Using PHP functions to solve SQL injection (PHP basics)

Source: Internet
Author: User
Tags: sql injection

SQL injection problems are notorious in ASP, but of course many well-known PHP programs, domestic and foreign, have also "died" from them. As for the details of SQL injection, there are already too many articles on the web, so they will not be introduced here.
If magic_quotes_gpc in your web site's php.ini file is set to off, PHP will not put a backslash (\) in front of sensitive characters, and a SQL injection vulnerability results because content submitted from a form may contain sensitive characters such as single quotes ('). In this case we can use addslashes() to solve the problem; it automatically adds a backslash before each sensitive character.
However, the above method only applies when magic_quotes_gpc=off. As a developer, you don't know whether each user's magic_quotes_gpc is on or off, and if you run all the data through addslashes() regardless, isn't that "killing the innocent"? If magic_quotes_gpc=on and addslashes() is applied as well, let's take a look at what happens:

<?php
// Suppose the form submits a variable $_POST['message'] whose content is: Tom's book
// Add the code that connects to the MySQL database here; write it yourself
// Add a backslash before the sensitive characters in $_POST['message']
$_POST['message'] = addslashes($_POST['message']);

// Because magic_quotes_gpc=on, a backslash had already been added before each
// sensitive character, so the value now carries a second one
$sql = "INSERT INTO msg_table VALUE ('{$_POST['message']}');";

// Send the query and save the content to the database
$query = mysql_query($sql);

// If you then read this record back from the database and output it, you will see: Tom\'s book
?>

In this case, in a magic_quotes_gpc=on environment, every single quote (') in the input ends up stored as (\') ...
In fact, we can use the get_magic_quotes_gpc() function to solve this problem easily. When magic_quotes_gpc=on the function returns true; when magic_quotes_gpc=off it returns false. By now many people will have realized that this solves the problem. See the code:

<?php
// If magic_quotes_gpc=off, add a backslash before the sensitive characters in the
// submitted $_POST['message']; if magic_quotes_gpc=on, do not add one
if (!get_magic_quotes_gpc()) {
    $_POST['message'] = addslashes($_POST['message']);
}
?>
In fact, the problem has been solved. Here is a small trick worth mentioning.
Sometimes a form submits more than one variable, possibly ten or even dozens. Isn't it a bit troublesome to copy and paste addslashes() for each one? Because the data obtained from a form or URL is an array, such as $_POST or $_GET, we can write a custom function that handles them all at once:

<?php
function quotes($content)
{
    // Only process the data if magic_quotes_gpc=off; otherwise PHP has already escaped it
    if (!get_magic_quotes_gpc()) {
        // Determine whether $content is an array
        if (is_array($content)) {
            // If it is an array, handle each element individually
            foreach ($content as $key => $value) {
                $content[$key] = addslashes($value);
            }
        } else {
            // If it is not an array, handle it just once
            // (the original forgot to assign the result, so the escaping was lost)
            $content = addslashes($content);
        }
    }
    // If magic_quotes_gpc=on, nothing is done
    // Return $content
    return $content;
}
?>
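As an added example (not code from the original post), here is a version of quotes() that walks nested form arrays such as items[0][name] and runs on PHP 7 and later, where the magic_quotes_gpc setting is gone and get_magic_quotes_gpc() was removed in PHP 8. Because the runtime can no longer tell you whether input was pre-escaped, the function takes an explicit flag instead; the $post array is a constructed sample.

```php
<?php
// Added example (not from the original post): a recursive version of quotes()
// for nested form arrays. It targets PHP 7+, where the magic_quotes_gpc setting
// no longer exists and get_magic_quotes_gpc() was removed in PHP 8, so whether
// the input was already escaped must be passed in explicitly by the caller.
function quotes_recursive($content, bool $alreadyEscaped = false)
{
    if ($alreadyEscaped) {
        // Input already carries backslashes: escaping again would double them
        return $content;
    }
    if (is_array($content)) {
        // Walk every level of the array, e.g. items[0][name]
        foreach ($content as $key => $value) {
            $content[$key] = quotes_recursive($value, false);
        }
        return $content;
    }
    // Scalar: add one backslash before ', ", \ and NUL, like the page's quotes()
    return addslashes((string) $content);
}

// Constructed sample input, as PHP would populate $_POST for the query string
// message=Tom's book&tags[]=O'Reilly&meta[author]=D'Angelo
$post = [
    'message' => "Tom's book",
    'tags'    => ["O'Reilly"],
    'meta'    => ['author' => "D'Angelo"],
];

// Case 1: raw input (the old magic_quotes_gpc=off situation): escape once.
$once = quotes_recursive($post);

// Case 2: input that an earlier layer already escaped (the old
// magic_quotes_gpc=on situation). Passing the flag skips the second pass;
// without it each quote would gain a further backslash, the bug shown above.
$twice = quotes_recursive($once, true);

// Both results must be identical: one backslash per quote, at every depth.
var_dump($once === $twice);
var_dump($once['meta']['author'], $once['tags'][0]);
```

Note that addslashes() is not a charset-aware SQL escape; on current PHP the same input would be bound to a prepared statement (PDO or mysqli) instead, which removes the quoting question entirely.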
