(1) mysql_real_escape_string -- escape special characters in strings used in SQL statements and take into account the connected current character set
The usage is as follows:
$sql = "select count(*) as ctr from users where username='" . mysql_real_escape_string($username) . "' and password='" . mysql_real_escape_string($pw) . "' limit 1";
Use mysql_real_escape_string() as a wrapper around every user-supplied value that goes into a query:
it escapes the characters that would let the input break out of the quoted string, so malicious SQL in user input is not executed.
(2) Enable magic_quotes_gpc to prevent SQL injection.
The relevant php.ini setting is magic_quotes_gpc = Off.
It is off by default. When it is on, PHP automatically escapes the data submitted by the user (GET, POST and cookie values),
for example converting ' to \', which plays a major role in preventing SQL injection.
If magic_quotes_gpc = Off, escape the input with the addslashes() function instead.
(3) user-defined functions
function inject_check($sql_str) {
    // Blacklist check: the value is rejected if any of these substrings appears anywhere in it
    // (note that "and"/"or" also match inside ordinary words such as "android" or "order").
    // eregi() was removed in PHP 7; preg_match() with the i flag is the case-insensitive equivalent.
    return preg_match("/select|insert|and|or|update|delete|'|\/\*|\.\.\/|\.\/|union|into|load_file|outfile/i", $sql_str);
}

function verify_id($id = null) {
    if (!$id) {
        exit('no submission parameter!');
    } elseif (inject_check($id)) {
        exit('The submitted parameter is invalid!');
    } elseif (!is_numeric($id)) {
        exit('The submitted parameter is invalid!');
    }
    $id = intval($id);
    return $id;
}

// Returns true when the input still needs addslashes(): magic quotes are off, or the
// function no longer exists (get_magic_quotes_gpc() was removed in PHP 8, so input is never pre-escaped there).
function needs_addslashes() {
    return !function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc();
}

function str_check($str) {
    if (needs_addslashes()) {
        $str = addslashes($str); // filter quotes, backslashes and NUL
    }
    // _ and % are wildcards in LIKE patterns; escape them so user input cannot widen a LIKE match
    $str = str_replace("_", "\_", $str);
    $str = str_replace("%", "\%", $str);
    return $str;
}

function post_check($post) {
    if (needs_addslashes()) {
        $post = addslashes($post);
    }
    $post = str_replace("_", "\_", $post);
    $post = str_replace("%", "\%", $post);
    $post = nl2br($post);           // keep line breaks when the text is shown as HTML
    $post = htmlspecialchars($post); // neutralise HTML so the stored text cannot inject markup
    return $post;
}
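The following is an added example, not code from the original page. It puts the login query from section (1) next to its unescaped form so the effect of escaping on a quote-carrying input is visible, and applies the numeric-id discipline of section (3) in a simplified, stricter form (no blacklist, plain-integer check only). Because the example must run without a database, it escapes with addslashes(); the function names demo_escape, login_query_unsafe, login_query_escaped and checked_id and all input values are constructed for this demo. addslashes() does not know the connection's character set, which is exactly why the page prefers mysql_real_escape_string(); in live code pass a connection-aware escaper such as [$mysqli, 'real_escape_string'] instead (the mysql_* extension itself was removed in PHP 7).

```php
<?php
// Added example (not from the original page). Inputs below are constructed for the demo.

// Offline stand-in for the connection-aware escaper. In real code pass
// [$mysqli, 'real_escape_string'] so the connection character set is honoured.
function demo_escape(string $value): string
{
    return addslashes($value);
}

// Unsafe: user input is concatenated straight into the statement.
function login_query_unsafe(string $username, string $pw): string
{
    return "select count(*) as ctr from users where username='$username' and password='$pw' limit 1";
}

// Escaped: every string value passes through the escaper before concatenation.
function login_query_escaped(string $username, string $pw, callable $escape = 'demo_escape'): string
{
    return "select count(*) as ctr from users where username='" . $escape($username)
        . "' and password='" . $escape($pw) . "' limit 1";
}

// Numeric parameters are not quoted in SQL, so escaping quotes does nothing for them.
// Accept only a plain integer literal and cast it, in the spirit of verify_id().
function checked_id($id): int
{
    if ($id === null || $id === '' || !is_numeric($id) || (string)(int)$id !== (string)$id) {
        throw new InvalidArgumentException('invalid id parameter');
    }
    return intval($id);
}

// Constructed inputs: a username containing a quote, and a harmless password.
$username = "o'neil";
$pw = "anything";
echo "unsafe:  ", login_query_unsafe($username, $pw), "\n";
echo "escaped: ", login_query_escaped($username, $pw), "\n";

// Constructed id parameters: one valid integer, two that must be rejected.
foreach (['42', '42 or 1=1', "1' or '1'='1"] as $id) {
    try {
        echo "id ok: ", checked_id($id), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $id\n";
    }
}
```

Running the script shows the unescaped query terminating the username string early at the quote, while the escaped form carries `o\'neil` as a single literal; the id loop accepts only `42`. The callable parameter is the design point: the query builder does not care which escaper is used, so swapping addslashes() for the mysqli escaper changes one call site and nothing else.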