PHP and SQL injection attacks [II]
Magic Quotes
As mentioned above, SQL injection is primarily about committing unsafe data to the database for attack purposes. To prevent SQL note
Into the attack, PHP comes with a function to process the input string, you can secure the input at the lower level
On the initial treatment, also known as Magic Quotes. (PHP.ini MAGIC_QUOTES_GPC). If MAGIC_QUOTES_GPC
option is enabled, the single quotation marks, double quotes, and some other characters in the input string are automatically preceded by a backslash \.
But Magic quotes is not a very general solution, it does not block all potentially dangerous characters and
The magic quotes on multiple servers is not enabled. So there are a number of other ways to prevent SQL note
Into.
Many databases themselves provide this input data processing capability. For example, PHP's MySQL operator function has a function called mysql_real_escape_string () that can escape special characters and characters that might cause errors in database operations.
Reference:
Http://cn2.php.net/mysql_real_escape_string
Interested can take a look at the following comments:)
Look at this code:
If the Magic quotes function is enabled
if (GET_MAGIC_QUOTES_GPC ()) {
$name = Stripslashes ($name);
}else{
$name = mysql_real_escape_string ($name);
}
mysql_query ("SELECT * from users WHERE name= ' {$name} '");
Note that before we use the functionality of the database, we need to determine if the magic quotes is open, as in the example above
, otherwise two repetitions will go wrong. If MQ is enabled, we have to add the \ Remove to get the real
Data.
In addition to preprocessing the data in the string form above, when storing binary data into the database, it is also necessary to note
Pretreatment. Otherwise, the data may conflict with the storage format of the database itself, causing the database to crash, the data
Records are lost and even the entire library's data is lost. Some databases, such as PostgreSQL, provide a special code for
The binary data Function Pg_escape_bytea (), which can encode data similar to Base64.
Such as:
For Plain-text data use:
Pg_escape_string ($regular _strings);
For binary data use:
Pg_escape_bytea ($binary _data);
In another case, we have to adopt such a mechanism. That's the multi-byte language that the database system itself does not support.
such as Chinese, Japanese and so on. Some of them overlap the range of ASCII and binary data.
However, encoding the data will likely result in invalid query statements such as like abc%.
http://www.bkjia.com/PHPjc/318373.html www.bkjia.com true http://www.bkjia.com/PHPjc/318373.html techarticle PHP and SQL injection attacks [II] magicquotes mentioned above, SQL injection is mainly to submit unsafe data to the database to achieve the purpose of the attack. To prevent SQL injection attacks, PHP comes with a feature ...