Fortunately, PHP provides the strip_tags() function, which removes any content surrounded by HTML tags. strip_tags() also lets you pass a list of allowed tags, such as <b> or <i>.

Browser data manipulation relies on a class of browser plug-ins that let a user tamper with the headers and form elements of a page. With Tamper Data (a Mozilla plug-in), a simple form containing many hidden text fields that send commands to PHP and MySQL can be manipulated with very little effort. Before clicking Submit, the user starts Tamper Data; when the form is submitted, he sees the list of data fields in the form. Tamper Data lets him change that data, after which the browser completes the submission.

Let's return to the example we built earlier. It checks the string length, strips HTML tags and removes hexadecimal escapes, but now a few hidden text fields have been added:

Listing 17. Hidden variables

```php
<?php
if (isset($_POST['submit']) && $_POST['submit'] == "go") {
    // strip_tags
    $name = strip_tags($_POST['name']);
    $name = substr($name, 0, 40);
    // clean out any potential hexadecimal characters
    $name = cleanHex($name);
    // continue processing....
}

function cleanHex($input) {
    // remove \xNN style escapes (a literal backslash, x or X, then 1-3 hex digits)
    $clean = preg_replace("![\\\\][xX]([A-Fa-f0-9]{1,3})!", "", $input);
    return $clean;
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p><label for="name">Name</label>
<input type="text" name="name" id="name" size="20" maxlength="40"/></p>
<input type="hidden" name="table" value="users"/>
<input type="hidden" name="action" value="create"/>
<input type="hidden" name="status" value="live"/>
<p><input type="submit" name="submit" value="go"/></p>
</form>
```

Note that one of the hidden variables exposes the table name, users, and that there is an action field with the value create. Anyone with basic SQL experience can guess that these fields drive an SQL engine in the middleware. Doing serious damage is then just a matter of changing the table name or supplying a different action, such as delete.

What problems remain? Remote form submission.

The strength of the Web is its ability to share information and services. Its weakness is that very same ability, because some people do things without scruples. Take the form as an example: anyone can visit a Web site and use File > Save As in the browser to create a local copy of the form. He can then change the action parameter to point at a fully qualified URL (not formHandler.php, but http://www.yoursite.com/formHandler.php, because the form is on that site), make whatever other modifications he wants, and click Submit. The server receives the form data as a perfectly valid communication stream.

Your first thought may be to check $_SERVER['HTTP_REFERER'] to determine whether the request came from your own server. That blocks most malicious users, but not the best hackers: they are smart enough to tamper with the referer information in the header so that the remote copy of the form looks as if it was submitted from your server.

A better way to handle remote form submission is to generate a token based on a unique string or timestamp, and place that token both in a session variable and in the form. After the form is submitted, check whether the two tokens match. If they do not, someone is trying to send data from a remote copy of the form. To create a random token you can use PHP's built-in md5(), uniqid() and rand() functions, as shown in listing 18.

Listing 18. Defending against remote form submission

```php
<?php
session_start();
if (isset($_POST['submit']) && $_POST['submit'] == "go") {
    // check token
    if (isset($_POST['token']) && isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
        // strip_tags
        $name = strip_tags($_POST['name']);
        $name = substr($name, 0, 40);
        // clean out any potential hexadecimal characters
        $name = cleanHex($name);
        // continue processing....
    } else {
        // stop all processing! remote form posting attempt!
    }
}

// issue a fresh token for the form about to be rendered
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

function cleanHex($input) {
    // remove \xNN style escapes (a literal backslash, x or X, then 1-3 hex digits)
    $clean = preg_replace("![\\\\][xX]([A-Fa-f0-9]{1,3})!", "", $input);
    return $clean;
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p><label for="name">Name</label>
<input type="text" name="name" id="name" size="20" maxlength="40"/></p>
<input type="hidden" name="token" value="<?php echo $token; ?>"/>
<p><input type="submit" name="submit" value="go"/></p>
</form>
```

This technique works because session data in PHP cannot be migrated between servers. Even if someone obtains your PHP source code, moves it to his own server and submits information to your server, your server receives only an empty or malformed session token together with the form token it originally handed out. The two do not match, and the remote form submission fails.
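The same defence written with current PHP primitives, added here as an example and not part of the original article: the token comes from random_bytes() instead of md5(uniqid()), is compared with hash_equals() rather than ==, is consumed after one use, and the table and action from listing 17 live in a server-side map so that a tampered hidden field has nothing to change. The form name "signup" and the FORM_TARGETS map are assumptions for this example.

```php
<?php
// Added example, not the article's listing. Assumed: one form named "signup".
session_start();

// Server-side configuration: the client never names the table or action,
// so editing hidden fields (listing 17) cannot redirect the SQL engine.
const FORM_TARGETS = ['signup' => ['table' => 'users', 'action' => 'create']];

function issueToken(): string {
    // 32 bytes from the CSPRNG, hex-encoded so it is safe inside the form.
    $_SESSION['token'] = bin2hex(random_bytes(32));
    return $_SESSION['token'];
}

function tokenIsValid(?string $submitted): bool {
    $expected = $_SESSION['token'] ?? null;
    // A remote copy of the form has no session on this server: $expected is null.
    if ($expected === null || $submitted === null) {
        return false;
    }
    // Constant-time compare; == would also accept loosely-equal numeric strings.
    $ok = hash_equals($expected, $submitted);
    unset($_SESSION['token']);   // one-time use: a replayed or stale form fails
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $form = $_POST['form'] ?? '';
    if (!tokenIsValid($_POST['token'] ?? null) || !array_key_exists($form, FORM_TARGETS)) {
        http_response_code(403);
        exit('Rejected: missing or mismatched form token');
    }
    $target = FORM_TARGETS[$form];             // table "users", action "create"
    $name = substr(strip_tags($_POST['name'] ?? ''), 0, 40);
    // continue processing with $target['table'], $target['action'] and $name ...
}

$token = issueToken();                         // fresh token for the next render
?>
<form action="" method="post">
<p><label for="name">Name</label>
<input type="text" name="name" id="name" size="20" maxlength="40"/></p>
<input type="hidden" name="form" value="signup"/>
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES); ?>"/>
<p><input type="submit" name="submit" value="go"/></p>
</form>
```

Posting the saved copy of this form from another host fails twice over: the session holding the token is absent, and even with a guessed "form" value the table and action are never read from the request.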