PHP injection protection experience. PHP anti-injection attacks: This topic is too common. In php.ini, magic_quotes_gpc = On can defend against some injection attacks, but is it omnipotent? We are now using PHP to defend against injection attacks.
I:
This topic is too common.
Set magic_quotes_gpc = On in php.ini.
It does defend against injection attacks, but is it omnipotent?
We now convert all the variables received by POST or GET to HTML encoding, including spaces, punctuation marks, and special characters.
Restore the demo. How did you do it? Let's exchange code.
But it is useless: it cannot prevent union statements when your SQL statements are not standardized.
For example, in select * from news where id = $id, the variable $id is not enclosed in single quotes and it is not checked whether $id is a numeric string, so it will be injected even with magic_quotes_gpc = On.
The thorough anti-injection method is only to enclose variables in single quotes in SQL statements, and then,
with magic_quotes_gpc = On, convert spaces, punctuation marks, and all special characters to HTML encoding.
In this way, I think it will be done once and for all. I don't know if there are any fish that may slip through the net; please kindly advise. If the system we are developing can no longer be injected, I can get a good night's sleep. Haha.
Generally, I use a function on each page to preliminarily filter data such as $_GET, $_POST, and $_SESSION.
Forcibly check the data type when writing data to the database.
Basically, the effect against general injection is good.
1. SQL statements should be formatted using sprintf and then queried.
2. When checking a login, it is best to retrieve another value from one value and then compare them.
Example:
Haha, that is an example. I have summarized it carefully, and it is easy not to be injected.
Summary:
With magic_quotes_gpc = On enabled and the variable enclosed in single quotes, if someone else wants to inject into the variable, they must break out of the single quotes; if they add a single quote, it will be escaped by magic_quotes_gpc = On. Breaking the single quote causes an error, so it cannot do bad things.
Another point is that there are two comment marks in MySQL: # and /*. Through these you can comment out the rest of the SQL statement, so convert these two characters to ASCII or HTML codes.
Then there is the space for injection attacks.
For example, select * from news where id = 1 union select * from admin. If I delete or convert the space:
select * from news where id = 1unionselect * fromadmin. This is the end of data theft.
select * from news where id = 1; drop table news, here with the spaces removed:
select * from news where id = 1;droptablenews cannot be executed.
Therefore, the parent of injection attacks is the space. After the space is replaced, it's really safe to go to bed.
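As an added example (not code from any poster in this thread), here is the pattern the replies point at instead of filtering characters: check the type of the news id, bind it as a parameter, and on login fetch the stored hash for the username and compare it in PHP. The table and column names (news with id/title/body, admin with username/password_hash) and the connection details are assumed placeholders.

```php
<?php
// Added example, not from the thread. Instead of relying on magic_quotes_gpc
// (removed in PHP 5.4), validate each input's type and pass values to MySQL as
// bound parameters, so quotes, spaces, '#' and '/*' are never parsed as SQL.
declare(strict_types=1);

// Case from the thread: "select * from news where id = $id" with an unquoted $id.
// Reject anything that is not a plain positive integer, then bind it as an int.
function fetchNewsById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // "1 union select ..." or "1; drop table news" is rejected here
    }
    $stmt = $pdo->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Reply 2's advice: look up the stored value for the username and compare it in
// PHP, rather than putting both username and password into the WHERE clause.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM admin WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $hash = $stmt->fetchColumn(); // false when no such user
    // password_verify() expects a hash made with password_hash() and compares in constant time.
    return is_string($hash) && password_verify($password, $hash);
}

// Assumed connection details (placeholders). Emulated prepares are turned off so
// the MySQL server itself binds the parameters instead of PDO splicing strings.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

$news = fetchNewsById($pdo, $_GET['id'] ?? '');
echo $news === null ? "no article\n" : $news['title'] . "\n";
```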