failed ';

}

Now let's create an instance and provide a url to the above php processing page.

Http://www.bKjia. c0m/test/a. php? User = www. bKjia. c0m' or '1 = 1;

The result shows that this SQL statement can be successfully logged on to our system, instead of waiting for the password 12346. Let's take a look at the instance.

Http://www.bKjia. c0m/test/a. php? User = www. bKjia. c0m '/*;

Http://www.bKjia. c0m/test/a. php? User = www. bKjia. c0m' or '#;

In this way, you can log on to the system as long as the user name is correct. In the SQL statement,/* and # indicate the following SQL statements,

Okay. Based on the above problem, we have written a custom function to filter anti-injection functions for most SQL injections.

Function safesql ()

{

$ Re = "/(| '% 27 |; | (% 3d) | (% 28) | (% 29) | (/*) | (% 2f % 2a) | (% 2a % 2f) | + | (% 2b) | (<| (% 3e) | (% 3e) | (--)) | [| % 5d )/";

If (preg_match ($ re, $ username)

{

Echo 'Please do not use illegal SQL Injection ';

Exit;

}

Else

{

Return turn;

}

Summary:

The principles of SQL injection and the Measures to Prevent SQL Injection finally provide a php instance to show you how to prevent mysql injection and some common solutions in the future.

Note: The Source www. bKjia. c0m is reprinted in the original article on this site.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.