PHP self-with several functions to prevent SQL injection

SQL injection attacks are the most common means by which hackers attack Web sites. If your site does not use a rigorous user input test, it is often vulnerable to SQL injection attacks. SQL injection attacks are usually implemented by submitting bad data or query statements to the site database, which can potentially expose, change, or delete records in the database.

In order to prevent SQL injection attacks, PHP has a function to handle the input string, you can at the lower level of the input on the security of the initial treatment, that is, magic quotes. (PHP.ini MAGIC_QUOTES_GPC). Opens by default, and if the MAGIC_QUOTES_GPC option is enabled, single quotes, double quotes, and other characters in the string you enter will be automatically added to the backslash.

However, Magic quotes is not a common solution that does not mask all potentially dangerous characters, and magic quotes is not enabled on many servers. So we also need to use a number of other ways to prevent SQL injection.

Many databases themselves provide this input data processing functionality. For example, PHP's MySQL operation functions include addslashes (), mysql_real_escape_string (), mysql_escape_string (), and so on, to escape special characters and characters that may cause errors in the database operation. So what's the difference between these three functional functions? Let's go into the details below.

Although many domestic PHP programmers are still relying on addslashes to prevent SQL injection, it is recommended that you strengthen the Chinese to prevent SQL injection inspection. The problem with addslashes is that hackers can use 0xbf27 instead of single quotes, and addslashes only modifies 0xbf27 to 0xbf5c27 as a valid multi-byte character, where the 0xbf5c is still considered single quotes, So addslashes cannot successfully intercept.

Of course, addslashes is also not useless, it is used for single-byte string processing, multibyte characters or use mysql_real_escape_string bar.

Also for examples of GET_MAGIC_QUOTES_GPC in the PHP manual:

if (!GET_MAGIC_QUOTES_GPC ()) {

$lastname = addslashes ($_post[' LastName '));

} else {

$lastname = $_post[' LastName '];

}

It is better to check the $_post[' LastName ' If the MAGIC_QUOTES_GPC is already open.

Again, the difference between the 2 functions of mysql_real_escape_string and mysql_escape_string:

Mysql_real_escape_string must be available in the case of (PHP 4 >= 4.3.0, PHP 5). Otherwise, only mysql_escape_string can be used, and the difference is that mysql_real_escape_string takes into account the current character set of the connection, and Mysql_escape_string does not consider it.

To sum up:

* Addslashes () is forcibly added;

* Mysql_real_escape_string () will judge the character set, but the PHP version is required;

* Mysql_escape_string does not consider the current character set of the connection.

The prevention of SQL injection in DZ is to use the Addslashes function, while in dthmlspecialchars this function there are some substitutions $string = Preg_replace (/& (# (D{3,5}X[A-FA-F0-9) {4});) /, &\1, this substitution solves the problem of injection, but also solves some problems of Chinese garbled