PHP Anti-SQL injection

1. First set the MAGIC_QUOTES_GPC to On,display_errors set to off.
2. After the project is officially launched, call mysql_query and other MySQL functions, should precede with @, that is @mysql_query (...) So that the MySQL error is not output. In the same vein, the attacker is not allowed to parse out useful information.
3. In php.ini register_globals = on to Register_globals = OFF, the advantage of this is that your PHP variables can not be directly from the get/post and other places, but by your own program to obtain
4. Security Parameters Get function:
<?php
Define ("Xh_param_int", 0);
Define ("Xh_param_txt", 1);
function Papi_getsafeparam ($pi _strname, $pi _def = "", $pi _itype = xh_param_txt)
{
if (Isset ($_get[$pi _strname]))
$t _val = Trim ($_get[$pi _strname]);
else if (isset ($_post[$pi _strname]))
$t _val = Trim ($_post[$pi _strname]);
Else
return $PI _def;
Int
if (Xh_param_int = = $pi _itype)
{
if (Is_numeric ($t _val))
return $t _val;
Else
return $PI _def;
}
String
$t _val = Str_replace ("&", "&amp;", $t _val);
$t _val = Str_replace ("<", "&lt;", $t _val);
$t _val = Str_replace (">", "&gt;", $t _val);
if (GET_MAGIC_QUOTES_GPC ())
{
$t _val = Str_replace ("\\\", "&quot;", $t _val);
$t _val = str_replace ("\ \" "," & #039; ", $t _val);
}
Else
{
$t _val = str_replace ("\" "," &quot; ", $t _val);
$t _val = Str_replace ("'", "& #039;", $t _val);
}
return $t _val;
}

In this function, there are three parameters:

$PI _strname: Variable name
$PI _def: Default value
$PI _itype: Data type.　　The value is Xh_param_int, Xh_param_txt, respectively, the numeric type and the text type. If the request is numeric, call Is_numeric () to determine whether it is a numeric value. If
No, the default value specified by the program is returned. For simplicity, for a text string, I escaped all dangerous characters (including HTML code) entered by the user. Because the PHP function addslashes () has a leak
Hole, I use Str_replace () to replace directly. The GET_MAGIC_QUOTES_GPC () function is a PHP function used to determine whether the MAGIC_QUOTES_GPC option is open.

Just the example, the code can call this:
<?php
if (Isset ($_post["F_login"))
{
Connect to Database ...
// ... Code slightly ...

Check if the user exists
$t _struid = Papi_getsafeparam ("F_uid", 0, Xh_param_int);
$t _strpwd = Papi_getsafeparam ("F_pwd", "", xh_param_txt);
$t _strsql = "SELECT * from Tbl_users WHERE uid= $t _struid and password = ' $t _strpwd ' LIMIT 0,1 ';
if ($t _hres = mysql_query ($t _strsql))
{
Processing after a successful query. Slightly...
}
}
?>


1. Precautions can be from two aspects, one is the server, two is the code itself, the introduction of the server configuration of the article a lot, nothing more than to set the MAGIC_QUOTES_GPC to On,display_errors set to OFF
2. Code Start
1) We can obtain the user name in the database through the user name to get the password, and then the password to enter the match, if the same is the correct input password, otherwise there is a problem
2) A better way is to use PDO's PDO::p Repare () preprocessing operation to prevent SQL Injection Vulnerability PDO::p Repare () is primarily a preprocessing operation that requires the SQL statements in the preprocessing through $rs->execute ().
This method can be used to bind parameters, and the function is more powerful. There are two ways to bind a parameter: by name, or by the number.
3. Search engine SQL injection problem filter% and _ to prevent all data is queried.

PHP Anti-SQL injection