PHP methods for preventing SQL injection

Rookie today just learn PHP and SQL content, feel the pit is deep, do a simple record, welcome criticism exchange.

There are two main ideas one is filtering, one is the use of placeholders, it is said that the second can fundamentally solve SQL injection, I do not deep, still need to study.

Here are the sample code for filtering ideas, which should be noted in the following points:

1. Judge the data type with quotation marks to prevent it from being recognized as a number.

2. Use Stripslashes () Escape/etc

3. Use real_escape_string () filter ' etc (note setting character set before use)

4. Finally add the HTML-encoded function htmlentities () to prevent XSS.

Also pay attention to setting the table, the name of the column is not guessed, access control, prevent two injections, set the whitelist filter as the input of the option and so on.

There are a lot of other information on the Internet, here is simply a brief outline, welcome to add the outline points to note.

1 $conn=NewMysqli ($hn,$un,$PW,$db);2 3 //Set character sets4 if(!$conn->set_charset (' UTF8 ')) {5         printf("Error loading character Set UTF8:%s\n",$conn-error);6          die("GG");7}Else {8         printf("Current Character set:%s\n",$conn-character_set_name ());9     }Ten // One   functionGet_post ($conn,$var) A   { -       $string=$_post[$var]; -       if(GET_MAGIC_QUOTES_GPC())  the           $string=stripslashes($string); -       if(!Is_numeric($string)) -       { -           $string= "'".$conn->real_escape_string ($string) . "‘"; +       } -       return htmlentities($string); +      A}

PHP methods for preventing SQL injection