PHP and SQL injection attacks [2]

Source: Internet
Author: User

Magic quotes

As mentioned above, SQL injection works mainly by submitting unsafe data to the database. To help prevent it, PHP provides a low-level mechanism that performs preliminary processing of input strings, known as magic quotes (the magic_quotes_gpc option in php.ini). When magic_quotes_gpc is enabled, single quotation marks, double quotation marks and certain other characters in the input string are automatically prefixed with a backslash (\).

However, magic quotes is not a general solution: it does not block all potentially dangerous characters, and it is not enabled on many servers. Other methods are therefore also needed to prevent SQL injection.

Many databases provide functions for processing input data. For example, PHP's MySQL extension includes mysql_real_escape_string(), which escapes special characters and characters that could otherwise cause database operation errors.

Reference:
http://cn2.php.net/mysql_real_escape_string
If you are interested, the comments on that page are also worth reading :)

Code:

// If magic quotes is enabled, the input already carries backslashes added by
// PHP; remove them first so the value is escaped exactly once below.
if (get_magic_quotes_gpc()) {
    $name = stripslashes($name);
}

// Escape the raw value with the database's own escaping function
// (requires an open MySQL connection).
$name = mysql_real_escape_string($name);

mysql_query("select * from users where name = '{$name}'");

Note: before using the escaping function provided by the database, determine whether magic quotes is enabled, as in the preceding example. Otherwise the data is escaped twice and errors result. If magic quotes is enabled, the added backslashes must be removed first to recover the true data.
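The double-escaping problem described in the note, as an added example that is not part of the original article. The database escaper is passed in as a callable so the script runs without a MySQL connection; addslashes() stands in for it here (an assumption), and in production the callable would be the connection's real_escape_string method.

```php
<?php
// Added example: escape a GPC value exactly once, whether or not
// magic_quotes_gpc is enabled.

/**
 * Undo magic-quotes escaping (if the runtime applied it), then escape once
 * with the database escaper supplied by the caller.
 */
function escape_once(string $value, callable $escaper, bool $magicQuotesOn): string
{
    // magic_quotes_gpc has already run addslashes() on GPC input; undo it so
    // the raw value is escaped by the database escaper only once.
    if ($magicQuotesOn) {
        $value = stripslashes($value);
    }
    return $escaper($value);
}

// Constructed input containing a single quote.
$raw = "O'Brien";

// Simulate what magic_quotes_gpc does to the submitted value: addslashes().
$gpc = addslashes($raw);            // O\'Brien

// addslashes() stands in for the database escaper so the example runs offline
// (assumption); real code would use the mysqli connection's real_escape_string.
$escaper = 'addslashes';

// Wrong: escaping the already-slashed value escapes the backslash and the quote
// again, so the name stored in the database would literally be  O\'Brien.
$double = $escaper($gpc);           // O\\\'Brien

// Right: strip the magic-quotes slashes first, then escape once.
$single = escape_once($gpc, $escaper, true);   // O\'Brien

// With magic quotes off the raw value arrives unchanged and is escaped once.
$off = escape_once($raw, $escaper, false);     // O\'Brien

printf("double-escaped: %s\nescaped once (MQ on): %s\nescaped once (MQ off): %s\n",
       $double, $single, $off);

// The resulting query, built the way the article does it:
$sql = "select * from users where name = '{$single}'";
echo $sql, "\n";   // select * from users where name = 'O\'Brien'
```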

In addition to preprocessing string data as above, note that binary data also needs preprocessing. Otherwise it may conflict with the database's storage format, causing the database to crash and records to be lost, or even the loss of the entire database. Some databases, such as PostgreSQL, provide a dedicated function for encoding binary data, pg_escape_bytea(), which encodes the data in a way similar to base64.

For example:
// For plain-text data use:
pg_escape_string($regular_strings);

// For binary data use:
pg_escape_bytea($binary_data);

There is another case in which this mechanism is needed: multi-byte languages that the database system itself does not support, such as Chinese and Japanese, because some of their ASCII ranges overlap with those of binary data. However, encoding the data in this way may produce invalid query statements, for example in a pattern such as LIKE 'ABC%'.
