Learn more about SQL injection methods in PHP

Source: Internet
Author: User
This article introduces some of the SQL injection methods seen in PHP. The following is the most common one, for readers who need a reference.

1. What is injection?

For example, when we query the database, we use the article ID to fetch all the information for that article. The SQL statement can then be written like this:

The code is as follows:

    SELECT * FROM blog WHERE id=5

The value of the ID is passed in by the user's action, usually with the GET method, as in read.php?id=5. This looks harmless, but suppose we change the SQL statement slightly:

The code is as follows:

    SELECT * FROM blog WHERE id=5 or 1=1

1=1 is always true, so this statement returns all the articles. To do this, you only need to change the GET value: read.php?id='5 or 1=1'; note these two single quotes... So the simplest way to see whether a link is injectable is to change the parameter to a single quotation mark. Of course, it does not matter much if an illegitimate user sees all the articles, but what if the table stores account names and passwords?

2. How to prevent injection?

In the final analysis, the root of preventing injection is filtering characters. Illegitimate users generally pass values by constructing URLs, so if we filter the illegal parameters they pass in, the illegal SQL statement will not be executed and the site is protected from injection.

PHP's built-in string-filtering functions are quite good. First, look at the specific code:

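The code is as follows:

    // Escape a string, or every value of an array, with addslashes()
    function safe($s)
    {
        if (is_array($s)) {
            foreach ($s as $key => $value) {
                $s[$key] = addslashes($value);
            }
        } else {
            $s = addslashes($s);
        }
        return $s;
    }

    // Escape a value and make it safe to display as HTML
    function html_safe($s)
    {
        return nl2br(htmlspecialchars(safe($s)));
    }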

If you are not familiar with the built-in functions used here and don't feel like looking them up in the manual, here is a brief description of each:

magic_quotes_gpc: this is called magic quotes. If this setting is turned on, addslashes() is automatically applied to all GET, POST, and COOKIE data. get_magic_quotes_gpc() is used to check whether this feature is turned on on the server: if it is on, the data is returned directly, and if it is not, the parameter is escaped manually with addslashes(). This prevents double escaping.

addslashes: quotes a string with backslashes. Signature: string addslashes(string str). Returns a string with a backslash added before the characters that need to be escaped in, for example, a database query. These characters are the single quote ('), the double quote ("), the backslash (\), and NUL (the NULL character). An example use of addslashes() is entering data into a database. For example, to insert the name O'Reilly into the database, it needs to be escaped. Most databases use \ as the escape character: O\'Reilly. This gets the data into the database without the extra \ being inserted. When the PHP directive magic_quotes_sybase is set to on, ' is escaped with another ' instead.

Next, htmlspecialchars converts the special characters in HTML, such as '&' to '&amp;' and '<' to '&lt;'. nl2br converts line breaks to <br />, which is used often when users enter information such as comments.

With the functions above, we can already filter out some simple injections. A few smaller points are also worth mentioning:

The first example can actually be improved in several ways. For instance, written like this it looks more standard:

The code is as follows:

    SELECT * FROM `blog` WHERE `id` = '$id'

We use uppercase for SQL keywords and lowercase for the tables and fields in the database, put the "`" symbol (the key to the left of the number 1 on the keyboard) around the field and table names, and enclose the incoming ID in single quotation marks.

When the incoming parameter is a numeric type like this, we can cast the $_GET value. But I am more accustomed to this:

The code is as follows:

    // Get the ID of the article whose information is to be displayed
    $id = $_GET['id'] * 1;

    if ($id == 0) {
        echo "ERROR ...";
        exit();
    }

If the value turns out not to be a number, it is very likely a problem parameter, so we show an error message and simply exit, which saves performing a database query for the illegitimate user.
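
The following PHP sketch is an added example, not code from the original article or from Jblog. It shows why the numeric check matters: addslashes() leaves the article's `5 or 1=1` value unchanged when the ID is not quoted, while integer validation plus a bound parameter (a technique the article does not cover) returns only the requested row. The in-memory SQLite database, its rows, and the function names fetch_escaped_only and fetch_validated are assumptions made for the demonstration.

```php
<?php
// Added example, not from the article. The table and column names follow the
// article's "blog"/"id"; the in-memory SQLite database and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO blog (id, title) VALUES (4, 'Fourth'), (5, 'Fifth'), (6, 'Sixth')");

// Weak form (hypothetical helper): addslashes() only escapes ', ", \ and NUL.
// A value without those characters reaches the unquoted numeric context unchanged.
function fetch_escaped_only(PDO $pdo, string $rawId): array
{
    $sql = 'SELECT id, title FROM blog WHERE id=' . addslashes($rawId);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form (hypothetical helper): reject anything that is not a positive
// integer, then bind the value as a typed parameter so it is never parsed as SQL.
function fetch_validated(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // the caller shows the error page; no query is run
    }
    $stmt = $pdo->prepare('SELECT id, title FROM blog WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: a normal ID, the article's altered value, and zero.
foreach (['5', '5 or 1=1', '0'] as $input) {
    $weak = count(fetch_escaped_only($pdo, $input));
    $safe = fetch_validated($pdo, $input);
    printf(
        "id=%-10s escaped-only rows: %d, validated: %s\n",
        $input,
        $weak,
        $safe === null ? 'rejected' : count($safe) . ' row(s)'
    );
}
```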

Finally, let's take a look at how Jblog handles injection:

Line 38 of includecommon.php:

The code is as follows:

    $_GET = add_slashes($_GET);
    $_POST = add_slashes($_POST);
    $_COOKIE = add_slashes($_COOKIE);

Line 194 of includefunc_global.php:

The code is as follows:

    // Recursively apply addslashes() to a string or to every element of an array
    function add_slashes($string) {
        if (!is_array($string)) return addslashes($string);
        foreach ($string as $key => $val) {
            $string[$key] = add_slashes($val);
        }
        return $string;
    }

Of course, this is only one part of it; the rest should be similar.
