Php function code for SQL injection and escape

Source: Internet
Author: User
This article mainly introduces the SQL injection and escape code. In fact, you can refer to the dedecms empire phpcms code during usage. I believe your code is safer.

This article mainly introduces the SQL injection and escape code. In fact, you can refer to the dedecms empire phpcms code during usage. I believe your code is safer.

SQL Injection:

Under normal circumstances:

Delete. php? Id = 3;
$ SQL = 'delete from news where id = '. $ _ GET ['id'];

Malicious situation:

Delete. php? Id = 3 or 1;
$ SQL = 'delete from news where id = 3 or 1'; ------- after this operation, all records will be deleted.

Relevant measures should be taken... For example, you can determine whether it is a number first.

Believe that the information sent from the client is always unreliable !!

Escape:

Sometimes data transmitted from the client may maliciously contain special characters, such as single quotes and slashes. Therefore, escape the characters and convert them into common characters, in this case, string addslashes (string $ str) is used. This function can escape a variable. However, if the elements in the logarithm group are escaped, use the foreach loop array, as shown below:

The Code is as follows:


Foreach ($ _ POST as $ k => $ v ){
If (is_string ($ v )){
$ _ POST [$ k] = addslashes ($ v );
}
}

However, if the array contains an array, it is required to recursively escape it.

Array_walk_recursive (array & $ input, callback $ funcname [, mixed $ userdata])

Apply the User-Defined Function funcname to each cell in the array. This function is recursive to a deeper array. In typical cases, funcname accepts two parameters. The value of the input parameter is the first and the key name is the second. If the optional parameter userdata is provided, it is passed to callback funcname as the third parameter. Returns TRUE if the call succeeds, or FALSE if the call fails.

That is to say, a user-defined function must be able to receive at least two parameters, while addslashes () can only receive one parameter. Therefore, the User-Defined Function is as follows:

The Code is as follows:


Function a (& $ v, $ k ){
$ V = addslashes ($ v );
}
Array_pai_recursive (& $ arr, 'A ');

Automatic escape:

In PHP, there is a concept of magic quotes. How to open it? A: in PHP. ini, magic_quotes_gpc = On; restart apache.

After the magic quotes are opened, the system automatically escapes the $ _ GET, $ _ POST, and $ _ COOKIE data. If you manually escape the data again without knowing it, if you want to properly escape servers, website spaces, and virtual hosts in Hong Kong, you must first determine whether the magic symbol has been opened and use magic_quotes_gpc () to determine whether the magic symbol has been opened, if no value is required, 0 is returned, and 1 is returned.

The Code is as follows:


If (! Get_magic_quotes_gpc () {// if the magic quotes are not opened

Function _ addslashes (& $ v, $ k ){
$ V = addslashes ($ v );
}
Array_pai_recursive (& $ _ GET, '_ addslashes ');
Array_pai_recursive (& $ _ POST, '_ addslashes ');
Array_pai_recursive (& $ _ COOKIE, '_ addslashes ');
}

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.