PHP Prevent SQL Injection principle Introduction _php Tutorial

Source: Internet
Author: User
Although many PHP programmers in the country still rely on addslashes to prevent SQL injection, it is recommended to strengthen Chinese to prevent SQL injection check. The problem with addslashes is that hackers can use 0xbf27 instead of single quotes, and addslashes just modifies 0xbf27 to 0xbf5c27 as a valid multibyte character, where 0xbf5c is still considered a single quote, So addslashes can't intercept successfully.

Of course addslashes is not useless, it is used for single-byte string processing, multibyte characters or mysql_real_escape_string bar.

Open MAGIC_QUOTES_GPC to prevent SQL injection

There is a setting in php.ini: MAGIC_QUOTES_GPC = Off
This is off by default, and if it is turned on, it will automatically convert the query that the user commits to SQL.
For example, "turn to" and so on, to prevent SQL injection has a major role.

If Magic_quotes_gpc=off, use the addslashes () function

Another example of GET_MAGIC_QUOTES_GPC in the PHP manual:

The code is as follows Copy Code

if (!GET_MAGIC_QUOTES_GPC ()) {

$lastname = addslashes ($_post[' LastName ');

} else {

$lastname = $_post[' LastName ');

}

It is best to check the $_post[' LastName ' If the MAGIC_QUOTES_GPC is already open.

Again, the difference between the 2 functions of mysql_real_escape_string and mysql_escape_string:

Mysql_real_escape_string must be used in cases (PHP 4 >= 4.3.0, PHP 5). Otherwise you can only use mysql_escape_string, the difference between the two is: Mysql_real_escape_string consider the current character set of the connection, and mysql_escape_string not consider.

(1) mysql_real_escape_string--escapes special characters in strings used in SQL statements and takes into account the current character set of the connection

Here's how to use it:

The code is as follows Copy Code

$sql = "SELECT count (*) as Ctr from users where username02.= '". Mysql_real_escape_string ($username). "' and 03.password= '". Mysql_real_escape_string ($PW). "' Limit 1";


Self-defined functions

The code is as follows Copy Code


function Inject_check ($sql _str) {
Return eregi (' select|insert|and|or|update|delete| ' | /*|*|.. /|. /|union|into|load_file|outfile ', $sql _str);
}

function verify_id ($id =null) {
if (! $id) {
Exit (' no submit parameter! ');
} elseif (Inject_check ($id)) {
Exit (' argument submitted is illegal! ');
} elseif (!is_numeric ($id)) {
Exit (' argument submitted is illegal! ');
}
$id = Intval ($id);

return $id;
}


function Str_check ($STR) {
if (!GET_MAGIC_QUOTES_GPC ()) {
$str = Addslashes ($STR); To filter
}
$str = Str_replace ("_", "_", $str);
$str = str_replace ("%", "%", $str);

return $str;
}


function Post_check ($post) {
if (!GET_MAGIC_QUOTES_GPC ()) {
$post = Addslashes ($post);
}
$post = Str_replace ("_", "_", $post);
$post = str_replace ("%", "%", $post);
$post = NL2BR ($post);
$post = Htmlspecialchars ($post);

return $post;
}

To summarize:

* Addslashes () is forcibly added;

* Mysql_real_escape_string () will determine the character set, but the PHP version is required;
* Mysql_escape_string does not consider the current character set of the connection.
The prevention of SQL injection in DZ is to use the Addslashes function, while there are some substitutions in dthmlspecialchars this function $string = Preg_replace (/& ]{4}));)/, &1, this substitution solves the problem of injection, but also solves some problems of Chinese garbled.

http://www.bkjia.com/PHPjc/629626.html www.bkjia.com true http://www.bkjia.com/PHPjc/629626.html techarticle Although many PHP programmers in the country still rely on addslashes to prevent SQL injection, it is recommended to strengthen Chinese to prevent SQL injection check. The problem with addslashes is that hackers can use 0xbf27 instead ...

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.