PHP anti-injection?

This post was last edited by u010572351 on 2013-06-27 21:10:49

At the moment I know that SQL attacks are filled with a lot of '% ' such special characters to implement, if I am the login interface want to prevent SQL attacks,

I know that the user name and password do not appear special characters, I use regular match, as long as there is a special character I will directly kill it, so deal with it?

Also, what do addslashes generally do? Trouble master more share under anti-injection these, little white know too little.

The main is the following is not very clear:
Magic_quotes_gpc=off
Magic_quotes_gpc=on
Addslashes ()
Stripslashes ()
Str_replace ();

If not landing, search and other entry page, usually PHP page normal DQL statement should not consider the injection problem it.

Reply to discussion (solution)

For each PHP version of the usage if (GET_MAGIC_QUOTES_GPC ()) {    $lastname = stripslashes ($_post[' LastName '));} else {    $lastname = $_post[' LastName ');} If using Mysql$lastname = Mysql_real_escape_string ($lastname); Echo $lastname; O\ ' Reilly$sql = "INSERT into Lastnames (lastname) VALUES (' $lastname ')";

For each PHP version of the usage if (GET_MAGIC_QUOTES_GPC ()) {    $lastname = stripslashes ($_post[' LastName '));} else {    $lastname = $_post[' LastName ');} If using Mysql$lastname = Mysql_real_escape_string ($lastname); Echo $lastname; O\ ' Reilly$sql = "INSERT into Lastnames (lastname) VALUES (' $lastname ')";

You this should be experience oh, actual development, easy to use not?

It is not easy to use, you use it to know.

It is not easy to use, you use it to know.
I would like to ask you the above two questions:

1. It seems that if MAGIC_QUOTES_GPC is turned on, SQL with special characters will join MySQL, no longer need to addslashes (), when the value is not required stripslashes (), because the system has been processed, You seem to have dealt with it, has it?

if (GET_MAGIC_QUOTES_GPC ()) {  ///If MAGIC_QUOTES_GPC is turned on, it will affect post, get, cookie request data, single/double quotes, backslashes will be preceded by a backslash, So first use stripslashes to remove the backslash to avoid double escaping    $lastname = stripslashes ($_post[' LastName ');} else {  //otherwise take the original data    $lastname = $_post[' LastName ');}

if (GET_MAGIC_QUOTES_GPC ()) {  ///If MAGIC_QUOTES_GPC is turned on, it will affect post, get, cookie request data, single/double quotes, backslashes will be preceded by a backslash, So first use stripslashes to remove the backslash to avoid double escaping    $lastname = stripslashes ($_post[' LastName ');} else {  //otherwise take the original data    $lastname = $_post[' LastName ');}

Thanks first, I now realize that there are two layers of meaning:

1. Special characters can be performed normally by MySQL, and escaped related.

2. Can be executed by MySQL, but there will be a malicious special word Foujian mysql execution injection.


Don't know right, for MySQL injection, should be using MySQL to recognize and execute some special characters, but there is a malicious execution results, right?

MAGIC_QUOTES_GPC switch
PHP 5.3 off by default
PHP 5.4 Canceled

Judging the return of GET_MAGIC_QUOTES_GPC () is an ancient thing.

As long as the SQL statement writes the specification, there is no problem. For example, do not use a string connection, but instead use a surrogate. Use quotation marks correctly. Use PDO.
It is impossible to be absolutely safe. Has a lot to do with cost.

