PHP prevent SQL injection method and instance code

Source: Internet
Author: User

Preventing SQL injection is an important part of writing secure PHP.

Besides writing code fluently, a good PHP programmer needs to be able to keep the program running in a secure environment. Today we discuss methods for preventing SQL injection in PHP. Any discussion of website security has to mention SQL injection; if you have used ASP you will know it well. PHP's security is relatively higher, for two reasons: MySQL versions below 4 do not support subqueries, and when magic_quotes_gpc is switched on in php.ini,

all single quotes ('), double quotes ("), backslashes (\) and NUL characters in submitted variables are automatically escaped with a backslash, which causes a lot of trouble for SQL injection. Note the word "trouble": this does not mean that SQL injection in PHP is prevented. There are documented techniques for modifying the injected code to get around the escaping, such as converting the SQL statement into ASCII codes (in a form like char(100,58,92,108,111,99,97,108,104,111,115,116...)), into hexadecimal, or into other encodings, so that the escaping filter is bypassed. So how do we prevent it?

A. Turn on magic_quotes_gpc, or use the addslashes() function in newer PHP versions. Even if magic_quotes_gpc is on and you then also call addslashes(), there is no conflict, but for better version compatibility it is recommended to check the magic_quotes_gpc state before using the escaping function, or simply turn it off. The code is as follows:

    // Remove the escape characters added by magic quotes, recursing into arrays
    function stripslashes_array($array) {
        if (is_array($array)) {
            foreach ($array as $k => $v) {
                $array[$k] = stripslashes_array($v);
            }
        } else if (is_string($array)) {
            $array = stripslashes($array);
        }
        return $array;
    }

    // set_magic_quotes_runtime() was removed in PHP 7.0 and get_magic_quotes_gpc()
    // in PHP 8.0, so this block is only meaningful on PHP 5.x/7.x (magic quotes
    // themselves were removed in PHP 5.4, after which get_magic_quotes_gpc()
    // always returns false). The @ suppresses the deprecation warning.
    @set_magic_quotes_runtime(0);
    // Check the magic_quotes_gpc state; superglobal names are case-sensitive
    if (@get_magic_quotes_gpc()) {
        $_GET    = stripslashes_array($_GET);
        $_POST   = stripslashes_array($_POST);
        $_COOKIE = stripslashes_array($_COOKIE);
    }

If magic_quotes_gpc is turned off, use the addslashes() function instead. The code is as follows:

    $keywords = addslashes($keywords);
    $keywords = str_replace("_", "\_", $keywords); // escape "_"
    $keywords = str_replace("%", "\%", $keywords); // escape "%"

The two str_replace() calls escape the underscore and percent sign (MySQL's LIKE wildcards, which addslashes() does not touch) so that an attacker cannot use these characters to change the meaning of the SQL.
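As an added example (not code from the original article), here is the addslashes() plus wildcard escaping from section A wrapped in a function and applied to a few constructed search keywords. It assumes magic quotes are off (they were removed in PHP 5.4), so each value is escaped exactly once; the function and sample inputs are this example's own.

```php
<?php
// Added example: escape a user-supplied keyword before it is embedded in a
// LIKE clause. Assumes magic quotes are off, so the raw request value is
// escaped exactly once here.

function escape_keyword(string $keyword): string
{
    // addslashes() backslash-escapes ' " \ and NUL, the same characters that
    // magic_quotes_gpc used to escape automatically.
    $keyword = addslashes($keyword);
    // addslashes() leaves the LIKE wildcards alone, so escape them as well;
    // otherwise a keyword of "%" matches every row.
    $keyword = str_replace('_', '\_', $keyword);
    $keyword = str_replace('%', '\%', $keyword);
    return $keyword;
}

function build_search_query(string $raw_keyword): string
{
    $keyword = escape_keyword($raw_keyword);
    // The variable is quoted, as section C recommends.
    return "SELECT * FROM article WHERE title LIKE '%{$keyword}%'";
}

// Constructed sample inputs.
$samples = [
    "php",          // ordinary keyword
    "%",            // bare wildcard: unescaped it would match every row
    "it's",         // apostrophe: unescaped it would end the string literal
    "' OR '1'='1",  // the classic quote-breaking input
];
foreach ($samples as $s) {
    echo build_search_query($s), "\n";
}
```

addslashes() knows nothing about the database connection's character set; with mysqli, the charset-aware mysqli_real_escape_string() does the same job, and prepared statements avoid string escaping altogether.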

B. Enforce the character format (type). In many cases we use URLs like xxx.php?id=xxx, where $id is normally an integer variable. To stop an attacker from tampering with $id to alter the statement, force the variable's type. The code is as follows:

    $id = intval($_GET['id']);

Of course there are other variable types; where necessary, try to enforce the format for those as well.

C. Quote the variables in SQL statements. This is simple, but you must get into the habit. First look at these two SQL statements:

    SELECT * FROM article WHERE articleid='$id'
    SELECT * FROM article WHERE articleid=$id

Both forms are common in all kinds of programs, but their security differs. In the first, the variable $id sits inside a pair of single quotes, so whatever we submit is turned into a string; even a correct SQL statement will not be executed. The second is different: because the variable is not in single quotes, whatever we submit is used as SQL, and as long as there is a space, everything after that space is executed as part of the SQL statement. So we must get into the habit of quoting variables in SQL statements.
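As an added example (not code from the original article), the two query shapes from section C side by side with the intval() cast from section B, so the effect of each on the same constructed inputs is visible. It goes one step beyond the article by adding a PDO prepared statement, run against an in-memory SQLite database so it works offline; the function names, the sample table and the inputs are this example's own, and it assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example: the unquoted, quoted, type-enforced and prepared-statement
// forms of the article lookup, compared on the same constructed inputs.

// Unquoted, uncast variable: everything after the first space in the input
// is parsed as SQL, which is the failure the article describes.
function unsafe_article_query(string $raw_id): string
{
    return "SELECT * FROM article WHERE articleid=$raw_id";
}

// Quoted variable: the submitted value is a string literal, so any SQL that
// follows a space stays inside the quotes. Quotes inside the value still
// have to be escaped, hence addslashes().
function quoted_article_query(string $raw_id): string
{
    $id = addslashes($raw_id);
    return "SELECT * FROM article WHERE articleid='$id'";
}

// Type enforced first, then quoted: intval() leaves only an integer, so the
// query text can contain nothing but digits (and a sign).
function hardened_article_query(string $raw_id): string
{
    $id = intval($raw_id);
    return "SELECT * FROM article WHERE articleid='$id'";
}

// Prepared statement (beyond the article): the id is bound as a parameter and
// never becomes part of the SQL text, so neither quoting nor escaping applies.
function fetch_article(PDO $db, string $raw_id): ?array
{
    $stmt = $db->prepare('SELECT articleid, title FROM article WHERE articleid = :id');
    $stmt->bindValue(':id', intval($raw_id), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample table (assumes pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (articleid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO article VALUES (1, 'first'), (2, 'second'), (3, 'third')");

// Constructed inputs: a normal id, an id with trailing SQL, and a non-number.
foreach (['2', '2 OR 1=1', 'abc'] as $raw) {
    echo "input: $raw\n";
    echo '  unquoted: ', unsafe_article_query($raw), "\n";
    echo '  quoted:   ', quoted_article_query($raw), "\n";
    echo '  intval:   ', hardened_article_query($raw), "\n";
    echo '  prepared: ', json_encode(fetch_article($db, $raw)), "\n";
}
```

For the second input, the unquoted form carries the trailing SQL into the statement, the quoted form keeps it inside the string literal, intval() reduces it to 2, and the prepared statement returns only the row with articleid 2; for "abc", intval() yields 0 and the prepared lookup returns null.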

D. URL pseudo-static. URL pseudo-static, also called URL rewriting, as used by Discuz!, rewrites all URLs into a format like xxx-xxx-x.html. This helps SEO and also provides a degree of security, so it is a good approach as well. But to use it for preventing SQL injection in PHP, you need some grounding in regular expressions.
