Php anti-injection

Php anti-injection php website how to prevent SQL injection?

Website operation security must be considered by every Webmaster. as you know, most websites attacked by hackers use SQL injection, this is why we often say that the most primitive static website is the safest. Today we will talk about PHP injection security specifications to prevent your website from being injected with SQL statements.

Today's mainstream website development language is php. let's start with how php websites prevent SQL injection:

Through the above process, we can understand the principles and techniques of Php injection. of course, we can also work out the appropriate defense methods:
The first step is to set the server security. here, we mainly set the security of php + mysql and the security of linux hosts. To prevent injection of php + mysql, set magic_quotes_gpc to On and display_errors to Off. if the id type is set, we use intval () to convert it to an integer type, such as code:
$ Id = intval ($ id );
Mysql_query = "select * from example where articieid = '$ ID'"; or write: mysql_query ("SELECT * FROM article WHERE articleid = ". intval ($ id ). "")

If it is a replica type, use addslashes () to filter it, and then filter "%" and "_", such:
$ Search = addslashes ($ search );
$ Search = str_replace ("_", "\ _", $ search );
$ Search = str_replace ("%", "\ %", $ search );
Of course, you can also add php universal anti-injection code:
/*************************
PHP general anti-injection security code
Note:
Determines whether the passed variable contains invalid characters.
Such as $ _ POST and $ _ GET
Function:
Anti-injection
**************************/
// Invalid characters to be filtered
$ ArrFiltrate = array ("'", ";", "union ");
// The url to be redirected after an error occurs. If this parameter is left blank, the previous page is displayed by default.
$ StrGoUrl = "";
// Whether the value in the array exists
Function FunStringExist ($ StrFiltrate, $ ArrFiltrate ){
Foreach ($ ArrFiltrate as $ key => $ value ){
If (eregi ($ value, $ StrFiltrate )){
Return true;
}
}
Return false;
}
// Merge $ _ POST and $ _ GET
If (function_exists (array_merge )){
$ ArrPostAndGet = array_merge ($ HTTP_POST_VARS, $ HTTP_GET_VARS );
} Else {
Foreach ($ HTTP_POST_VARS as $ key => $ value ){
$ ArrPostAndGet [] = $ value;
}
Foreach ($ HTTP_GET_VARS as $ key => $ value ){
$ ArrPostAndGet [] = $ value;
}
}
// Verification starts
Foreach ($ ArrPostAndGet as $ key => $ value ){
If (FunStringExist ($ value, $ ArrFiltrate )){
Echo "alert (/" Neeao prompt, illegal character /");";
If (empty ($ StrGoUrl )){
Echo "history. go (-1 );";
} Else {
Echo "window. location =/" ". $ StrGoUrl ."/";";
}
Exit;
}
}
?>
/*************************
Save as checkpostandget. php
Add include ("checkpostandget. php") before each php file.
**************************/

In addition, the administrator username and password are encrypted using md5, which effectively prevents php injection.
There are also servers and mysql to enhance security.
For linux server security settings:
Use the "/usr/sbin/authconfig" tool to enable the password shadow function and encrypt the password.
Prohibit access to important files. go to the linux command interface and enter:
# Chmod 600/etc/inetd. conf // change the file attribute to 600
# Chattr + I/etc/inetd. conf // ensure that the file owner is root
# Chattr? I/etc/inetd. conf // restrict changes to this file
Prohibit any user from changing to a root user through the su command
Add the following two lines at the beginning of the su configuration file/etc/pam. d:
Auth sufficient/lib/security/pam_rootok.so debug
Auth required/lib/security/pam_whell.so group = wheel
Delete all special accounts
# Deleting users such as userdel lp
# Delete groups such as groupdel lp
Disable unused suid/sgid programs
# Find/-type f \ (-perm-04000-o? Perm-02000 \) \-execls? Lg {}\;