Reply content:
No compilation, no injection. The point is to prevent the submitted data from being compiled.
Parameter binding is the method for keeping submitted data from being compiled. With PDO or mysqli there are many handy, well-packaged classes.
For example, using Php-pdo-mysql-class from GitHub
(this class uses a Python-like mysqldb interface), which is safe:
$DB->query("SELECT * FROM fruit WHERE name IN (?, ?)", array($_GET['PM1'], $_GET['PM2']));
$DB->query("SELECT * FROM users WHERE name = ? AND password = ?", array($_GET['name'], $_GET['PW']));
The best way to prevent SQL injection is to never assemble SQL commands and parameters yourself, but to use PDO's prepare and bind.
The principle is to separate your SQL query command from the arguments passed to it:
> Prepare: the DB server parses your SQL statement into an SQL command.
> Bind: the value is just a dynamic argument to the SQL command the DB server has already parsed.
All those other filters for special strings, whitelists and the like, are beside the point. To prevent SQL injection, just use mysqli or PDO pre-compilation. If you use a framework, be aware of what the framework is doing internally. Splicing SQL statements together is a practice that has long belonged on the garbage heap of history.
In addition, PDO's pre-compilation has a bug: before 5.3.6 it will by default call mysql_* and splice the statement, so you need to set $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);.
Prepare && bind, and that's it.
Simply put, for SQL injection in PHP programs, the most important method is to safely filter the input and output data.
Of course, that is simple to say; actually doing it is very complex, with a lot of details and factors to consider, including encoding, type, logic and so on, and one careless step can be self-defeating.
Therefore, making a program as secure as possible requires a programmer with a certain degree of security awareness and knowledge, who takes security factors into account from the bottom of the program up.
Personally, I think the level of the domestic PHP security circle is quite high and there is a lot of material. I recommend two sites with plenty of relevant information; anyone interested can refer to them:
http://80vul.com
http://bbs.wolvez.org
Do not use external parameters directly, do not construct query statements directly, use prepared statements for parameter filling, and so on.
1. Do not casually enable error display on a production webserver.
2. Never trust variable input from the user side. Variables with a fixed format must be strictly checked against that format; variables without a fixed format need the necessary filtering and escaping of special characters such as quotes.
3. Use precompiled SQL statements with bound variables.
4. Do a good job of database account permission management.
5. Strictly encrypt users' confidential information.
SQL injection attack techniques and precautions, from "Web Security". I'll give two methods: Hungarian notation and injection attempt detection.
Don't look down on Hungarian notation; it isn't meant to treat you as a fool. Add the type name after the variable name. The real practice is: name strings that have not been escaped or filtered according to your own convention, and give escaped strings a suffix such as _f or _ss. When you write code, you will then naturally require the incoming string to be filtered.
Injection attempt detection is relatively simple: as a hacker, if you want to attack, you will make a number of injection attempts, and during that period you are almost certain to construct an invalid SQL statement, which will error on execution. Write a wrapper for the database query function, and if it finds an invalid SQL statement being executed, raise an alarm by mail or some other means.
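As an added example (not code from any of the replies), the following PHP puts the earlier prepare/bind advice and the ATTR_EMULATE_PREPARES setting together with the query wrapper that raises an alarm on failed statements; the table, rows, in-memory SQLite database and alert sink are constructed for the demo, and the MySQL-specific option is only applied when the DSN is a mysql: one.

```php
<?php
// Added example, not code from any reply above. A small PDO wrapper combining
// the thread's advice: server-side prepare/bind, the ATTR_EMULATE_PREPARES
// setting mentioned for pdo_mysql, and an alarm whenever a statement fails
// (the trace that injection probing leaves behind). Table, rows and the
// alert sink are constructed for this demo.
function openDb(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    $options = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
    if (strncmp($dsn, 'mysql:', 6) === 0) {
        // Without this, pdo_mysql interpolates values client-side instead of
        // sending a real prepared statement to the server.
        $options[PDO::ATTR_EMULATE_PREPARES] = false;
    }
    return new PDO($dsn, $user, $pass, $options);
}

// Runs a parameterised query; values in $params are bound, never spliced.
// On failure the SQL and driver error are appended to $alerts (assumption:
// in production this would be mail or a log watched by monitoring) and rethrown.
function safeQuery(PDO $db, string $sql, array $params, array &$alerts): array
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        $alerts[] = sprintf('SQL failed (SQLSTATE %s): %s | %s',
                            $e->getCode(), $e->getMessage(), $sql);
        throw $e;
    }
}

// Demo on an in-memory SQLite database with constructed data.
$alerts = [];
$db = openDb('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'secret')");
// The classic probe string, bound as a value, is compared as data and matches nothing.
$rows = safeQuery($db, 'SELECT * FROM users WHERE name = ? AND password = ?',
                  ["' OR '1'='1", 'x'], $alerts);
printf("rows for probe value: %d, alerts so far: %d\n", count($rows), count($alerts));
// A genuinely malformed statement, as string splicing produces, fails at prepare time.
try {
    safeQuery($db, "SELECT * FROM users WHERE name = 'alice", [], $alerts);
} catch (PDOException $e) {
    echo "alert raised: {$alerts[0]}\n";
}
```

Run with the pdo_sqlite extension enabled; the first query returns no rows and adds no alert, the second adds one alert entry before the exception propagates.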
Of course... The ones who worry about SQL injection are the backward programmers who build SQL queries by splicing strings. A normal programmer will go for an ORM. The approach I'm using is:
1. Conduct security training for team members so they can identify the most common attack methods and are guided to block them within the code.
2. Use a reverse proxy such as Nginx for URL parameter filtering, which can basically block 90% of attacks.
3. Set strict permissions on disk files.
4. Have a scheduled task script periodically (for example, hourly) traverse and search the program source code; attacks of the usual level will not escape this check.
5. Automatically analyze the dangerous URLs filtered by nginx, and have the firewall directly block IPs that exceed the threshold.