PHP SQL Prevention injection and attack technology implementation and methods (1/4)

PHP Tutorial SQL Prevention injection and attack technology implementation and methods
1. The MAGIC_QUOTES_GPC option in the PHP configuration file php.ini is not turned on and is set to off

2. Developers do not check and escape data types

But in fact, the 2nd is the most important. I think that it is the most basic quality of a web programmer to check the data type entered by the user and submit the correct data type to the MySQL tutorial. But in reality, many small white web developers often forget this, leading to a backdoor opening.

Why is the 2nd most important? Because without a 2nd guarantee, the MAGIC_QUOTES_GPC option, whether on or off, can trigger a SQL injection attack. Here's a look at the technology implementation:

A. MAGIC_QUOTES_GPC = injection attack at off
MAGIC_QUOTES_GPC = Off is a very unsafe option in PHP. The new version of PHP has changed the default value to ON. However, there are still a considerable number of servers with the option off. After all, the antique server is also used by others.

When MAGIC_QUOTES_GPC = ON, it automatically adds all the "(single quotes)," (double), (backslash), white-space characters in the submitted variable to the front. The following is an official description of PHP:

MAGIC_QUOTES_GPC Boolean

Sets the Magic_quotes state for GPC (Get/post/cookie) operations. When magic_quotes are in, all ' (Single-quote), "(double quote), (backslash) and Nul's are escaped with a backslash autom Atically

　

Home 1 2 3 4 last page