The best way to prevent SQL injection is to filter and escape all data submitted to the background.
For simple cases, such as single quotation marks ('), semicolons (;), <,>, and other characters, you can use rewrite to directly subscribe to the 404 page.
There is a premise to use rewrite. Generally, rewrite is used for regular matching and can only match the URI of the webpage, that is, the url? First part ,? Later parts are request parameters.
The request parameters following the question mark are displayed in the $ query_string table in nginx. They cannot be matched in rewrite. if is required
For example, match the 'with single quotes in the parameter and then direct it to the error page,
/Plus/list. php? Tid = 19 & mid = 1124'
Rewrite ^. * ([; '<>]). */error.html break;
Directly Writing such an rewrite will certainly not match correctly, because the rewrite parameter will only match the requested uri, that is, the/plus/list. php part.
You need to use $ query_string to determine with if. if the query string contains special characters, 404 is returned.
If ($ query_string ~ * ". * [; '<>]. *") {
Return 404;
}