PHP anti-SQL injection don't use addslashes and mysql_real_escape_string anymore.

bloggers are passionate about all kinds of internet technology, often wordy, often accompanied by obsessive-compulsive disorder, often updated, I think the article is helpful to you can pay attention to me. Reprint please indicate "The sickle of Deep Blue"

read a lot of PHP website in anti-SQL injection is still using addslashes and Str_replace, Baidu "PHP anti-injection" is also used in their , practice found that even mysql_real_escape_string also have a way for hackers to bypass, if your system is still using the above three methods, then my blog post has a meaning to remind All the later people bypassed the pit.

For the sake of posterity trees instead of digging pits, give PHP and MySQL version information, so that the future "problem" is no longer "problem".

anti-injection with STR _replace and a variety of PHP character substitution functions I don't have to say, this "blacklist" defense has been proven to withstand the test of time.

here's how to bypass Addslasher and mysql_real_escape_string (Tri ck ).

Note: Although the trick has been fixed under Mysql5.5.37-log, but still does not solve the injection problem exactly, the system in many companies is still using Mysql5.0, I suggest to make an improvement immediately, this is also I say a few ways to let the programmer quickly improve the ability of A very important point mentioned in the

Note: If you are not sure if your system is at risk of SQL injection , please deploy the following demo to your server, if the results are the same, please refer to the last the perfect solution.

Mysql:

Mysql> select version (); +---------------------+| Version ()           |+---------------------+| 5.0.45-community-ny |+---------------------+1 row in Set (0.00 sec) mysql> Create DATABASE test default CharSet GBK; Query OK, 1 row Affected (0.00 sec) mysql> use test;database changedmysql> CREATE TABLE users (    username VARCHAR ( CHARACTER set GBK,    password VARCHAR (+) CHARACTER set GBK,    PRIMARY KEY (username)); Query OK, 0 rows affected (0.02 sec) mysql> insert into users SET username= ' EWRFG ', password= ' wer44 '; Query OK, 1 row affected (0.01 sec) mysql> insert into users SET username= ' ewrfg2 ', password= ' wer443 '; Query OK, 1 row affected (0.01 sec) mysql> insert into users SET username= ' ewrfg4 ', password= ' wer4434 '; Query OK, 1 row affected (0.01 sec) =

Php:

  

  
   Results:
   

   
    It can be seen whether using addslashes or mysql_real_escape_string, I can use a coded vulnerability to enter any password can be entered into the server injection attack!!!! (The principle of attack I will not say, interested students can study the character encoding in the single-byte and multi-byte problem)  
    
Note: The third mysql_real_escape_string is able to prevent injection because the mysql_escape_string itself does not have the ability to determine the current encoding, you must specify both the server-side encoding and the client's code, plus the ability to prevent coding problems injected. While it is possible to prevent SQL injection to some extent, it is recommended that the following are the perfect solutions.

    

 
      
  
       The perfect solution is to use PDO and mysqli with the prepared statement mechanism instead of mysql_query (note: mysql_query since PHP 5.5.0 has been discarded and will be removed in the future):
 
      

    

 
      
  
       Pdo:
 
      

    

    
$pdo = new PDO (' Mysql:dbname=dbtest;host=127.0.0.1;charset=utf8 ', ' user ', ' Pass '); $pdo->setattribute (pdo::attr_ Emulate_prepares, false); $pdo->setattribute (Pdo::attr_errmode, pdo::errmode_exception); $stmt = $pdo->prepare (' SELECT * FROM employees WHERE name =: Name '); $stmt->execute (Array (' name ' = $name)); foreach ($stmt as $row) {    Do something with $row}
    

    
Mysqli:

    
$stmt = $dbConnection->prepare (' SELECT * FROM employees WHERE name =? '); $stmt->bind_param (' s ', $name); $stmt->execute (); $result = $stmt->get_result (); while ($row = $result FETCH_ASSOC ()) {    //do something with $row}
    
                                                
    
The above introduces the PHP anti-SQL injection do not use addslashes and mysql_real_escape_string, including the aspects of the content, I hope that the PHP tutorial interested in a friend helpful.

    
