This article analyzes in detail how addslashes() and the magic_quotes_gpc directive are used to prevent SQL injection in PHP. It is shared here for reference; the specifics are as follows:
PHP addslashes() function: escape single quotes with a backslash
PHP String function
Definitions and usage
The addslashes() function adds a backslash before each of a set of predefined characters.
The predefined characters are:
Single quote (')
Double quote (")
Backslash (\)
NUL (the null byte)
Syntax:
addslashes(string)
Parameter | Description
string    | Required. The string to escape.
Tips and comments
Tip: This function can be used to prepare strings for storage in a database and for use in database query statements.
Note: By default, the PHP directive magic_quotes_gpc is on, and it automatically runs addslashes() on all GET, POST and COOKIE data. Do not call addslashes() on strings that magic_quotes_gpc has already escaped, because that produces a double escape. Use get_magic_quotes_gpc() to detect whether this is the case.
Example
In this example we add a backslash before the predefined characters in the string:

<?php
$str = "Who's John Adams?";
echo $str . " This isn't safe in a database query.<br />";
echo addslashes($str) . " This is safe in a database query.";
?>

Output:

Who's John Adams? This isn't safe in a database query.
Who\'s John Adams? This is safe in a database query.
Wrapper using get_magic_quotes_gpc():

function html($str)
{
    // Escape only when magic_quotes_gpc has not already done so
    $str = get_magic_quotes_gpc() ? $str : addslashes($str);
    return $str;
}
get_magic_quotes_gpc():
Gets the value of the PHP configuration directive magic_quotes_gpc.
Syntax: long get_magic_quotes_gpc(void);
Return value: long integer
Function type: PHP system functions
Description:
This function returns the value of the PHP configuration directive magic_quotes_gpc (GPC stands for GET/POST/COOKIE). A return value of 0 means the feature is off; 1 means it is on. When magic_quotes_gpc is on, every ' (single quote), " (double quote), \ (backslash) and NUL character in incoming data is automatically escaped with a backslash.
addslashes: quote a string with backslashes
Description:
string addslashes(string str)
Returns a string with a backslash added before the characters that need escaping, for instance in database query statements. These characters are the single quote ('), double quote ("), backslash (\) and NUL (the null byte).
One use of addslashes() is when entering data into a database. For example, to insert the name O'Reilly into a database you need to escape the quote. Most databases use \ as the escape character: O\'Reilly. This lets the data be stored without an extra \ ending up in the database. When the PHP directive magic_quotes_sybase is set to on, the ' is escaped with a second ' instead of with a backslash.
By default, the PHP directive magic_quotes_gpc is on, and it automatically runs addslashes() on all GET, POST and COOKIE data. Do not call addslashes() on strings that magic_quotes_gpc has already escaped, because that produces a double escape. Use get_magic_quotes_gpc() to detect whether this is the case.
Example 1. addslashes() example

<?php
$str = "Is your name O'Reilly?";
// Output: Is your name O\'Reilly?
echo addslashes($str);
?>
get_magic_quotes_gpc()
This function returns the value of the PHP configuration directive magic_quotes_gpc (GPC stands for GET/POST/COOKIE). A return value of 0 means the feature is off; 1 means it is on. When magic_quotes_gpc is on, every ' (single quote), " (double quote), \ (backslash) and NUL character in incoming data is automatically escaped with a backslash.
magic_quotes_gpc
Should magic_quotes_gpc in php.ini be set to off or on?
My personal opinion is that it should be set to on.
Summarized as follows:
1. When magic_quotes_gpc=on, we do not need to call addslashes() on string data going into the database or stripslashes() on data coming out of it; the data is still displayed correctly. If you do call addslashes() on the input in this situation, then you must call stripslashes() on the output to remove the extra backslashes.
2. When magic_quotes_gpc=off, you must call addslashes() on the input data, but you do not need stripslashes() to format the output, because addslashes() did not write the backslash into the database; it only helped MySQL parse and execute the SQL statement.
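The round trip described in case 2 above, as an added example that is not part of the original article. It uses PDO with an in-memory SQLite database (the pdo_sqlite extension is assumed to be present) so it runs offline, and the input value "O'Reilly" is constructed. It shows three things: raw concatenation breaks on the apostrophe; the backslash escaping produced by addslashes() matches MySQL's string-literal rules but not SQLite's, so escaping is driver-specific; and a prepared statement stores the value with no backslash, which is why no stripslashes() is needed on output. Prepared statements are the mitigation to reach for regardless of magic_quotes_gpc, which was deprecated in PHP 5.3 and removed in 5.4 (get_magic_quotes_gpc() itself was removed in PHP 8.0); where escaping is unavoidable, mysqli_real_escape_string() is aware of the connection charset, which addslashes() is not.

```php
<?php
// Added example; not code from the original article.
// Assumes the pdo_sqlite extension is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

$name = "O'Reilly"; // constructed input; the apostrophe is the interesting part

// 1. Raw concatenation: the apostrophe terminates the SQL literal early,
//    so the statement is malformed and is rejected.
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('" . $name . "')");
} catch (PDOException $e) {
    echo "raw concatenation failed: ", $e->getMessage(), "\n";
}

// 2. addslashes() yields O\'Reilly. MySQL reads \' as an escaped quote, but
//    SQLite does not treat backslash as an escape character, so the same
//    string fails here: escaping rules belong to the database driver.
echo "addslashes() output: ", addslashes($name), "\n";
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('" . addslashes($name) . "')");
} catch (PDOException $e) {
    echo "backslash escaping rejected by SQLite: ", $e->getMessage(), "\n";
}

// 3. Prepared statement: the value is bound as a parameter and never becomes
//    part of the SQL text, so no quoting rules apply to it at all.
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// Reading the row back shows the stored value carries no backslash,
// so nothing has to be stripped on the way out.
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === $name); // bool(true)
```

Run it with the PHP CLI (php example.php); the two caught exceptions print their driver messages and the final var_dump prints bool(true).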
Additional notes:
magic_quotes_gpc scope: client data received by the server (GET/POST/COOKIE); takes effect when a request starts, that is, when the script begins running.
magic_quotes_runtime scope: data read from a file, returned by exec(), or produced by an SQL query; takes effect every time the script reads such data at run time.
Code:

<?php
/*
 Sometimes a form submits many variables, perhaps ten or dozens. Copying and
 pasting addslashes() for each one is tedious. Because the data from a form or
 URL arrives as an array, such as $_POST or $_GET, we define a function that
 escapes all of them at once.
*/
function quotes($content)
{
    // If magic_quotes_gpc is off, do the escaping ourselves
    if (!get_magic_quotes_gpc()) {
        // Check whether $content is an array
        if (is_array($content)) {
            // If so, escape each element individually
            foreach ($content as $key => $value) {
                $content[$key] = addslashes($value);
            }
        } else {
            // Otherwise escape the single value (the result must be assigned back)
            $content = addslashes($content);
        }
    } else {
        // If magic_quotes_gpc is on, the data is already escaped; do nothing
    }
    // Return $content
    return $content;
}
?>
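A version of the same idea, added here as an example and not taken from the original article, that goes beyond the quotes() function above in two ways: it recurses into nested arrays (form fields such as tags[] produce them), and it guards the get_magic_quotes_gpc() call with function_exists() so it runs on PHP 8, where that function no longer exists. The $post array is a constructed stand-in for $_POST, and strip_deep() is a helper introduced only to show that one stripslashes() per addslashes() restores the original, which is the double-escape rule the article states.

```php
<?php
// Added example; not code from the original article.

// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in 8.0,
// so treat "function missing" as "magic quotes off".
function magic_quotes_enabled(): bool
{
    return function_exists('get_magic_quotes_gpc') && (bool) get_magic_quotes_gpc();
}

// Recursively addslashes() every string in $data. When magic_quotes_gpc is on,
// the request data was already escaped, so return it untouched (no double escape).
function quotes_deep($data)
{
    if (magic_quotes_enabled()) {
        return $data;
    }
    if (is_array($data)) {
        // array_map() on a single array keeps string keys, so the shape is preserved
        return array_map('quotes_deep', $data);
    }
    // Non-string scalars (int, float, bool, null) need no escaping
    return is_string($data) ? addslashes($data) : $data;
}

// Inverse of quotes_deep(), used here only to demonstrate the round trip
function strip_deep($data)
{
    if (is_array($data)) {
        return array_map('strip_deep', $data);
    }
    return is_string($data) ? stripslashes($data) : $data;
}

// Constructed sample resembling a submitted form ($_POST); not real request data
$post = [
    'name'  => "O'Reilly",
    'quote' => 'He said "hi" \\ bye',
    'tags'  => ["it's", ['nested' => "don't"]],
    'count' => 3,
];

$escaped = quotes_deep($post);
var_export($escaped);
echo "\n";

// Exactly one stripslashes() per addslashes() gets the original back
var_dump(strip_deep($escaped) === $post); // bool(true)
```

The escaped output shows O\'Reilly, He said \"hi\" \\ bye, it\'s and don\'t, with the integer 3 untouched; applying quotes_deep() a second time would add a second layer of backslashes, which is exactly the double escape the magic_quotes_gpc check is there to avoid.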
I hope this article helps you with your PHP program design.