The space clearing method is insecure, in part because there are many spaces in the characters. For example, "addslashes is a problem where hackers can use 0xbf27 to replace single quotes, addslashes only changes 0xbf27 to 0xbf5c27 to a valid multi-byte character. The 0xbf5c is still regarded as a single quotation mark, so addslashes cannot be intercepted. "
It is best to check whether the parameter is int or not according to the specific parameter requirements, plus the parameter operation method of the database. in fact, this is the SQL problem of the database and should be solved from the source database itself, but some databases slide to provide the corresponding method.
SQL injection attacks are the most common means for hackers to attack websites. If your site does not use strict user input tests, it is often vulnerable to SQL injection attacks. SQL injection attacks are usually implemented by submitting bad data or query statements to the site database, which may expose, change, or delete records in the database.
To prevent SQL injection attacks, PHP comes with a function that can process input strings and perform initial security processing on the input at a lower level, that is, Magic Quotes. (Php. ini magic_quotes_gpc ). If the magic_quotes_gpc option is enabled, the single quotation marks, double quotation marks, and other characters in the input string will be automatically added with the backslash \.
However, Magic Quotes is not a common solution. It does not block all potentially dangerous characters and Magic Quotes is not enabled on many servers. Therefore, we also need to use other methods to prevent SQL injection.
Many databases provide such input data processing functions. For example, MySQL operation functions in PHP Include addslashes (), mysql_real_escape_string (), mysql_escape_string (), and other functions. special characters and characters that may cause database operation errors can be escaped. So what are the differences between the three function functions? The following is a detailed description.
Although many PHP programmers in China are still relying on addslashes to prevent SQL injection, we recommend that you enhance Chinese characters to prevent SQL Injection checks. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only changes 0xbf27 to 0xbf5c27 to a valid multi-byte character, where 0xbf5c is still considered as single quotes, therefore, addslashes cannot be intercepted.
Of course, addslashes is not useless either. It is used for processing single-byte strings and mysql_real_escape_string is used for multi-byte characters.
In addition, the example of get_magic_quotes_gpc in the php manual is as follows:
If (! Get_magic_quotes_gpc ()){
$ Lastname = addslashes ($ _ POST ['lastname']);
} Else {
$ Lastname = $ _ POST ['lastname'];
}
If magic_quotes_gpc is enabled, check $ _ POST ['lastname.
Let's talk about the differences between the two functions mysql_real_escape_string and mysql_escape_string:
Mysql_real_escape_string can be used only when (PHP 4> = 4.3.0, PHP 5. Otherwise, only mysql_escape_string can be used. The difference between mysql_real_escape_string and mysql_escape_string is not considered because of the current character set to be connected.
Summary:
* Addslashes () is forcibly added \;
* Mysql_real_escape_string () determines the character set, but it is required for the PHP version;
* Mysql_escape_string does not consider the connected current character set.
In dz, the function addslashes is used to prevent SQL injection, also in the dthmlspecialchars function, some Replace $ string = preg_replace ('/& (# (\ d {} | x [a-fA-F0-9] {4 }));) /',' & \ 1 '. This replacement solves the injection problem and Chinese garbled characters.