Let's talk about how SQL injection attacks are implemented and how to prevent them.
See this example:
The code is as follows:
// supposed (attacker-controlled) input
$name = "ilia'; DELETE FROM users;";
mysql_query("SELECT * FROM users WHERE name='{$name}'");
It is clear that the statement the database ends up executing is:
SELECT * FROM users WHERE name='ilia'; DELETE FROM users;
This has disastrous consequences for the database: all records have been deleted.
However, if the database you are using is MySQL, then fortunately the mysql_query() function does not allow such an operation directly (it refuses to execute more than one statement per call), so this particular attack fails. If you are using a database such as SQLite or PostgreSQL that does support stacked statements, then such a query will wipe out your data.
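The attack above, and the difference between a driver that runs a whole batch and one that refuses a second statement, reproduced as an added example that is not code from the original post. It is written in Python against an in-memory SQLite database rather than the post's PHP and MySQL: the users table and its three rows are constructed here, executescript() stands in for a driver that executes every statement it is given (the SQLite/PostgreSQL case), execute() stands in for mysql_query(), which rejects more than one statement per call, and the PAYLOAD string is a constructed input in the spirit of the post's $name. The parameterized and escaped lookups show the two defences against it.

```python
import sqlite3

# Constructed attacker-controlled input: it closes the quoted string and
# appends a second statement, exactly the pattern in the post's example.
PAYLOAD = "ilia'; DELETE FROM users WHERE '1'='1"


def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite database with three constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("ilia",), ("alice",), ("bob",)])
    conn.commit()
    return conn


def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def lookup_vulnerable(conn, name, allow_multiple_statements):
    """Builds the query by string interpolation, as the PHP snippet does.

    allow_multiple_statements=True hands the text to executescript(), i.e. a
    driver that executes the whole batch; False uses execute(), which, like
    mysql_query(), rejects more than one statement per call.
    """
    sql = "SELECT id, name FROM users WHERE name='%s'" % name
    try:
        if allow_multiple_statements:
            conn.executescript(sql)
        else:
            conn.execute(sql)
        refused = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Python < 3.12 raises sqlite3.Warning here, 3.12+ ProgrammingError
        refused = True
    return {"refused": refused, "users_left": count_users(conn)}


def lookup_parameterized(conn, name):
    """The value travels as a bound parameter, never as part of the SQL text."""
    rows = conn.execute("SELECT id, name FROM users WHERE name=?", (name,)).fetchall()
    return {"rows": rows, "users_left": count_users(conn)}


def lookup_escaped(conn, name):
    """Escaping in SQLite's own dialect: a literal quote is written as two quotes.

    mysql_real_escape_string() uses backslashes instead; the rule is
    dialect-specific, which is one reason bound parameters are preferred.
    """
    safe = name.replace("'", "''")
    rows = conn.execute("SELECT id, name FROM users WHERE name='%s'" % safe).fetchall()
    return {"rows": rows, "users_left": count_users(conn)}


if __name__ == "__main__":
    print(lookup_vulnerable(fresh_db(), PAYLOAD, allow_multiple_statements=True))
    print(lookup_vulnerable(fresh_db(), PAYLOAD, allow_multiple_statements=False))
    print(lookup_parameterized(fresh_db(), PAYLOAD))
    print(lookup_escaped(fresh_db(), PAYLOAD))
```

With the batch-executing driver the table is emptied; with the single-statement driver the call is refused and the rows survive, which is the mysql_query() behaviour the text relies on. Both the parameterized and the escaped lookup simply search for a user literally named after the whole payload and find nothing.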
As mentioned above, SQL injection consists mainly of submitting unsafe data to the database in order to carry out the attack. To help prevent SQL injection, PHP comes with a low-level mechanism that pre-processes input strings, known as Magic Quotes (the magic_quotes_gpc setting in php.ini). If magic_quotes_gpc is enabled, single quotes, double quotes and some other characters in the input string are automatically prefixed with a backslash (\).
But magic quotes is not a very general solution: it does not block all potentially dangerous characters, and it is not enabled on many servers. So we need a number of other ways to prevent SQL injection.
Many database extensions themselves provide this kind of input processing. For example, PHP's MySQL extension has a function, mysql_real_escape_string(), which escapes special characters and characters that might cause errors in database operations.
Look at this code:
The code is as follows:
// If magic quotes is enabled, first remove the backslashes it added,
// so that the value is not escaped a second time below
if (get_magic_quotes_gpc()) {
    $name = stripslashes($name);
}
// Now escape the real value exactly once with the database's own function
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name='{$name}'");
Note that before we use the database's escaping function, it is important to check whether magic quotes is turned on, as in the example above; otherwise the data would be escaped twice and end up wrong. If magic quotes is enabled, we first have to strip the added backslashes to get back the real data.
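To make the double-escaping problem concrete, here is an added example in Python (not the post's PHP) that re-implements the three transformations involved: addslashes() as magic_quotes_gpc applies it to request data, stripslashes(), and the backslash rules of mysql_real_escape_string() together with MySQL's reverse parsing of such a literal. The function and table names are this example's own, the sample value O'Reilly is constructed, and the escape table ignores the connection character set.

```python
# Characters mysql_real_escape_string() prefixes with a backslash, and what
# it turns them into (NUL, newline, carriage return and Ctrl-Z become letters).
_MYSQL_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
                  "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
# Reverse mapping used when the database parses the literal back.
_MYSQL_UNESCAPES = {v[1]: k for k, v in _MYSQL_ESCAPES.items()}


def addslashes(s: str) -> str:
    """What magic_quotes_gpc does to every GET/POST/cookie value."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def _unescape(s: str, table: dict) -> str:
    """Drop one backslash per escape; unknown '\\x' sequences become 'x'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(table.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def stripslashes(s: str) -> str:
    """Undo addslashes(): only '\\0' has a special meaning, everything else is literal."""
    return _unescape(s, {"0": "\0"})


def mysql_style_escape(s: str) -> str:
    """Backslash escaping as mysql_real_escape_string() does it (charset aside)."""
    return "".join(_MYSQL_ESCAPES.get(c, c) for c in s)


def mysql_unescape(escaped: str) -> str:
    """The value the database actually stores after parsing the escaped literal."""
    return _unescape(escaped, _MYSQL_UNESCAPES)


def prepare_for_query(request_value: str, magic_quotes_on: bool) -> str:
    """The post's rule: undo magic quotes first, then escape exactly once."""
    real = stripslashes(request_value) if magic_quotes_on else request_value
    return mysql_style_escape(real)


def naive_prepare(request_value: str) -> str:
    """The mistake the post warns about: escaping without checking magic quotes."""
    return mysql_style_escape(request_value)


if __name__ == "__main__":
    typed = "O'Reilly"                      # constructed user input
    via_magic_quotes = addslashes(typed)    # what the script receives when MQ is on
    print("correct:", mysql_unescape(prepare_for_query(via_magic_quotes, True)))
    print("naive:  ", mysql_unescape(naive_prepare(via_magic_quotes)))
```

Run with magic quotes on, the naive path sends O\\\'Reilly to the database, which then stores O\'Reilly instead of O'Reilly; stripping first and escaping once stores the name the user typed. The real mysql_real_escape_string() also consults the connection's character set, which this re-implementation does not, and that is why the real function needs an open connection.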
In addition to pre-processing string data as described above, you should also take care to pre-process binary data before storing it in the database. Otherwise the data may conflict with the database's own storage format, causing the database to crash, records to be lost, or even the whole database's data to be lost. Some databases, such as PostgreSQL, provide a function, pg_escape_bytea(), designed specifically for encoding binary data; it encodes the data in a manner similar to Base64.
Such as:
The code is as follows:
// For plain-text data use:
pg_escape_string($regular_strings);
// For binary data use:
pg_escape_bytea($binary_data);
Another case in which we have to adopt such a mechanism is when the database system itself does not support multi-byte character sets such as Chinese or Japanese; some of their byte sequences overlap with the ASCII range and with binary data.
However, encoding the data this way will likely produce invalid query statements, such as ones using LIKE 'abc%'.