(1) mysql_real_escape_string -- escapes the special characters in a string that is to be used in an SQL statement, taking the current character set of the connection into account. For example:
$sql = "select count(*) as ctr from users where username='" . mysql_real_escape_string($username) . "' and password='" . mysql_real_escape_string($pw) . "' limit 1";
Wrapping every piece of user input in mysql_real_escape_string() in this way prevents malicious SQL injection through that input.

(2) Enable magic_quotes_gpc to prevent SQL injection in PHP. In php.ini, magic_quotes_gpc = Off is the default. When it is enabled, PHP automatically converts the characters in submitted data that matter to an SQL query, for example escaping ', which plays a major role in preventing SQL injection. If magic_quotes_gpc = Off, use the addslashes() function instead.

(3) User-defined functions
// Reject strings that contain SQL keywords, a quote, or comment/path fragments.
// preg_match() with the /i modifier replaces the original eregi(), which was removed in PHP 7.
function inject_check($sql_str) {
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
}

// Validate a numeric id parameter and return it as an integer.
function verify_id($id = null) {
    if (!$id) {
        exit('No parameter submitted!');
    } elseif (inject_check($id)) {
        exit('The submitted parameter is invalid!');
    } elseif (!is_numeric($id)) {
        exit('The submitted parameter is invalid!');
    }
    $id = intval($id);
    return $id;
}

// Escape a string for use in a query and also escape the LIKE wildcards _ and %.
// get_magic_quotes_gpc() exists in PHP 5 only; it was removed in PHP 8.
function str_check($str) {
    if (!get_magic_quotes_gpc()) {
        $str = addslashes($str); // filter
    }
    $str = str_replace("_", "\_", $str);
    $str = str_replace("%", "\%", $str);
    return $str;
}

// Escape submitted text for the query and for HTML output.
function post_check($post) {
    if (!get_magic_quotes_gpc()) {
        $post = addslashes($post);
    }
    $post = str_replace("_", "\_", $post);
    $post = str_replace("%", "\%", $post);
    $post = nl2br($post);
    $post = htmlspecialchars($post);
    return $post;
}
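As an added example that is not code from the original page, the login query from (1) is written below with a PDO prepared statement, so that user input is bound as data rather than escaped into the SQL text (the mysql extension and mysql_real_escape_string were removed in PHP 7). It assumes the pdo_sqlite extension, uses a constructed in-memory table so it runs offline, and also shows how the keyword blacklist from (3) rejects ordinary, legitimate input.

```php
<?php
// Added example, not part of the original page: the login query from (1)
// as a PDO prepared statement. Input is bound as data, so a quote inside it
// can never end the string literal, whatever the connection character set.
// Assumes the pdo_sqlite extension; the database and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
// Constructed sample rows; 'O''Brien' is the SQL literal for the value O'Brien.
$db->exec("INSERT INTO users VALUES ('sandra', 'pa55word'), ('bob', 'O''Brien')");

// Same query as in (1), with placeholders instead of string concatenation.
function count_matching_users(PDO $db, string $username, string $pw): int
{
    $stmt = $db->prepare(
        "SELECT COUNT(*) AS ctr FROM users WHERE username = :u AND password = :p LIMIT 1"
    );
    $stmt->execute([':u' => $username, ':p' => $pw]);
    return (int) $stmt->fetchColumn();
}

// The keyword blacklist from (3), for comparison (preg_match in place of the removed eregi).
function inject_check(string $sql_str): int
{
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
}

// The quote in the password is plain data for the prepared statement:
// bob's row is counted, and no SQL syntax error is raised.
var_dump(count_matching_users($db, 'bob', "O'Brien"));
// A wrong password simply produces no matching row.
var_dump(count_matching_users($db, 'bob', 'wrong'));
// The blacklist rejects both legitimate values: "sandra" contains the
// substring "and", and O'Brien contains a quote.
var_dump(inject_check('sandra'));
var_dump(inject_check("O'Brien"));
```

The contrast is the practical point: parameter binding keeps the query structure fixed for any input, while the substring blacklist both blocks harmless names and still relies on the caller remembering to apply it.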