PHP.ini MAGIC_QUOTES_GPC Configuring the Anti-injection method (1/5) _php Tutorial

PHP Tutorial. ini MAGIC_QUOTES_GPC Configuration anti-injection method

1. The MAGIC_QUOTES_GPC option in PHP config file php.ini is not turned on and is set to off
2. The developer does not check and escape the data type
But in fact, the 2nd is the most important. I think that checking the type of data entered by the user and submitting the correct data type to the MySQL tutorial should be the most basic quality of a web programmer. But in reality, many small white web developers often forget this, causing the backdoor to open.
Why is 2nd the most important? Because without the 2nd guarantee, the MAGIC_QUOTES_GPC option, whether on or off, could trigger a SQL injection attack. Here's a look at the technology implementation:
One. MAGIC_QUOTES_GPC = off injection attack
MAGIC_QUOTES_GPC = Off is a very insecure option in PHP. The new version of PHP has changed the default value to ON. However, there are still quite a few options for the server to OFF. After all, the antique servers are also used by people.
When MAGIC_QUOTES_GPC = ON, it will add all the ' (single quotation marks), "(double number), (backslash), and white space characters in the submitted variable to the front automatically. The following is an official description of PHP:

Copy the code code as follows:
MAGIC_QUOTES_GPC Boolean

Sets the Magic_quotes state for GPC (Get/post/cookie) operations. When Magic_quotes is on, all ' (Single-quote), "(double quote), (backslash) and Nul ' s is escaped with a backslash autom Atically

If it is not escaped, that is off, it gives the attacker an advantage. Take the following test script as an example:
Copy the code code as follows:

if (Isset ($_post["F_login"))
{
Connect Database Tutorial ...
// ... Code slightly ...

Check if the user exists
$t _struname = $_post["F_uname"];
$t _strpwd = $_post["F_pwd"];
$t _strsql = "SELECT * from tbl_users where username= ' $t _struname ' and password = ' $t _strpwd ' limit 0,1 ';

if ($t _hres = mysql_query ($t _strsql))
{
Processing after a successful query. Slightly...
}
}
?>

Sample test

1 2 3) 4 5

http://www.bkjia.com/PHPjc/629727.html www.bkjia.com true http://www.bkjia.com/PHPjc/629727.html techarticle php Tutorial. ini MAGIC_QUOTES_GPC Configuration Anti-injection method 1. The MAGIC_QUOTES_GPC option in the PHP configuration file php.ini is not turned on and is set to OFF 2. The developer did not check the data type ...

