Website problem: there is a vulnerability, and today I came here to ask the CSDN folks to help solve it.
The health supplement site I built, http://www.bjp51.net, has had a bit of a problem these past two days. Scanned with 360, it is rated high-risk with only 49 points; the report is as follows:
The first item is a very serious problem, and today I want to solve that first problem.
Look at the comments 360 gave.
I do not know how to change it, and I hope you can help me solve it.
------Solution--------------------
$id = ";
if (!empty ($_post[' id ')) {
for ($i =0; $i <>
$id= $id. ($_post[' ID' [$i]. ', ');
}
$id =substr ($id, 0,strlen ($id)-1);//Remove the back of the ","
}
$sql = "SELECT * from Zzcms_main where ID in ( $id)"
He thinks you're using incoming data in SQL instructions without checking.
------Solution--------------------
The principle of SQL injection is to inject from the address bar or a form.
If you take $_GET["a"] from the address bar and use it directly in the program without filtering it, that is a threat. For example:
If $_GET["a"] = 1, then:
$sql = "SELECT * from AA where ID = " . $_GET['a']; becomes $sql = "SELECT * from AA where id = 1";
But if someone else modifies the address bar themselves and changes the value of $_GET["a"] to "1 or (and) xxx", all kinds of code, then this query statement becomes
$sql = "SELECT * from AA WHERE ID = 1 or (and) xxx";
And so the site gets hit.
So the parameters taken from the address bar and from forms must be formatted and filtered well: specify what type they are, how long they may be, which characters are allowed, and so on.
------Solution--------------------
$sql = "SELECT * from Zzcms_main where ID in ($id)";
$id did not go through any filtering, the user can enter anything, and of course that is injectable.
Because the ID can only be a number, you can use intval to convert it to a number; anything non-numeric is converted to 0, and then it cannot be injected.
------Solution--------------------
Replace every single quote in the incoming data with two consecutive single quotes, and wrap the arguments passed into the SQL statement in single quotes.
$id = str_replace("'", "''", $_POST['id']);   // double every single quote
$sql = "SELECT * from Tb_user where id = '$id'";
Then there is no need to fear injection.
------Solution--------------------
if (!empty($_POST['id'])) {
    $id = join(',', array_map('intval', $_POST['id']));   // cast every element to int, then join
}
Better to give $id a different name.
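As an added example (not code from the thread or from the site in question), here is how the last two answers combine: cast every posted id with intval, drop the zeros that non-numeric input produces, and then bind the ids as placeholders in an IN list instead of interpolating the string. It assumes PHP 7.4+ with PDO and the SQLite driver so it runs offline; the table rows and the request data are constructed sample values.

```php
<?php
// Added example, not from the original thread. Assumes PDO with the SQLite driver.

function idsFromRequest(array $post): array
{
    if (empty($post['id']) || !is_array($post['id'])) {
        return [];
    }
    // intval() turns "2 or 1=1" into 2 and pure text into 0; drop the zeros.
    $ids = array_map('intval', $post['id']);
    return array_values(array_filter($ids, fn($n) => $n > 0));
}

function selectByIds(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    // One "?" per id: the SQL text itself never contains user data.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $db->prepare("SELECT * FROM Zzcms_main WHERE ID IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample table (in-memory SQLite, so nothing on disk is touched).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Zzcms_main (ID INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO Zzcms_main VALUES (?, ?)');
foreach ([[1, 'first'], [2, 'second'], [3, 'third']] as $row) {
    $ins->execute($row);
}

// Constructed request: one clean id, one with trailing SQL, one non-numeric.
$fakePost = ['id' => ['1', '2 or 1=1', 'abc']];

$ids  = idsFromRequest($fakePost);   // only the integer parts survive
$rows = selectByIds($db, $ids);
printf("ids=%s rows=%d\n", implode(',', $ids), count($rows));
```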