SQL injection caused quite a stir in the ASP world, and of course many well-known PHP programs, both domestic and foreign, have also "died" from it. There are already plenty of articles on the web covering the details of SQL injection, so they are not repeated here.
If magic_quotes_gpc in your web site's php.ini file is set to Off, PHP will not put a backslash (\) in front of sensitive characters, which results in a SQL injection vulnerability because submitted form content may contain sensitive characters such as single quotes ('). In this case, we can use addslashes() to solve the problem; it automatically adds a backslash before the sensitive characters.
However, the above method only applies when magic_quotes_gpc=Off. As a developer, you don't know whether each user's magic_quotes_gpc is On or Off, and if you run all the data through addslashes(), isn't that "killing innocents"? If magic_quotes_gpc=On and you then use addslashes() anyway, let's take a look at what happens:
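<?php
// Suppose the form submits a variable $_POST['message'] with the content: Tom's book
// Add your own code here to connect to the MySQL database
// Add a backslash before the sensitive characters in $_POST['message']
$_POST['message'] = addslashes($_POST['message']);
// Because magic_quotes_gpc=On, a backslash has now been added before the sensitive characters a second time
$sql = "INSERT INTO msg_table VALUE('$_POST[message]');";
// Send the query and save the content to the database
$query = mysql_query($sql);
// If you then fetch this record from the database and output it, you will see Tom\'s book
?>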
So in a magic_quotes_gpc=On environment, every single quote (') that is entered will turn into (\') ...
In fact, we can use the get_magic_quotes_gpc() function to solve this problem easily. When magic_quotes_gpc=On, the function returns true; when magic_quotes_gpc=Off, it returns false. By now, many readers will have realized that the problem is solved. Please look at the code:
<?php
// If magic_quotes_gpc=Off, add backslashes before the sensitive characters
// in the form-submitted $_POST['message']
// If magic_quotes_gpc=On, do not add them
if (!get_magic_quotes_gpc()) {
    $_POST['message'] = addslashes($_POST['message']);
}
?>
At this point the problem is actually solved. Here is one more small trick.
Sometimes a form submits more than one variable, possibly more than ten or even dozens. Isn't it a bit troublesome to copy and paste addslashes() once for each of them? Because the data obtained from a form or URL arrives in arrays such as $_POST and $_GET, we can write a custom function that deals with all of them in one sweep:
<?php
function quotes($content)
{
    // If magic_quotes_gpc=Off, start processing
    if (!get_magic_quotes_gpc()) {
        // Check whether $content is an array
        if (is_array($content)) {
            // If $content is an array, process each of its elements
            foreach ($content as $key => $value) {
                $content[$key] = addslashes($value);
            }
        } else {
            // If $content is not an array, process it just once
            // (the result must be assigned back, or the escaping is lost)
            $content = addslashes($content);
        }
    } else {
        // If magic_quotes_gpc=On, do nothing
    }
    // Return $content
    return $content;
}
?>
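As an added example (not code from the original article): magic_quotes_gpc was removed in PHP 5.4, mysql_query() in 7.0 and get_magic_quotes_gpc() in 8.0, so the runtime check above cannot run on current PHP; the code below stores the article's Tom's book value through a bound parameter instead of escaping it. It assumes the pdo_sqlite extension, with an in-memory SQLite database standing in for MySQL; the function names and the second sample value are constructed for illustration.

```php
<?php
// Added example, not from the original article. Assumes pdo_sqlite is loaded;
// an in-memory SQLite database stands in for the article's MySQL server.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE msg_table (message TEXT)');
    return $db;
}

function save_message(PDO $db, string $message): void
{
    // The SQL text is fixed; the value is sent as a bound parameter, so a
    // quote or backslash in it is data and never part of the statement.
    $stmt = $db->prepare('INSERT INTO msg_table (message) VALUES (:message)');
    $stmt->execute([':message' => $message]);
}

function load_messages(PDO $db): array
{
    return $db->query('SELECT message FROM msg_table ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample input: the article's value plus one containing the
// quote and backslash characters that addslashes() escapes.
$samples = ["Tom's book", 'a \'single\', a "double" and a back\\slash'];

$db = open_db();
foreach ($samples as $message) {
    save_message($db, $message);
}

// Compare each stored value with what was submitted; a doubled escape such
// as Tom\'s book would show up here as ALTERED.
$stored = load_messages($db);
foreach ($stored as $i => $message) {
    echo $message, ($message === $samples[$i] ? '  [unchanged]' : '  [ALTERED]'), PHP_EOL;
}
```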