Php prevents SQL injection and instance code

Source: Internet
Author: User

Preventing SQL injection in PHP is an important security measure.

A good PHP programmer must be able to write code fluently and keep the program running in a secure environment. Today we explain how PHP can prevent SQL injection. Any discussion of website security has to mention SQL injection; if you have used ASP, you will have a deep understanding of it. PHP is relatively secure, because MySQL versions earlier than 4 do not support subqueries, and when magic_quotes_gpc in php.ini is on,

all ' (single quotation marks), " (double quotation marks), \ (backslashes) and NUL characters in the submitted variables are automatically converted to escape sequences with a leading backslash, which makes SQL injection much more troublesome. Read that carefully: "troublesome" does not mean that PHP prevents SQL injection. The book describes how injection statements can be encoded to bypass the escaping: for example, an SQL fragment can be converted into ASCII codes (in the form char(92,108,111,108,104,111,115,116 ...)), into hexadecimal encoding, or even into other encodings, so that the escape filtering is bypassed. How can we prevent it?

A. Turn on magic_quotes_gpc, or use the addslashes() function in newer versions of PHP. Even if magic_quotes_gpc is enabled, the addslashes() function will not conflict with it, but for better version compatibility we recommend checking the magic_quotes_gpc status before calling the escaping function, or simply turning it off. The code is as follows (PHP code to prevent SQL injection):

  <?php
  // Remove the escape characters added by magic_quotes_gpc, recursing into arrays
  function stripslashes_array($array) {
      if (is_array($array)) {
          foreach ($array as $k => $v) {
              $array[$k] = stripslashes_array($v);
          }
      } else if (is_string($array)) {
          $array = stripslashes($array);
      }
      return $array;
  }

  @set_magic_quotes_runtime(0);

  // Determine the magic_quotes_gpc status and undo its escaping of the request data
  if (@get_magic_quotes_gpc()) {
      $_GET    = stripslashes_array($_GET);
      $_POST   = stripslashes_array($_POST);
      $_COOKIE = stripslashes_array($_COOKIE);
  }

After the magic_quotes_gpc escaping has been removed, use the addslashes function yourself. The code is as follows (PHP code for preventing SQL injection):

  $keywords = addslashes($keywords);
  $keywords = str_replace("_", "\_", $keywords); // Escape "_"
  $keywords = str_replace("%", "\%", $keywords); // Escape "%"

The two str_replace calls that follow escape the "_" and "%" characters so that an attacker cannot use them to alter the SQL code.

B. Force the variable type. We often use URLs of the form xxx.php?id=xxx, where $id is generally an integer variable. To prevent an attacker from tampering with $id and turning it into an attack statement, we should cast variables to their expected type wherever possible. The code is as follows (PHP code to prevent SQL injection):

  $id = intval($_GET['id']);

Of course there are other variable types; where necessary, cast them to the right type as well.

C. Enclosing variables in SQL statements in quotation marks is easy, but it is also easy to forget the habit. Let's look at these two SQL statements:

  SELECT * FROM article WHERE articleid = '$id'
  SELECT * FROM article WHERE articleid = $id

Both forms are common in all kinds of programs, but their security differs. The first statement puts the variable $id in a pair of single quotes, so whatever we submit becomes a string; even if it contains a valid SQL statement, that statement will not execute normally. The second statement is different: because the variable is not placed in single quotes, anything we submit that contains a space has the text after the space executed as SQL. Therefore, we need to get into the habit of quoting the variables in SQL statements.
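As an added example (not code from the original article), here is the unquoted query from section C beside the intval() cast from section B and a quoted-and-escaped string version; the function names and the two tampered inputs are constructed for illustration.

```php
<?php
// Added example: function names and sample inputs are this example's own.

// Unsafe: the variable is neither cast nor quoted, so anything after a space
// in the submitted value becomes part of the SQL statement.
function build_query_unsafe($id) {
    return "SELECT * FROM article WHERE articleid = $id";
}

// Hardened for an integer id: intval() leaves only the leading integer.
function build_query_intval($id) {
    $id = intval($id);
    return "SELECT * FROM article WHERE articleid = $id";
}

// Hardened for a string value: escape with addslashes() and always wrap the
// value in single quotes, so it can only ever be read as one string literal.
function build_query_quoted($value) {
    $value = addslashes($value);
    return "SELECT * FROM article WHERE title = '$value'";
}

// Constructed inputs of the kind an attacker might submit, used only to show
// how each version of the query handles them.
$tampered_id    = "1 OR 1=1";
$tampered_title = "abc' OR '1'='1";

echo build_query_unsafe($tampered_id), "\n";
// SELECT * FROM article WHERE articleid = 1 OR 1=1     <- WHERE clause is altered

echo build_query_intval($tampered_id), "\n";
// SELECT * FROM article WHERE articleid = 1            <- only the integer survives

echo build_query_quoted($tampered_title), "\n";
// SELECT * FROM article WHERE title = 'abc\' OR \'1\'=\'1'  <- still one string

// Note: addslashes() is not aware of the connection character set; the
// database driver's own escaping function, or a prepared statement with bound
// parameters, is the safer choice when it is available.
```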

D. URL pseudo-static pages, that is, URL rewriting, as used by Discuz!: all URLs are rewritten into the xxx-xxx-x.html format, which is good for SEO and also achieves a certain level of security. It is another good approach. However, to prevent SQL injection in PHP this way, you must have a regular expression.
