PHP Anti-SQL injection

Source: Internet
Author: User
Tags: mysql, functions, numeric value

1. First, in php.ini set magic_quotes_gpc to On and display_errors to Off. (Caveat for current PHP: magic_quotes_gpc and register_globals were removed in PHP 5.4 and the mysql_* functions in PHP 7.0, so on a modern install only display_errors = Off still applies; the prepared-statement approach described in the second part is the one to rely on.)
2. Once the project is live, prefix mysql_query() and the other MySQL functions with @, i.e. @mysql_query(...), so that MySQL error messages are not printed. The same idea applies elsewhere: an attacker must not be able to read useful details (table names, query fragments) out of error output.
3. In php.ini change register_globals = On to register_globals = Off. The benefit is that PHP variables are no longer populated directly from GET/POST and other request data; your own code has to fetch and validate them.
4. A safe parameter-fetching function:

define("XH_PARAM_INT", 0);
define("XH_PARAM_TXT", 1);

function PAPI_GetSafeParam($pi_strName, $pi_Def = "", $pi_iType = XH_PARAM_TXT)
{
    // Read the parameter from GET first, then POST; otherwise return the default
    if (isset($_GET[$pi_strName])) {
        $t_Val = trim($_GET[$pi_strName]);
    } else if (isset($_POST[$pi_strName])) {
        $t_Val = trim($_POST[$pi_strName]);
    } else {
        return $pi_Def;
    }

    // Numeric parameters: accept only what is_numeric() approves of
    if (XH_PARAM_INT == $pi_iType) {
        if (is_numeric($t_Val)) {
            return $t_Val;
        }
        return $pi_Def;
    }

    // Text parameters: encode HTML metacharacters and both kinds of quote as
    // entities. The two patterns starting with a backslash catch quotes that
    // magic_quotes_gpc has already escaped.
    $t_Val = str_replace("&", "&amp;", $t_Val);
    $t_Val = str_replace("<", "&lt;", $t_Val);
    $t_Val = str_replace(">", "&gt;", $t_Val);
    $t_Val = str_replace("\\\"", "&quot;", $t_Val);
    $t_Val = str_replace("\\'", "&#039;", $t_Val);
    $t_Val = str_replace("\"", "&quot;", $t_Val);
    $t_Val = str_replace("'", "&#039;", $t_Val);
    return $t_Val;
}

This function takes three parameters:

$pi_strName: the variable name
$pi_Def: the default value
$pi_iType: the data type, either XH_PARAM_INT (numeric) or XH_PARAM_TXT (text). For a numeric parameter, is_numeric() decides whether the value is numeric; if it is not, the default supplied by the caller is returned. Note that is_numeric() also accepts forms such as "1e3" or "0.5", so this guarantees a numeric-looking value rather than an integer; it is safe to interpolate unquoted only because none of those forms contain SQL syntax, and filter_var() with FILTER_VALIDATE_INT or an (int) cast is the stricter check. For simplicity, for a text string I encode every dangerous character the user entered (HTML markup included) as an HTML entity. Because addslashes() has a known weakness (it works byte by byte, so with a multibyte character set such as GBK the backslash it inserts can be absorbed into a two-byte character and the quote survives), I use str_replace() directly. The two replacements that begin with a backslash handle input that magic_quotes_gpc has already escaped; get_magic_quotes_gpc() is the PHP function that reports whether that option is on. Be aware that entity encoding changes the data itself: a name like O'Brien is stored as O&#039;Brien.
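The numeric path of PAPI_GetSafeParam() trusts is_numeric(), which also accepts exponent, decimal and leading-zero forms such as "1e3", "0.5" and "007", and whatever it accepts is interpolated unquoted into the query. The following added example (mine, not code from the article) puts a stricter integer validator built on filter_var() with FILTER_VALIDATE_INT next to the article's check over a set of constructed inputs; getIntParam() and its $src argument are this example's own names.

```php
<?php
// Added example, not code from the original article. The article's
// XH_PARAM_INT path trusts is_numeric(), which also accepts exponent,
// decimal and leading-zero forms; because the value is interpolated
// unquoted (uid=$t_strUid), anything that passes goes straight into the SQL.
// getIntParam() and its $src argument are this example's own names.

// Strict integer parameter: a plain decimal integer (optional sign, no
// leading zeros, exponent or fraction) within [$min, $max], else the default.
function getIntParam(array $src, string $name, int $def, int $min = 1, int $max = PHP_INT_MAX): int
{
    if (!isset($src[$name])) {
        return $def;
    }
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $v = filter_var(trim((string) $src[$name]), FILTER_VALIDATE_INT, $opts);
    return $v === false ? $def : $v;
}

// Constructed inputs: what a client might send as f_uid.
$samples = ['42', '1 OR 1=1', '1; DROP TABLE tbl_users', '1e3', '0.5', '007', '-3', ''];

foreach ($samples as $s) {
    // The article's check: whatever is_numeric() accepts is used verbatim.
    $loose  = is_numeric($s) ? "WHERE uid=$s" : 'default';
    // This example's check: only a real integer in range survives.
    $strict = getIntParam(['f_uid' => $s], 'f_uid', 0);
    printf("%-28s is_numeric: %-16s getIntParam: %d\n", var_export($s, true), $loose, $strict);
}
```

Run it with php on the command line; the first column is the raw input, the second what the article's check would put into the query, the third the integer the strict validator returns (0, the default, whenever it rejects).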

As an example, the code can be called like this:

if (isset($_POST["f_login"])) {
    // connect to the database ...
    // ... code omitted ...

    // check whether the user exists
    $t_strUid = PAPI_GetSafeParam("f_uid", 0, XH_PARAM_INT);
    $t_strPwd = PAPI_GetSafeParam("f_pwd", "", XH_PARAM_TXT);
    $t_strSQL = "SELECT * FROM tbl_users WHERE uid=$t_strUid AND password='$t_strPwd' LIMIT 0,1";
    if ($t_hRes = mysql_query($t_strSQL)) {
        // processing after a successful query ...
    }
}

1. Precautions can come from two sides: the server and the code itself. Plenty of articles cover the server configuration; it comes down to setting magic_quotes_gpc to On and display_errors to Off (magic_quotes_gpc no longer exists in PHP 5.4 and later; display_errors = Off still applies).
2. In the code:
1) Look the user up by user name, fetch the stored password, and compare it with the submitted password in PHP. If they match, the password is correct; otherwise reject the login. (Store a password_hash() hash rather than the plaintext and compare with password_verify().)
2) A better way is PDO's PDO::prepare(). The SQL statement is prepared first and then run through $rs->execute(), with the parameters bound separately, so user input is never parsed as SQL. This method lets you bind parameters and is considerably more capable. There are two ways to bind a parameter: by name (:name placeholders) or by position (? placeholders).
3. For a search feature, filter the LIKE wildcards % and _ out of (or escape them in) the search term, otherwise a term such as % matches every row and all data is returned. Parameter binding alone does not neutralize wildcards, because they are interpreted inside the bound value.
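The login and search queries above done with PDO prepared statements, as an added example (mine, not code from the original article): the user name is bound by name and the password compared in PHP with password_verify(), and the search term has its LIKE wildcards escaped and is bound by position. It uses an in-memory SQLite database through pdo_sqlite so it runs offline; the DSN, the tbl_users table and its two rows are constructed for this example, and the function names login() and searchUsers() are my own.

```php
<?php
// Added example, not code from the original article: the login and search
// queries done with PDO prepared statements. It uses an in-memory SQLite
// database (pdo_sqlite) so it runs offline; the DSN, table and rows are
// constructed for this example. With MySQL, use the mysql: DSN and also set
// PDO::ATTR_EMULATE_PREPARES to false so the server does the preparing.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE tbl_users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO tbl_users (uid, username, password) VALUES (:uid, :name, :hash)');
$ins->execute([':uid' => 1, ':name' => 'alice',   ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute([':uid' => 2, ':name' => "o'brien", ':hash' => password_hash('s3cret', PASSWORD_DEFAULT)]);

// Method 1) from the text: fetch the stored password hash by user name, then
// compare in PHP. The submitted password never reaches the SQL at all, and
// the user name is bound by name, so a quote in it is data, not syntax.
function login(PDO $db, string $username, string $password): ?int
{
    $st = $db->prepare('SELECT uid, password FROM tbl_users WHERE username = :name LIMIT 1');
    $st->execute([':name' => $username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown user
    }
    // password_verify() checks a password_hash() hash in constant time
    return password_verify($password, $row['password']) ? (int) $row['uid'] : null;
}

// Point 3 from the text: a search box. Binding stops injection, but % and _
// inside the bound value still act as LIKE wildcards, so escape them and
// declare the escape character. '!' is used because a backslash literal is
// written differently in MySQL and SQLite.
function searchUsers(PDO $db, string $term): array
{
    $escaped = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $st = $db->prepare("SELECT username FROM tbl_users WHERE username LIKE ? ESCAPE '!'");
    $st->execute(['%' . $escaped . '%']);  // bound by position
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: the classic quote payload against the login form, a
// legitimate name containing a quote, and a bare wildcard against the search.
var_dump(login($db, "alice' OR '1'='1", 'anything'));  // the payload is just a user name that does not exist
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, "o'brien", 's3cret'));             // the quote is data, not syntax
var_dump(searchUsers($db, '%'));                       // escaped: only a literal % in a name would match
var_dump(searchUsers($db, 'bri'));
```

The query text is fixed at prepare time, so no value passed to execute() can change its structure; that is what makes this stronger than any character filter. The wildcard escaping is the one thing binding does not do for you, which is why searchUsers() handles it explicitly.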

The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; products and services mentioned on the page have no relationship with Alibaba Cloud.
