Cause
On the one hand do not have this aspect of consciousness, some data has not been strictly verified, and then directly splicing SQL to query. Cause a vulnerability to occur, such as:
$id = $_get[' id ']; $sql = "Select name from users WHERE id = $id";
Because there is no data type validation for $_get[' ID ', the injector can submit any type of data, such as unsafe data such as "and 1= 1 or". If you write in the following way, it's safer.
$id = Intval ($_get[' id "); $sql = "Select name from users WHERE id = $id";
By converting the ID into an int type, you can get rid of unsafe things.
Validating data
The first step in preventing injection is validating the data, which can be rigorously validated against the appropriate type. For example, the int type can be converted directly to the intval:
$id =intval ($_get[' id ');
Character processing is more complex, first through the SPRINTF function format session output, to ensure that it is a string. Then some illegal characters are removed through some security functions, such as:
$str = Addslashes (sprintf ("%s", $str)); You can also replace addslashes with the mysqli_real_escape_string functionThis will be more secure after processing. Of course, you can further determine the length of the string to prevent " buffer overflow attacks " such as:
$str = Addslashes (sprintf ("%s", $str)); $str = substr ($str, 0,40); Maximum length is 40Parameterized bindings
A parameterized binding that prevents another barrier to SQL injection. PHP mysqli and PDO provide this functionality. For example, mysqli can query this way:
$mysqli = new mysqli (' localhost ', ' my_user ', ' My_password ', ' world '); $stmt = $mysqli->prepare ("INSERT into Countrylanguage VALUES (?,?,?,?) "); $code = ' DEU '; $language = ' Bavarian '; $official = "F"; $percent = 11.2; $stmt->bind_param (' SSSD ', $code, $language, $offi cial, $percent);PDO is more convenient, such as:
/* Execute A prepared statement by passing an array of values */$sql = ' SELECT name, colour, calories from fruit W Here calories <: calories and colour =: colour '; $sth = $dbh->prepare ($sql, array (pdo::attr_cursor = pdo::cursor_fwdonly)); $sth->execute (Array (': Calories ' = ": Colour ' + ' red '); $red = $sth->fetchall (); $sth->execute (': Calories ' = 175, ': Colour ' =& Gt ' Yellow '); $yellow = $sth->fetchall ();function prepare ($query, $args) {if (Is_null ($query)) return; This isn't meant to being foolproof--but it'll catch obviously incorrect usage. if (Strpos ($query, '% ') = = = = False) {_doing_it_wrong (' wpdb::p repare ', sprintf (' The query argument of %s must has a placeholder. '), ' wpdb::p repare () '), ' 3.9 '); } $args = Func_get_args (); Array_shift ($args); If args were passed as an array (as in vsprintf), move them up if (isset ($args [0]) && is_array ($args [0]) ) $args = $args [0]; $query = Str_replace ("'%s '", '%s ', $query); In case someone mistakenly already singlequoted it $query = Str_replace (' "%s" ', '%s ', $query); Doublequote unquoting $query = preg_replace (' | (?
Summarize
Security is important, you can also see a person's basic skills, the project is flawed, extensibility and maintainability is no good. Usually pay more attention, establish a sense of safety, cultivate a habit, some basic security will certainly not occupy the time with coding. Develop this habit, even in the project urgency, short time situation, can still do high quality. Don't wait for the things that you are responsible for later, the database is taken away, causing the loss to be valued. Share!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
