First, how SQL injection works: the back end accepts parameters from the front end, and the attacker places SQL code or script code inside the submitted data. If the code that accepts the submitted parameters does not validate the data rigorously, it is very likely that someone will exploit the gap; in the mild case the database contents are exposed, in the severe case the database data is deleted;
So to prevent SQL injection, the key is that programmers must write code rigorously: strict data validation of type, length, format (regular expressions) and so on;
The validation rules at http://hudeyong926.iteye.com/blog/703074 can be consulted;
To prevent SQL injection you need to filter according to the type of each parameter you pass in; in principle, any data that does not conform to the parameter's expected type should be filtered out. You can write several encapsulated functions and call the matching one wherever you need to filter;
1. Regular-expression filtering of SQL keywords. Generally these are values that a parameter is simply not allowed to contain:
function inject_check($str1) {
    // Check whether the passed-in parameter contains characters or keywords used in injection.
    // Note: the pattern matches anywhere in the string and is case-insensitive, so ordinary
    // words containing "and", "or" or "from" (for example "android", "format") are also flagged.
    return preg_match('/select|insert|and|or|update|delete|union|into|load_file|outfile|from|count\(|drop table|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec|master|\/\*|\*|\.\.\/|\.\//i', $str1);
}
2. Data type verification
Data type is fairly easy to check: is_string() tests whether a value is a string and is_numeric() whether it is a number. Note, however, that PHP is a weakly typed language, so when distinguishing numbers from strings, '1' and 1 compare as equal because PHP automatically converts numeric strings to numbers; a value written in quotes such as '1' is nevertheless still a string. Keep this in mind when filtering, or it is easy to make mistakes;
3. Data length verification
If you know the length of the incoming data, a simple length check can of course be made, but usually a regular expression is used directly: it can match not only the data length but also the data type and the parameter format exactly, so regular expressions are very convenient and efficient;
4. Special character substitution
This problem arises when user input contains ', ", %, and so on, which SQL treats as special characters: the statement either errors out when executed or returns incorrect query results. This requires str_replace() to substitute the specific characters in the string,
for example str_replace("'", "\\'", $str), which turns each ' in $str into \' so that SQL treats it as a literal ' when executing; otherwise it would be read as a string delimiter and cause an error. % is the same: in SQL, % is a fuzzy-query wildcard, and if it is escaped SQL treats it as the literal character % and does not perform fuzzy matching. PHP of course also has a function for this, addslashes(). In addition, the PHP configuration file has the magic_quotes_gpc directive: when set to On, PHP automatically escapes ', ", \ and NUL with \ when accepting parameters. I won't go into detailed usage here; the link above covers some of it, and it is easy to find on Baidu;
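A per-parameter validation layer in the style the post recommends (one encapsulated function per parameter type, covering points 1 to 4), as an added example that is not the post's own code; the function names, the field list and the sample input are my own assumptions:

```php
<?php
// Added example, not code from the original post. Each submitted parameter
// goes through one small function for its type before it can reach SQL.

// Point 2: an id parameter must be a plain integer. ctype_digit() is stricter
// than is_numeric(), which also accepts "1e3" and " 42" because of PHP's
// loose number/string juggling.
function check_id(string $raw): ?int {
    if ($raw === '' || !ctype_digit($raw)) {
        return null;                      // "42 OR 1=1", "4.2", "" are rejected
    }
    return (int) $raw;
}

// Points 2 and 3 together: one anchored regex fixes type, character set and length.
function check_username(string $raw): ?string {
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

// Point 4: free text that must reach SQL as data. Length is bounded first,
// then ' " \ and NUL are escaped the way addslashes() does. With a live
// mysqli connection, mysqli_real_escape_string() is the charset-aware form.
function check_note(string $raw, int $maxLen = 200): ?string {
    if (strlen($raw) > $maxLen) {
        return null;
    }
    return addslashes($raw);
}

// Dispatch: every expected field is mapped to its check. Returns the names of
// the fields that failed, so the caller can refuse the whole request.
function validate_request(array $params): array {
    $checks = ['id' => 'check_id', 'user' => 'check_username', 'note' => 'check_note'];
    $rejected = [];
    foreach ($checks as $field => $fn) {
        if (!isset($params[$field]) || $fn((string) $params[$field]) === null) {
            $rejected[] = $field;
        }
    }
    return $rejected;
}

// Constructed sample input standing in for $_POST.
$good = ['id' => '42', 'user' => 'alice_01', 'note' => "O'Reilly"];
$bad  = ['id' => '42 OR 1=1', 'user' => "admin'--", 'note' => str_repeat('a', 300)];
var_dump(validate_request($good));   // accepted: empty array
var_dump(validate_request($bad));    // rejected: id, user, note
```

A request with any rejected field should be refused outright rather than passed on with the offending value stripped, since a stripped value still changes the meaning of the query.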
That is a first summary of these points; others will be added later;
PHP MySQL injection attack solution