PHP and SQL injection attacks [3]. These days are too busy to continue the serialization. haha, we will try to end in half a month. As mentioned above, the insecure input filtering function provided by the database is not available in all databases. I am too busy these days. I will continue to attach the service and try to end in half a month.
As mentioned above, the insecure input filtering function provided by the database is not available in all databases. Currently, only MySQL, SQLite, PostgreSQL, and Sybase are available, but many databases, including Oracle and SQL Server, do not.
In view of this situation, developers generally adopt a general method to avoid insecure data written into the database-base64 encoding. In this way, all the special characters that may cause problems can be avoided. However, after Base64 encoding, the data capacity will increase by about 33%, which is space-consuming. In PostgreSQL, there is another problem with Base64 encoding data, that is, you cannot use 'like' to query data.
So to sum it up, we know that it is not feasible to shield strings by the database itself. We need a solution to filter out dangerous characters before special characters affect our Query statements. Prepared queries/prepared statements is a good method. What is a pre-defined query? It is equivalent to a query statement template, which defines the structure of the query statement and some data types. If the SQL statement we submit conforms to the template definition, it will be executed. Otherwise, it will not be executed and an error will be reported.
For example:
Pg_query ($ conn, "PREPARE stmt_name (text) as select * FROM users WHERE name = $1 ");
Pg_query ($ conn, "EXECUTE stmt_name ({$ name })");
Pg_query ($ conn, "DEALLOCATE stmt_name ");
PREPARE stmt_name (text) AS .. defines the format of a query. all characters except $1 are placeholders and cannot be changed. I think this method is really a good method. Unfortunately, not all databases are supported ..
Bytes. As mentioned above, the insecure input filtering function provided by the database is not available in all databases. Currently large...