Preventing SQL injection is an essential part of PHP security. Beyond being able to write code fluently, a good PHP programmer needs to be able to keep the program running in a secure environment. This article goes through the PHP-side methods for preventing SQL injection.

Any discussion of website security has to mention SQL injection. If you have worked with ASP you already know it well. PHP has historically fared somewhat better, for two reasons: old MySQL (before 4.1) had no subqueries, and when magic_quotes_gpc is on in php.ini every ' (single quote), " (double quote), \ (backslash) and NUL character in a submitted variable is automatically escaped with a backslash, which makes injection a good deal harder. Read that carefully: "harder" is not "prevented". The bypasses are well documented: the injected fragment is rewritten so that it contains none of the escaped characters, for example as an ASCII char() list (of the form char(100,58,92,108,111,99,97,108,104,111,115,116...)), as hexadecimal, or in some other encoding, and the escape filter never fires. So how do we prevent it?

A. Turn on magic_quotes_gpc, or use addslashes() in newer PHP. The two do not conflict in the sense that nothing breaks when addslashes() runs with magic_quotes_gpc already on, but the value is then escaped twice and extra backslashes end up in the stored data. For compatibility across configurations, detect the magic_quotes_gpc state before escaping, or simply undo its effect and escape once yourself. Note that magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 7.0, and get_magic_quotes_gpc() itself was removed in PHP 8.0, so this detection only matters for legacy deployments. The code is as follows:
```php
// Remove escape characters, recursing into nested arrays
function stripslashes_array($array)
{
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } elseif (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}

// magic_quotes_runtime escaped data read from files and databases; turn it off.
// The function was removed in PHP 7.0, so guard the call.
if (function_exists('set_magic_quotes_runtime')) {
    @set_magic_quotes_runtime(0);
}

// Check the magic_quotes_gpc state: if it is on, undo its escaping so that every
// value is escaped exactly once, by our own code, before it reaches SQL.
// get_magic_quotes_gpc() was removed in PHP 8.0, so guard that call too.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = stripslashes_array($_GET);
    $_POST   = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}
```
With the effect of magic_quotes_gpc removed, escape the value yourself with addslashes(). The code is as follows:
```php
$keywords = addslashes($keywords);                   // escape ' " \ and NUL
$keywords = str_replace("_", "\_", $keywords);      // escape "_", the LIKE single-character wildcard
$keywords = str_replace("%", "\%", $keywords);      // escape "%", the LIKE multi-character wildcard
```
The two str_replace calls escape the LIKE wildcards _ (any single character) and % (any run of characters), which addslashes() leaves alone: without them a search keyword of % fed into a LIKE '%$keywords%' query matches every row. Apply this step only to values that go into a LIKE pattern. MySQL treats \% and \_ as escapes only in a pattern-matching context; in a plain string comparison they stay as the literal two characters \% and \_, and the comparison silently fails.

B. Force the variable's type. We often use URLs like xxx.php?id=xxx where $id is meant to be an integer. To stop an attacker from tampering with $id to smuggle in SQL, coerce the variable to the type you expect:

```php
$id = intval($_GET['id']);
```

There are other variable types as well; wherever it is possible, force the format.

C. Quote variables inside SQL statements. This is simple, but it has to become a habit. Look at these two SQL statements:
```sql
SELECT * FROM article WHERE articleid='$id'
SELECT * FROM article WHERE articleid=$id
```
Both forms are common in all kinds of programs, but their security differs. In the first, $id sits inside a pair of single quotes, so whatever we submit becomes a single string literal (provided the quotes in it have been escaped as in A); even if it contains a correct SQL fragment, that fragment is never executed. In the second the variable is unquoted, so anything we submit after the first space is executed as SQL: a value such as 1 OR 1=1 needs no quote at all, which means the escaping from A does nothing against it. So get into the habit of quoting every variable in a SQL statement, and of combining it with the type coercion from B. On PHP 7 and later, the way to get A and C right by construction is a prepared statement with bound parameters (PDO or mysqli), which sends the value to the server separately from the SQL text.

D. Pseudo-static URLs. A pseudo-static URL is URL rewriting, as in Discuz!: every URL is rewritten into a form like xxx-xxx-x.html. This is good for SEO and adds a certain amount of security, since a request only reaches the script if it matches the rewrite pattern, and it is a reasonable approach. But it takes a solid grounding in regular expressions to write a rewrite rule that actually restricts the input, and the rewritten parameters still arrive in $_GET, where B and C still apply.
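To make rules A, B and C concrete, here is an added example (my code, not from the original post or from any project it mentions) that runs them against a constructed in-memory SQLite table through PDO, with constructed attacker inputs. The table and column names follow the post's article/articleid; the function names esc(), escLike() and run() are mine. One substitution: SQLite does not recognise backslash escapes inside string literals, so esc() doubles the single quote (the SQL-standard form, and what PDO::quote() produces for this driver) where the post uses addslashes(); on MySQL addslashes() or mysqli_real_escape_string() fill that role. Everything else behaves the same on both engines except where a comment says otherwise.

```php
<?php
// Added example, not code from the original post. It exercises rules A, B and C
// against a constructed in-memory SQLite table through PDO, using constructed
// attacker inputs. SQLite has no backslash escapes inside string literals, so
// esc() doubles the single quote (what PDO::quote() emits for this driver);
// on MySQL addslashes() or mysqli_real_escape_string() fill the same role.
declare(strict_types=1);

// Quote escaping for a value that will be placed inside '...'.
function esc(string $s): string
{
    return str_replace("'", "''", $s);
}

// LIKE wildcards are untouched by quote escaping; escape them too (the post's
// str_replace step, plus the backslash itself) and name the escape character
// with an ESCAPE clause in the query.
function escLike(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], esc($s));
}

// Runs one statement; returns the matching articleids, or 'error: ...' if the
// engine rejected the statement.
function run(PDO $pdo, string $sql, array $params = [])
{
    try {
        $st = $pdo->prepare($sql);
        $st->execute($params);
        return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN, 0));
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (articleid INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO article (articleid, title) VALUES (1, 'intro'), (2, 'php_tips'), (3, 'secret')");

$id       = '1 OR 1=1';     // constructed ?id= value: contains no quote, so escaping never fires
$breakout = "1' OR '1'='1"; // constructed attempt to close the quote
$kw       = '%';            // constructed search keyword: a bare LIKE wildcard

$cases = [
    // C, unquoted: the OR is parsed as SQL and every row comes back.
    'C unquoted'   => ["SELECT articleid FROM article WHERE articleid=" . esc($id), []],
    // C, quoted: the whole value is one literal. SQLite matches nothing; MySQL
    // would coerce the leading "1" and return only article 1. The OR is inert.
    'C quoted'     => ["SELECT articleid FROM article WHERE articleid='" . esc($id) . "'", []],
    // Quote plus escape: the attacker's quote is data, not syntax.
    'C breakout'   => ["SELECT articleid FROM article WHERE articleid='" . esc($breakout) . "'", []],
    // B: intval('1 OR 1=1') === 1, so only the legitimate lookup remains.
    'B intval'     => ["SELECT articleid FROM article WHERE articleid=" . intval($id), []],
    // A without the wildcard step: '%' leaks the whole table.
    'A like raw'   => ["SELECT articleid FROM article WHERE title LIKE '%" . esc($kw) . "%'", []],
    // A with the wildcard step: the % is now a literal character. (MySQL reads
    // backslash escapes in literals itself, so there the SQL must read ESCAPE '\\'.)
    'A like esc'   => ["SELECT articleid FROM article WHERE title LIKE '%" . escLike($kw) . "%' ESCAPE '\\'", []],
    // Prepared statement: the value is bound as data and never reaches the SQL
    // parser, so A and C hold by construction; B is still needed for the type.
    'prepared'     => ['SELECT articleid FROM article WHERE articleid = ?', [$id]],
    'prepared int' => ['SELECT articleid FROM article WHERE articleid = ?', [intval($id)]],
];

foreach ($cases as $name => [$sql, $params]) {
    $result = run($pdo, $sql, $params);
    $shown  = is_array($result) ? '[' . implode(',', $result) . ']' : $result;
    printf("%-13s %s\n%-13s -> %s\n", $name, $sql, '', $shown);
}
```

Run it from the command line with php (pdo_sqlite is enabled in most PHP builds). The unquoted and raw-LIKE cases return [1,2,3], the quoted, breakout, escaped-LIKE and prepared cases return [], and the intval and prepared-int cases return [1]. On MySQL the 'C quoted' case returns article 1, because MySQL coerces '1 OR 1=1' to 1 with a warning, and PDO's MySQL driver emulates prepares in the client by default; set PDO::ATTR_EMULATE_PREPARES to false if you want the server to parse the query and bind the value itself.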