PHP Prevent SQL Injection principle Introduction _php Tutorial

Although many PHP programmers in the country still rely on addslashes to prevent SQL injection, it is recommended to strengthen Chinese to prevent SQL injection check. The problem with addslashes is that hackers can use 0xbf27 instead of single quotes, and addslashes just modifies 0xbf27 to 0xbf5c27 as a valid multibyte character, where 0xbf5c is still considered a single quote, So addslashes can't intercept successfully.

Of course addslashes is not useless, it is used for single-byte string processing, multibyte characters or mysql_real_escape_string bar.

Open MAGIC_QUOTES_GPC to prevent SQL injection

There is a setting in php.ini: MAGIC_QUOTES_GPC = Off
This is off by default, and if it is turned on, it will automatically convert the query that the user commits to SQL.
For example, "turn to" and so on, to prevent SQL injection has a major role.

If Magic_quotes_gpc=off, use the addslashes () function

Another example of GET_MAGIC_QUOTES_GPC in the PHP manual:

The code is as follows	Copy Code
if (!GET_MAGIC_QUOTES_GPC ()) { $lastname = addslashes ($_post[' LastName '); } else { $lastname = $_post[' LastName '); }

It is best to check the $_post[' LastName ' If the MAGIC_QUOTES_GPC is already open.

Again, the difference between the 2 functions of mysql_real_escape_string and mysql_escape_string:

Mysql_real_escape_string must be used in cases (PHP 4 >= 4.3.0, PHP 5). Otherwise you can only use mysql_escape_string, the difference between the two is: Mysql_real_escape_string consider the current character set of the connection, and mysql_escape_string not consider.

(1) mysql_real_escape_string--escapes special characters in strings used in SQL statements and takes into account the current character set of the connection

Here's how to use it:

The code is as follows	Copy Code
$sql = "SELECT count (*) as Ctr from users where username02.= '". Mysql_real_escape_string ($username). "' and 03.password= '". Mysql_real_escape_string ($PW). "' Limit 1";

Self-defined functions

The code is as follows

Copy Code

function Inject_check ($sql _str) { Return eregi (' select|insert|and|or|update|delete| ' | /*|*|.. /|. /|union|into|load_file|outfile ', $sql _str); } function verify_id ($id =null) { if (! $id) { Exit (' no submit parameter! '); } elseif (Inject_check ($id)) { Exit (' argument submitted is illegal! '); } elseif (!is_numeric ($id)) { Exit (' argument submitted is illegal! '); } $id = Intval ($id); return $id; } function Str_check ($STR) { if (!GET_MAGIC_QUOTES_GPC ()) { $str = Addslashes ($STR); To filter } $str = Str_replace ("_", "_", $str); $str = str_replace ("%", "%", $str); return $str; } function Post_check ($post) { if (!GET_MAGIC_QUOTES_GPC ()) { $post = Addslashes ($post); } $post = Str_replace ("_", "_", $post); $post = str_replace ("%", "%", $post); $post = NL2BR ($post); $post = Htmlspecialchars ($post); return $post; }

To summarize:

* Addslashes () is forcibly added;

* Mysql_real_escape_string () will determine the character set, but the PHP version is required;
* Mysql_escape_string does not consider the current character set of the connection.
The prevention of SQL injection in DZ is to use the Addslashes function, while there are some substitutions in dthmlspecialchars this function $string = Preg_replace (/& ]{4}));)/, &1, this substitution solves the problem of injection, but also solves some problems of Chinese garbled.

http://www.bkjia.com/PHPjc/629626.html www.bkjia.com true http://www.bkjia.com/PHPjc/629626.html techarticle Although many PHP programmers in the country still rely on addslashes to prevent SQL injection, it is recommended to strengthen Chinese to prevent SQL injection check. The problem with addslashes is that hackers can use 0xbf27 instead ...

