PHP anti-injection attack experience

Source: Internet
Author: User
Tags: sleep


One:

This topic is too cliché.
Setting MAGIC_QUOTES_GPC = On in php.ini
can indeed withstand some injection attacks, but is it a panacea?
What we do now is convert the spaces, punctuation, and special characters in every POST or GET variable into HTML encoding.
They are restored when the data is displayed. How do you do it? Let's exchange code.

But that alone does not work. The UNION statement is still usable when your SQL is not written in the standard way.
For example, in SELECT * FROM news WHERE id=$id, the variable $id is not enclosed in quotation marks, and there is no check of whether $id is a numeric string, so it will certainly be injected, even with MAGIC_QUOTES_GPC = On.
The complete method of preventing injection is to enclose the variable in the SQL statement in quotation marks, then
set MAGIC_QUOTES_GPC = On, and then convert spaces, punctuation marks, and special characters all into HTML encoding.
So I think this will settle it once and for all. I don't know if anything slips through; please advise, masters. We are now developing a system that has to eliminate injection, so that I can sleep well at night. Haha.
Generally I directly filter the _GET, _POST, _SESSION and other data up front with a function on each page.

Force-check the data type when actually writing to the database.

Basically, these work well against general injection.

1. SQL statements are best formatted with sprintf, and then queried.
2. For login detection and the like, it is best to take one value out by another value, and then compare.

An example is provided:
Haha, that's one of my examples. I summed it up carefully, and it was not easy to inject.
Summarized as follows:
With MAGIC_QUOTES_GPC = On enabled, and the variable enclosed in quotation marks, if the other person wants to inject, he must break the quotation mark, so he has to add a quotation mark inside the variable; the added quotation mark is escaped by MAGIC_QUOTES_GPC = On, and breaking out of the quotation marks fails. He can't do bad things.
Another point is that there are two comment tags in MySQL, # and /*, through which the SQL that follows can be commented out; convert those characters to ASCII codes or HTML codes.
Then there is the root of injection: the space.
For example SELECT * FROM news WHERE id=1 UNION SELECT * FROM admin; if I delete or convert the space,
it becomes SELECT * FROM news WHERE id=1unionselect*fromadmin, and that is what happens when someone tries to steal data.
SELECT * FROM news WHERE id=1; DROP TABLE news, here, get rid of the blanks:
SELECT * FROM news WHERE id=1; Droptablenews cannot be executed.
So the root of injection attacks is the space. After the space is replaced, it is really safe to sleep.
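As an added example (not code posted by anyone in this thread), here are the rules the replies give, a numeric check on `id`, string values kept quoted and escaped, and "fetch a value, then compare" for logins, written with PDO prepared statements, which do the quoting and escaping in the driver instead of relying on magic_quotes. The table and column names (news, admin, username, pass_hash) are assumptions made for the demo.

```php
<?php
// Added example, not from the thread: the rules given above (check that id
// is numeric, keep string values inside quotes and escaped, and for logins
// fetch a value first and then compare) implemented with PDO prepared
// statements. Table and column names (news, admin, username, pass_hash) are
// assumptions made for this demo.

function fetchNewsById(PDO $pdo, string $id): ?array
{
    // The thread's weak case is "WHERE id=$id" with an unquoted, unchecked
    // id. Accept only a string of digits, so a value such as
    // "1 UNION SELECT * FROM admin" never reaches the query at all.
    if (!preg_match('/\A[0-9]+\z/', $id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Rule 2 above: look the stored hash up by username alone, then compare
    // in PHP, instead of putting the password into the WHERE clause.
    // The username is bound as a parameter, so the driver does the quoting
    // and escaping that the thread relies on magic_quotes for.
    $stmt = $pdo->prepare('SELECT pass_hash FROM admin WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, (string) $hash);
}

// Constructed in-memory SQLite data so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec('CREATE TABLE admin (username TEXT, pass_hash TEXT)');
$pdo->exec("INSERT INTO news VALUES (1, 'first post')");
$pdo->prepare('INSERT INTO admin VALUES (:u, :h)')
    ->execute([':u' => 'root', ':h' => password_hash('s3cret', PASSWORD_DEFAULT)]);

var_dump(fetchNewsById($pdo, '1'));
var_dump(fetchNewsById($pdo, '1 UNION SELECT * FROM admin')); // rejected before any SQL is built
var_dump(fetchNewsById($pdo, '1; DROP TABLE news'));          // rejected the same way
var_dump(checkLogin($pdo, 'root', 's3cret'));
var_dump(checkLogin($pdo, 'root', 'wrong'));
```

Run it with the pdo_sqlite extension enabled; the same two functions work unchanged against MySQL by swapping the DSN.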

