PHP and SQL injection attack []_php techniques

These days too busy, continue to serial haha, for half a month to end.

The database comes with unsafe input filtering capabilities, but not all databases have it. Currently, only Mysql,sqlite,postgresql,sybase has such a feature, and many databases, including Oracle and SQL Server, are not.

Given this situation, the general developer uses a common approach to avoid unsafe data written to the database--base64 encoding. This avoids the risk of any special characters that may cause problems. But BASE64 encoded data capacity will probably increase by 33%, compared to occupy space. In PostgreSQL, there is a problem with using BASE64 encoded data, that is, you cannot use a ' like ' query.

So summing up so much, we know that relying on the database itself is not a string screen. We need a solution that filters out dangerous characters before the special characters affect our query statement. A predefined query (Prepared queries/prepared statements) is a great way to do this.　What is a predefined query? It is equivalent to a template for a query statement that defines the structure of the query statement and the data types of some parts. If we submit a SQL statement that conforms to the definition of this template, execute it, or we will not execute it and report an error.

For example:

Pg_query ($conn, "PREPARE stmt_name (text) as SELECT * from users WHERE name=$1");
Pg_query ($conn, "EXECUTE stmt_name ({$name})");
Pg_query ($conn, "deallocate stmt_name");

PREPARE stmt_name (text) as.. Defines the format of a query where all characters except $ are placeholders and do not allow changes. Oh, I think this method is really a good way. But unfortunately not all databases are supported.