1. What is injection?
Take a simple case: when we query the database for an article, we use the article's ID number to retrieve all of its information. The SQL statement can be written like this:
The code is as follows:

    SELECT * FROM blog where id=5
The value of id comes from the user's request, typically via GET, as in read.php?id=5. This looks harmless, but suppose the SQL statement is changed only slightly:
The code is as follows:

    SELECT * from blog where id=5 or 1=1
Since 1=1 is always true, this statement returns every article. To get there, the attacker only has to change the GET value: read.php?id=5 or 1=1 (URL-encoded as 5%20or%201=1). Because the id is not quoted in the query, the payload needs no quote characters at all. The easiest way to check whether a link is injectable is therefore to append a single quote to the parameter (read.php?id=5') and see whether the page produces a database error: an unbalanced quote breaks a query that is built from the raw string. Of course it does not matter much if an unauthorized user sees all the articles, but what if the table holds account names and passwords?
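The behaviour described above, as an added example that is not part of the original article: it builds the query the same way read.php does, by pasting the raw parameter into the SQL text, and runs it against an in-memory SQLite table of constructed rows so that the effect of the "5 or 1=1" payload and of the single-quote probe can be seen offline. It assumes the pdo_sqlite extension is available; the function name is this example's own.

```php
<?php
// Added example (not from the article). Constructed sample data: three
// articles in an in-memory SQLite table. Requires pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, title TEXT)');
$insert = $db->prepare('INSERT INTO blog (id, title) VALUES (?, ?)');
foreach ([[5, 'fifth post'], [6, 'sixth post'], [7, 'seventh post']] as $row) {
    $insert->execute($row);
}

// The vulnerable pattern from the article: the raw request parameter is
// concatenated into the SQL text, so whatever it contains becomes SQL.
function read_article_vulnerable(PDO $db, string $id): array
{
    $sql = "SELECT * FROM blog WHERE id=$id";
    echo "SQL: $sql\n";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// read.php?id=5 : one row, as intended.
$rows = read_article_vulnerable($db, '5');
echo count($rows), " row(s)\n";

// read.php?id=5 or 1=1 : the WHERE clause is always true, every row comes back.
// No quote character is needed because the id is not quoted in the query.
$rows = read_article_vulnerable($db, '5 or 1=1');
echo count($rows), " row(s)\n";

// The quick probe from the text: append a single quote. The string-built
// query is now syntactically invalid and the database error is the tell.
try {
    read_article_vulnerable($db, "5'");
} catch (PDOException $e) {
    echo "database error: ", $e->getMessage(), "\n";
}
```

Run it with `php read_demo.php`; the second call prints all three rows and the third call ends in the PDOException branch.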
2. How to prevent injection?
In the end, preventing injection comes down to filtering the input. Illegal users generally construct the attack by passing values through the URL; if we filter the illegal parameters they pass in, the illegal SQL statement is never executed and the site is not injected.
PHP's built-in string filtering functions are reasonably good. First look at the specific code:
The code is as follows:

    // Escape quote characters in a value (or every value of an array) unless
    // magic quotes already did so at request time.
    function safe($s)
    {
        if (!get_magic_quotes_gpc()) {
            if (is_array($s)) {
                foreach ($s as $key => $value) {
                    $s[$key] = addslashes($value);
                }
            } else {
                $s = addslashes($s);
            }
        }
        return $s;
    }

    // Same, plus HTML escaping and newline-to-<br /> conversion for output.
    function html_safe($s)
    {
        return nl2br(htmlspecialchars(safe($s)));
    }
If you are not familiar with the built-in functions used above and do not feel like looking them up in the manual, here is a short description of each:
magic_quotes_gpc: the so-called magic quotes. When this setting is on, PHP automatically runs addslashes() over all GET, POST and COOKIE data as the request arrives, before the script sees it. get_magic_quotes_gpc() reports whether the setting is enabled on the server: if it is, the function above returns the data unchanged; if not, it applies addslashes() by hand. This avoids escaping the data twice. Caveat for current PHP: magic quotes were removed in PHP 5.4, and get_magic_quotes_gpc() itself was removed in PHP 8.0, so on PHP 8 the check must be dropped and the escaping applied unconditionally.
addslashes: quote a string with backslashes. Signature: string addslashes(string $str). Returns the string with a backslash placed before the characters that need escaping in database query strings: single quote ('), double quote ("), backslash (\) and NUL (the null byte). A typical use is when inserting data into a database. For example, to insert the name O'Reilly you need to escape the quote; most databases expect it as O\'Reilly, so the value is stored correctly and the quote does not terminate the string literal. When the PHP directive magic_quotes_sybase is set to On, the single quote is instead escaped by doubling it ('').
htmlspecialchars converts characters that are special in HTML, for example & to &amp; and < to &lt;. nl2br inserts <br /> before each newline, which is mostly useful when displaying user-entered text such as comments.
With the functions above we can already filter out simple injections. Note, though, that escaping only protects a value that is enclosed in quotes in the SQL text: addslashes() changes nothing in "5 or 1=1", so the unquoted numeric id of the first example must be validated as a number instead. On modern PHP the cleanest defence is a prepared statement (PDO or mysqli), which keeps the data out of the SQL text altogether. In addition, a few small points:
The first example can actually be improved in several ways; for instance, this form is more conventional:
The code is as follows:

    SELECT * FROM `blog` WHERE `id` = '$id'
SQL keywords are written in uppercase and table and column names in lowercase; table and column names are wrapped in backticks (`, the key to the left of 1 on the keyboard); and the incoming id is enclosed in single quotes, which is what makes the escaping from safe() effective.
Since this parameter is numeric, we could simply cast the $_GET value with (int). But I am more used to this:
The code is as follows:

    // Get the id of the article to display; multiplying by 1 forces a number.
    // On PHP 8, multiplying a non-numeric string throws a TypeError, so
    // (int) $_GET['id'] or filter_var($_GET['id'], FILTER_VALIDATE_INT)
    // is the safer form of the same check there.
    $id = $_GET['id'] * 1;
    if ($id == 0) {
        echo "ERROR ...";
        exit();
    }
If the value turns out not to be a number, the parameter is most likely being tampered with, so we print an error and exit right there, which also spares the database a query on behalf of an illegal user.
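The defences described in this section (numeric validation of the id, the quote-escaping behaviour of addslashes(), and the prepared statement recommended above as the modern replacement for both), as one added example that is not the article's own code. It runs the same "5 or 1=1" payload as before against an in-memory SQLite table of constructed rows and assumes the pdo_sqlite extension; the function names article_id, read_article and read_article_bound_only are this example's own. The magic-quotes check from the article is omitted because get_magic_quotes_gpc() no longer exists on PHP 8.

```php
<?php
// Added example (not from the article). Constructed sample data, as before.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, title TEXT)');
$insert = $db->prepare('INSERT INTO blog (id, title) VALUES (?, ?)');
foreach ([[5, 'fifth post'], [6, 'sixth post'], [7, 'seventh post']] as $row) {
    $insert->execute($row);
}

// 1. Numeric parameter: validate rather than escape. Returns null for anything
//    that is not a plain integer, which is the article's "ERROR ... exit()" case.
function article_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// 2. Validated id bound to a prepared statement: the SQL text is fixed and the
//    value travels separately, so it can never be parsed as SQL.
function read_article(PDO $db, string $raw): array
{
    $id = article_id($raw);
    if ($id === null) {
        return [];                       // reject the request before touching the database
    }
    $stmt = $db->prepare('SELECT * FROM blog WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Even with no numeric check at all, a bound value is data, never SQL: the
//    payload is compared with the id column as a string and matches nothing.
function read_article_bound_only(PDO $db, string $raw): array
{
    $stmt = $db->prepare('SELECT * FROM blog WHERE id = ?');
    $stmt->execute([$raw]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("%d row(s) for id=5\n", count(read_article($db, '5')));
printf("%d row(s) for id=5 or 1=1 (validated)\n", count(read_article($db, '5 or 1=1')));
printf("%d row(s) for id=5 or 1=1 (bound, unchecked)\n", count(read_article_bound_only($db, '5 or 1=1')));

// 4. What addslashes() does and does not do. The payload contains no quote,
//    so it passes through unchanged: escaping only helps when the value sits
//    inside quotes in the SQL text, as in the backticked query above. The
//    quote-bearing payload is escaped, which is what that quoted form relies on.
var_dump(addslashes('5 or 1=1') === '5 or 1=1');
echo addslashes("' or '1'='1"), "\n";
```

Run it with `php read_safe.php`. The first query returns one row, the other two return none, and the var_dump prints bool(true), showing why the numeric check and the prepared statement, not addslashes(), are what protect the unquoted id.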
Finally, let's look at how jblog handles this in its own code:
Line 38 of includecommon.php:
The code is as follows:

    // Escape all request input up front unless magic quotes already did.
    if (!get_magic_quotes_gpc()) {
        $_GET    = add_slashes($_GET);
        $_POST   = add_slashes($_POST);
        $_COOKIE = add_slashes($_COOKIE);
    }
Line 194 of includefunc_global.php:
The code is as follows:

    // Recursive addslashes: handles nested arrays, unlike the safe() above.
    function add_slashes($string)
    {
        if (!is_array($string)) {
            return addslashes($string);
        }
        foreach ($string as $key => $val) {
            $string[$key] = add_slashes($val);
        }
        return $string;
    }
Of course, this is only part of it; the rest should follow the same pattern.