PHP anti-SQL injection methods explained (1/4) _ PHP Tutorial

Source: Internet
Author: User
Tags: mysql tutorial
Injection attacks when magic_quotes_gpc = off

magic_quotes_gpc = off is a very insecure setting in PHP. Newer PHP versions changed the default to on, but a considerable number of servers still run with it off, not least because old servers remain in use. (magic_quotes was later deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP every request behaves as if the option were off and the defence has to live in the application code.)

When magic_quotes_gpc = on, PHP automatically prefixes every ' (single quote), " (double quote), \ (backslash) and NUL character in submitted variables (GET, POST and cookie data) with a backslash. The official PHP documentation describes it as follows:


The code is as follows:

magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.

If there is no escaping, that is, when the option is off, an attacker can take advantage of it. The following test script is used as an example:
The code is as follows:

<?php
if (isset($_POST["f_login"]))
{
    // Database connection...
    // ... code omitted ...

    // Check whether the user exists
    $t_struname = $_POST["f_uname"];
    $t_strpwd   = $_POST["f_pwd"];
    // Vulnerable on purpose: the request values are spliced straight into the SQL string
    $t_strsql   = "select * from tbl_users where username = '$t_struname' and password = '$t_strpwd' limit 0, 1";

    if ($t_hres = mysql_query($t_strsql))
    {
        // Processing after a successful query...
    }
}
?>


In this script, when the user enters a normal user name and password, say zhang3 and abc123, the SQL statement submitted is:
The code is as follows:

select * from tbl_users
where username = 'zhang3' and password = 'abc123' limit 0, 1

If the attacker instead enters zhang3' or 1 = 1 # in the username field and abc123 in the password field, the single quote in the input closes the string literal early and the SQL statement submitted becomes:
The code is as follows:

select * from tbl_users
where username = 'zhang3' or 1 = 1 # ' and password = 'abc123' limit 0, 1

Because # starts a comment in MySQL, everything after it (the password check and the limit clause included) is ignored, so the statement actually executed is:
The code is as follows:

select * from tbl_users
where username = 'zhang3' or 1 = 1

Since 1 = 1 is always true, this returns every row in tbl_users and the attacker bypasses authentication. If the attacker also knows the database structure, a union select is more dangerous still, because it reads data out of other tables through the same query. The union only works when the attacker's select produces the same number of (type-compatible) columns as select * from tbl_users, which is why knowing the structure matters.
Assume the username entered is: zhang3' or 1 = 1 union select cola, colb, cold from tbl_b #
and the password entered is abc123.
The submitted SQL statement becomes:
The code is as follows:

select * from tbl_users
where username = 'zhang3'
or 1 = 1 union select cola, colb, cold from tbl_b # ' and password = 'abc123' limit 0, 1
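The following is an added example, not code from the original article, that replays the three statements above (the normal login, the ' or 1 = 1 # bypass and the union select) and shows what magic_quotes_gpc = on would have done to the same input. It assumes an in-memory SQLite database standing in for the article's MySQL server, with constructed tables tbl_users(id, username, password) and tbl_b(cola, colb, cold); the table and column names are taken from the article, the rows are made up. SQLite comments a line out with "--" rather than MySQL's "#", and it does not treat backslash as an escape inside string literals, so the payloads executed below use "-- " and the addslashes() result is only shown as text, never run. The function names build_query, addslashes, login_vulnerable and login_safe are this example's own.

```python
"""Replay of the article's injection payloads against a constructed SQLite
database. Added example; assumptions are noted in the comments."""
import sqlite3


def build_query(uname: str, pwd: str) -> str:
    # Same shape as the PHP script's $t_strsql: attacker-controlled values
    # spliced straight into the SQL text.
    return (f"select * from tbl_users where username = '{uname}' "
            f"and password = '{pwd}' limit 0, 1")


def addslashes(s: str) -> str:
    # What magic_quotes_gpc = on (PHP's addslashes()) does to every GPC value:
    # prefix ', ", \ and NUL with a backslash. Backslash goes first so the
    # escapes added afterwards are not doubled again.
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\x00", "\\0"))


def make_db() -> sqlite3.Connection:
    # Constructed sample data; the secret row in tbl_b is what the union
    # payload is after.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table tbl_users (id integer, username text, password text);
        insert into tbl_users values (1, 'zhang3', 'abc123'), (2, 'li4', 'xyz789');
        create table tbl_b (cola text, colb text, cold text);
        insert into tbl_b values ('secret-a', 'secret-b', 'secret-c');
    """)
    return con


def login_vulnerable(con: sqlite3.Connection, uname: str, pwd: str) -> list:
    # The article's pattern: concatenate, then execute. Returns all rows the
    # (possibly rewritten) statement yields.
    return con.execute(build_query(uname, pwd)).fetchall()


def login_safe(con: sqlite3.Connection, uname: str, pwd: str) -> list:
    # Same query with bound parameters: the input is sent as data and can
    # never become part of the SQL grammar, whatever quotes it contains.
    return con.execute(
        "select * from tbl_users where username = ? and password = ? limit 0, 1",
        (uname, pwd),
    ).fetchall()


# The article's payloads, with SQLite's "-- " in place of MySQL's "#".
BYPASS = "zhang3' or 1 = 1 -- "
UNION = "zhang3' or 1 = 1 union select cola, colb, cold from tbl_b -- "
# The article's original MySQL payload, used only to show the escaped text.
BYPASS_MYSQL = "zhang3' or 1 = 1 #"


if __name__ == "__main__":
    con = make_db()
    print("normal login   :", login_vulnerable(con, "zhang3", "abc123"))
    print("bypass (vuln)  :", login_vulnerable(con, BYPASS, "wrong"))
    print("bypass (safe)  :", login_safe(con, BYPASS, "wrong"))
    print("union (vuln)   :", login_vulnerable(con, UNION, "wrong"))
    # With magic_quotes_gpc = on the quote is escaped and the literal no
    # longer closes early (MySQL reads \' as a quote character inside it).
    print("magic_quotes   :", build_query(addslashes(BYPASS_MYSQL), addslashes("abc123")))
```

Note that addslashes() only helps where the value lands inside a quoted string literal; a statement such as where id = $id with the input 1 or 1 = 1 contains nothing for it to escape, so even with magic_quotes_gpc = on the fix that actually closes the class of bug is the parameterised form shown in login_safe.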


Original article: http://www.bkjia.com/PHPjc/629721.html
