Anti-SQL injection is one of the steps we must take to develop our program, so let's introduce some of the ways to use mysql_real_escape_string anti-SQL injection in PHP and MySQL development.
The mysql_real_escape_string () function escapes special characters in strings used in SQL statements. The following characters are affected:
\x00 (NUL), \n, \r, \ (backslash), ' (single quote), " (double quote) and \x1a (Control-Z)
If successful, the function returns the escaped string. If it fails, it returns false. It needs an open MySQL connection (without one it emits a warning and returns false), and because the mysql extension was deprecated in PHP 5.5 and removed in PHP 7.0, newer code uses mysqli_real_escape_string() or $mysqli->real_escape_string() in exactly the same way.
With the following small function you can filter values effectively:
The code is as follows:
function Safe($s) { // security filter function
    if (get_magic_quotes_gpc()) {      // undo magic quotes so the value is not escaped twice
        $s = stripslashes($s);
    }
    $s = mysql_real_escape_string($s); // needs an open mysql connection
    return $s;
}
Or add it to the shared connection file (after the connection has been opened), so that you do not need to change the rest of the code:
The code is as follows:
if (get_magic_quotes_gpc()) {
    $_REQUEST = array_map('stripslashes', $_REQUEST);
}
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
Two caveats: this only rewrites $_REQUEST, not $_GET, $_POST or $_COOKIE, and array_map() hands array values (from inputs such as name[]) to mysql_real_escape_string(), which expects a string. The escaped values are also only safe inside quoted literals; an unquoted value such as WHERE id=$id is still injectable.
mysql_real_escape_string only prevents the most basic injections. If you need stronger protection against SQL injection, you can refer to the following methods.
The first is the security configuration of the server, mainly the PHP+MySQL settings and the Linux host settings. For PHP+MySQL injection prevention, the advice here is to set magic_quotes_gpc to On and display_errors to Off (so that SQL error messages are not shown to the attacker). Note that magic_quotes was deprecated in PHP 5.3 and removed in PHP 5.4, so code must not rely on it; the get_magic_quotes_gpc() check in Safe() above keeps the code correct either way. If a value is an ID, convert it to an integer with intval(), for example:
The code is as follows:
$id = intval($id);
mysql_query("SELECT * FROM article WHERE articleid='$id'");
// or write it this way:
mysql_query("SELECT * FROM article WHERE articleid=" . intval($id));
If it is a string, escape it with addslashes() and then, if it is going to be used in a LIKE pattern, also escape the wildcards "%" and "_":
The code is as follows:
$search = addslashes($search);
$search = str_replace("_", "\_", $search);
$search = str_replace("%", "\%", $search);
addslashes() knows nothing about the connection's character set, so mysql_real_escape_string() is the better choice for the first step. The wildcard escaping is needed because neither function touches "%" or "_", and an unescaped "%" in a search term matches every row.
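As an added example that is not from the original article, the following PHP puts the three rules above (Safe()-style escaping, intval() for IDs, and wildcard escaping for LIKE) together into small helpers. The escaper is passed in as a callable so the file runs without a database; in production you would pass [$mysqli, 'real_escape_string'], which respects the connection charset, while the offlineEscape() stand-in only backslash-escapes the characters listed at the top of the article. The function names and the hostile inputs are constructed for this example.

```php
<?php
// Added example, not code from the original article: the article's three rules
// (intval() for integers, escape-and-quote for strings, extra escaping of
// % and _ for LIKE) combined into small helpers. The escaper is injected as a
// callable so this file runs without a database; in production pass
// [$mysqli, 'real_escape_string'], which is charset-aware.
// Function names and the hostile inputs below are constructed for this example.

// Integers: intval() reduces "1 OR 1=1" to 1 and "abc" to 0, so the result can
// be placed in the query without quotes.
function quoteInt($value): string
{
    return (string) intval($value);
}

// Strings: escaping is only meaningful INSIDE a quoted literal. A bare
// "WHERE name = " . $escaped is still injectable, so quote here, not at the
// call site.
function quoteString(callable $escape, string $value): string
{
    return "'" . $escape($value) . "'";
}

// LIKE patterns: % and _ are wildcards and are not touched by
// mysql_real_escape_string(). Escape backslash, % and _ for LIKE first, then
// escape for the string literal, so the two layers do not interfere.
function quoteLike(callable $escape, string $term): string
{
    $pattern = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    return "'%" . $escape($pattern) . "%'";
}

// Offline stand-in for mysql_real_escape_string(): backslash-escapes exactly
// the characters the article lists. It is NOT charset-aware; tests only.
function offlineEscape(string $s): string
{
    return addcslashes($s, "\x00\n\r\\'\"\x1a");
}

$escape = 'offlineEscape';

// Constructed hostile and awkward inputs
$id   = "1 OR 1=1";
$name = "O'Reilly";
$term = "50%_off";

$queries = [
    "SELECT * FROM article WHERE articleid = " . quoteInt($id),
    "SELECT * FROM admin WHERE name = " . quoteString($escape, $name),
    "SELECT * FROM article WHERE title LIKE " . quoteLike($escape, $term),
];
foreach ($queries as $sql) {
    echo $sql, "\n";
}
```

Run it with php on the command line: the first query keeps only the integer 1, the second carries the quote inside a quoted literal, and the third keeps "50%_off" as a literal search term rather than a wildcard pattern. The design point is that quoting lives inside the helpers, so a caller cannot forget it.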
Of course, you can also add the following "PHP universal anti-injection" code:
/*************************
PHP universal anti-injection security code
Description:
  Checks whether the variables passed in (such as $_POST and $_GET) contain illegal characters
Function:
  Anti-injection
**************************/
The code is as follows:
<?php
// Illegal strings to filter on
$ArrFiltrate = array("'", ";", "union");
// URL to jump to after an error; leave empty to return to the previous page
$StrGoUrl = "";

// Does any entry of $ArrFiltrate occur in $StrFiltrate? Case-insensitive, like
// the original eregi() call (eregi() was removed in PHP 7, so stripos() is used).
// Array values (from inputs such as name[]) are checked element by element.
function FunStringExist($StrFiltrate, $ArrFiltrate) {
    if (is_array($StrFiltrate)) {
        foreach ($StrFiltrate as $item) {
            if (FunStringExist($item, $ArrFiltrate)) {
                return true;
            }
        }
        return false;
    }
    foreach ($ArrFiltrate as $value) {
        if (stripos((string) $StrFiltrate, $value) !== false) {
            return true;
        }
    }
    return false;
}

// Merge $_POST and $_GET
$ArrPostAndGet = array_merge($_POST, $_GET);

// Start validation
foreach ($ArrPostAndGet as $key => $value) {
    if (FunStringExist($value, $ArrFiltrate)) {
        echo "<script>alert(\"NEEAO hint: illegal character\");";
        if (empty($StrGoUrl)) {
            echo "history.go(-1);";
        } else {
            echo "window.location=\"" . $StrGoUrl . "\";";
        }
        echo "</script>";
        exit;
    }
}
?>
/*************************
Save as checkpostandget.php,
then add include("checkpostandget.php"); to each PHP file.
**************************/
Keep in mind that this is a blacklist: it rejects three strings and lets everything else through, so it supplements the escaping and intval() above rather than replacing them.
In addition, run the administrator user name and password through md5() before they are used in the login query. The query then only ever sees 32 hexadecimal characters, so no quote, comment or keyword from the input can reach the SQL. This is only an injection barrier: an unsalted MD5 is not a safe way to store passwords, and the escaping above still applies to every other field.
There are also some security precautions to strengthen on the server and in MySQL.
Security settings for a Linux server:
Shadow the passwords: use the /usr/sbin/authconfig tool to turn on shadow passwords, so the password hashes are moved out of the world-readable /etc/passwd into /etc/shadow, which only root can read.
Restrict access to important files. At the Linux command prompt, enter:
#chmod 600 /etc/inetd.conf   // only the owner (root) can read or write the file
#chattr +i /etc/inetd.conf   // set the immutable flag: the file cannot be modified, deleted or renamed, even by root, until the flag is cleared
#chattr -i /etc/inetd.conf   // clear the immutable flag when you do need to change the file
Prevent ordinary users from switching to root with the su command
Add the following two lines at the beginning of the su configuration file, /etc/pam.d/su:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
With these lines root may su without a password, and only members of group wheel may su at all.
Delete the special accounts you do not use
#userdel lp    // and so on for every unused account
#groupdel lp   // and so on for every unused group
Disable SUID/SGID programs that are not needed. First find them:
#find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
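The hardening steps above are one-off commands, so as an added example (not part of the original article) here is a read-only audit script that verifies them afterwards. It assumes a Linux host with GNU or BusyBox stat -c, lsattr from e2fsprogs for the immutable flag, and the su PAM stack in /etc/pam.d/su; the function names and the list of "special" accounts are my own choices.

```sh
#!/bin/sh
# Added example, not from the original article: read-only checks for the
# hardening steps listed above. Nothing here changes the system.
# Assumes stat -c (GNU/BusyBox), lsattr (e2fsprogs) and PAM in /etc/pam.d/su.

# check_mode FILE MODE: succeeds when FILE's permission bits equal MODE (e.g. 600)
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# is_immutable FILE: succeeds when the chattr +i flag is set on FILE
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    case "$flags" in *i*) return 0 ;; esac
    return 1
}

# wheel_enforced [PAMFILE]: succeeds when su requires pam_wheel.so
# (the "auth required ... pam_wheel.so" line from the article)
wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+(/lib/security/)?pam_wheel\.so' \
        "${1:-/etc/pam.d/su}"
}

# list_setuid DIR: prints SUID/SGID regular files below DIR, one per line
# (same test as the article's find command, without crossing filesystems)
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# account_exists NAME [PASSWDFILE]: succeeds when NAME still has an account
account_exists() {
    grep -q "^$1:" "${2:-/etc/passwd}" 2>/dev/null
}

# Run "sh audit.sh audit" to report on the live system.
case "${1:-}" in
    audit)
        check_mode /etc/inetd.conf 600 && echo "ok   /etc/inetd.conf is mode 600" \
            || echo "FAIL /etc/inetd.conf is not mode 600 (or missing)"
        is_immutable /etc/inetd.conf && echo "ok   /etc/inetd.conf is immutable" \
            || echo "FAIL /etc/inetd.conf is not immutable"
        wheel_enforced && echo "ok   su restricted to group wheel" \
            || echo "FAIL /etc/pam.d/su does not require pam_wheel.so"
        # constructed list of accounts the article suggests removing
        for u in lp games news uucp; do
            account_exists "$u" && echo "WARN special account $u still exists" || true
        done
        echo "SUID/SGID files under /:"
        list_setuid /
        ;;
esac
```

Each check is a function that returns an exit status, so the same file can be sourced from a larger compliance script; the audit mode only prints, and the SUID list is meant to be reviewed by hand before anything is chmod'ed.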