: This article mainly introduces PHP's built-in function analysis to prevent SQL injection. if you are interested in the PHP Tutorial, please refer to it. SQL
Injection AttacksIt is the most common method for hackers to attack websites. If your site does not use strict user input check, it is often vulnerable to SQL
Injection Attacks. SQL
Injection AttacksIt is usually implemented by submitting bad data or query statements to the site database, which may expose, change, or delete records in the database.
To prevent SQLInjection AttacksPHP comes with a function that can process input strings and perform initial security processing on input at a lower level, that is, Magic Quotes. (Php. ini magic_quotes_gpc ). If the magic_quotes_gpc option is enabled, the single quotation marks, double quotation marks, and other characters in the input string are automatically prefixed with a backslash /.
However, Magic Quotes is not a common solution. it does not block all potentially dangerous characters and Magic Quotes is not enabled on many servers. Therefore, we also need to use other methods to preventSQL injection.
Many databases provide such input data processing functions. For example, MySQL operation functions in PHP include addslashes (), mysql_real_escape_string (), mysql_escape_string (), etc.Special charactersEscape characters that may cause database operation errors. So what are the differences between the three function functions? The following is a detailed description.
Although there are manyPHP programmersStill relying on addslashes to preventSQL injectionWe recommend that you enhance Chinese protection.SQL injection. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only changes 0xbf27 to 0xbf5c27 to a valid multi-byte character, where 0xbf5c is still considered as single quotes, therefore, addslashes cannot be intercepted.
Of course, addslashes is not useless either. it is used for processing single-byte strings and mysql_real_escape_string is used for multi-byte characters.
In addition, the example of get_magic_quotes_gpc in the php Manual is as follows:
if (!get_magic_quotes_gpc()) { $lastname = addslashes($_POST[‘lastname’]);} else { $lastname = $_POST[‘lastname’];}
If magic_quotes_gpc is enabled, check $ _ POST ['lastname.
Let's talk about the differences between the two functions mysql_real_escape_string and mysql_escape_string:
Mysql_real_escape_string can be used only when (PHP 4> = 4.3.0, PHP 5. Otherwise, only mysql_escape_string can be used. The difference between mysql_real_escape_string and mysql_escape_string is not considered because of the current character set to be connected.
Summary:
- Addslashes () is forced to add /;
- Mysql_real_escape_string () will judge the character set, but there are requirements for the PHP version;
- Mysql_escape_string does not consider the connected current character set.
Dz preventionSQL injectionThe addslashes function is used, also in the dthmlspecialchars function, some replace $ string = preg_replace ('/& (# (/d {} | x [a-fA-F0-9] {4 }));) /',' & // 1', which solves the injection problem and Chinese garbled characters.
Http://blog.csdn.net/hellollx/article/details/5399760
The above introduces PHP's built-in function analysis for preventing SQL injection, including some content. I hope to help some friends who are interested in PHP tutorials.