PHP to prevent the specific method of SQL injection (test pass) _php tips

A good PHP programmer in addition to the smooth writing code, but also need to make the program in a safe environment of the ability. Today we're going to talk about how PHP is preventing SQL injection.

When it comes to site security, you have to mention SQL injection (SQL injection), if you use ASP, there must be a deep understanding of SQL injection, PHP security is relatively high, because the MYSQL4 the following version does not support the child statements, and when PHP.ini magic_ When QUOTES_GPC is on.

All of the "(single quotes)" (double quotes) in the submitted variable, the (backslash) and null characters are automatically converted to escape characters that contain backslashes, causing a lot of trouble with SQL injection.

Please see clearly: "Trouble" only ~ this does not mean that PHP is preventing SQL injection, and it mentions the use of the encoding to change the injection statement to bypass the escaping method, such as converting the SQL statement into ASCII encoding (similar to: char ( 100,58,92,108,111,99,97,108,104,111,115,116 ...) Such a format), or into the 16 encoding, and even other forms of coding, so that the escape filter has been around, then how to guard against it:

A Open MAGIC_QUOTES_GPC or use the addslashes () function

In the new version of PHP, even if the MAGIC_QUOTES_GPC open, and then use the Addslashes () function, there will be no conflict, but for better implementation of version compatibility, it is recommended to use the transfer function before the detection of the MAGIC_QUOTES_GPC state, or directly off, The code is as follows:

PHP to prevent SQL injection code

Copy Code code as follows:

Remove escape characters
function Stripslashes_array ($array) {
if (Is_array ($array)) {
foreach ($array as $k => $v) {
$array [$k] = Stripslashes_array ($v);
}
else if (is_string ($array)) {
$array = Stripslashes ($array);
}
return $array;
}
@set_magic_quotes_runtime (0);
Judge the state of MAGIC_QUOTES_GPC
if (@get_magic_quotes_gpc ()) {
$_get = Stripslashes_array ($_get);
$_post = Stripslashes_array ($_post);
$_cookie = Stripslashes_array ($_cookie);
}

After removing the MAGIC_QUOTES_GPC escape, use the Addslashes function as follows:

PHP to prevent SQL injection code

Copy Code code as follows:

$keywords = Addslashes ($keywords);
$keywords = Str_replace ("_", "\_", $keywords);//Escape "_"
$keywords = str_replace ("%", "\%", $keywords);//Escape "%"

The latter two str_replace replace the escape purpose to prevent hackers from converting SQL code to attack.

b Force character format (type)

In many cases we want to use a similar URL like xxx.php?id=xxx, in general $id are integer variables, in order to prevent the attackers to tamper with the $id to attack statements, we should try to coerce variables, the code is as follows:

PHP to prevent SQL injection code

$id =intval ($_get[' id '));

Of course, there are other variable types, and if necessary, try to force the format.

C Include variable quotes in SQL statements

It's simple, but it's easy to get used to it, and take a look at these two SQL statements first:

SQL code

Copy Code code as follows:

SELECT * from article WHERE articleid= ' $id '
SELECT * from article WHERE articleid= $id

Both types of writing are common in a variety of programs, but security is different, the first sentence because the variable $id placed in a pair of single quotes, so that we have submitted variables into a string, even if the correct SQL statements, and will not execute normally, and the second sentence is different, because the variable is not placed in single quotes, All we have to submit, as long as there is a space, that the space after the variable will be executed as an SQL statement, so we have to make the SQL statements in the habit of quoting variables.

Pseudo-Static of D.url

URL pseudo-static is also URL rewrite technology, like discuz! The same, all URLs are rewrite into similar xxx-xxx-x.html format, not only for SEO, but also to achieve a certain degree of security, but also a good way. But to implement PHP to prevent SQL injection, the prerequisite is that you have a certain "regular" basis.