Introduction to the principle of PHP preventing SQL injection

Of course, addslashes is also not useless, it is used for single-byte string processing, multibyte characters or use mysql_real_escape_string bar.

Open MAGIC_QUOTES_GPC to prevent SQL injection

There is a setting in php.ini: MAGIC_QUOTES_GPC = Off
This default is turned off, and if it is turned on, it will automatically convert the user to the SQL query.
For example, the ' change ' and so on to prevent SQL injection has a significant role.

If Magic_quotes_gpc=off, the addslashes () function is used

Also for examples of GET_MAGIC_QUOTES_GPC in the PHP manual:

The code is as follows	Copy Code
if (!GET_MAGIC_QUOTES_GPC ()) { $lastname = addslashes ($_post[' LastName ')); } else { $lastname = $_post[' LastName ']; }

It is better to check the $_post[' LastName ' If the MAGIC_QUOTES_GPC is already open.

Again, the difference between the 2 functions of mysql_real_escape_string and mysql_escape_string:

Mysql_real_escape_string must be available in the case of (PHP 4 >= 4.3.0, PHP 5). Otherwise, only mysql_escape_string can be used, and the difference is that mysql_real_escape_string takes into account the current character set of the connection, and Mysql_escape_string does not consider it.

(1) mysql_real_escape_string--a special character in the string used in an escape SQL statement, taking into account the current character set of the connection

Use the following methods:

The code is as follows	Copy Code
$sql = "SELECT count (*) as Ctr from users where username02.= '". Mysql_real_escape_string ($username). "' and 03.password= '. Mysql_real_escape_string ($PW). "' Limit 1";

Self-setting function

The code is as follows

Copy Code

function Inject_check ($sql _str) { Return eregi (' select|insert|and|or|update|delete| ' | /*|*|.. /|. /|union|into|load_file|outfile ', $sql _str); } function verify_id ($id =null) { if (! $id) { Exit (' No submission Parameters! '); } elseif (Inject_check ($id)) { Exit (' Submit parameter illegal! '); } elseif (!is_numeric ($id)) { Exit (' Submit parameter illegal! '); } $id = Intval ($id); return $id; } function Str_check ($STR) { if (!GET_MAGIC_QUOTES_GPC ()) { $str = Addslashes ($STR); To filter } $str = Str_replace ("_", "_", $str); $str = str_replace ("%", "%", $str); return $str; } function Post_check ($post) { if (!GET_MAGIC_QUOTES_GPC ()) { $post = Addslashes ($post); } $post = Str_replace ("_", "_", $post); $post = str_replace ("%", "%", $post); $post = NL2BR ($post); $post = Htmlspecialchars ($post); return $post; }

To sum up:

* Addslashes () is forcibly added;

The

* mysql_real_escape_string () determines the character set, but requires a PHP version; The
* Mysql_escape_string does not consider the current character set of the connection.
The prevention of SQL injection in DZ is to use the Addslashes function, while in dthmlspecialchars this function there are some substitutions $string = Preg_replace (/& A-FA-F0-9]{4});)/, &1, this substitution solves the problem of injection, but also solves some problems of garbled Chinese.