Php Chinese network (www.php.cn) provides the most comprehensive basic tutorial on programming technology, introducing HTML, CSS, Javascript, Python, Java, Ruby, C, PHP, basic knowledge of MySQL and other programming languages. At the same time, this site also provides a large number of online instances, through which you can better learn programming... Reply content:
No injection without compilationTo prevent the submitted data from being compiled,
Parameter bindingThis is a method to prevent data submission from being compiled. With PDO or MySQLi, there are many convenient classes encapsulated.
For example, use PHP-PDO-MySQL-Class · GitHub
(This Class is similar to Python's MySQLdb), so it is safe:
query("SELECT * FROM fruit WHERE name IN (?)",array($_GET['pm1'],$_GET['pm2']));$DB->query("SELECT * FROM users WHERE name=? and password=?",array($_GET['name'],$_GET['pw']));?>
The best way to prevent SQL injection is to use the prepare and bind of PDO instead of assembling SQL commands and parameters by yourself.
The principle is to separate your SQL query command from the passed parameters:
> In prepare, the DB server parses your SQL statement into an SQL command.
> In bind mode, only SQL commands parsed by DB Server are passed dynamically.
All other whitelists such as filter special strings are flushed. to prevent SQL injection, use mysqli or PDO pre-compilation. If you use a framework, pay attention to how the framework is handled internally. This method of splicing SQL statements has long been a waste of history.
In addition, the pre-compilation of PDO has a bug. mysql _ * is called by default before 5.3.6. you need to set $ pdo-> setAttribute (PDO: ATTR_EMULATE_PREPARES, false );. Prepare & bind. To put it simply, for SQL injection of PHP programs, it is the most important method to filter the input and output data securely.
Of course, it is simple to say. it is really complicated. There are many details and factors to consider, including encoding, type, pre-and post-logic, etc. a careless handling will be self-defeating.
Therefore, to ensure program security as much as possible, the programmer must have a certain degree of security awareness and knowledge, and take the security factors into consideration from the underlying construction of the program.
I personally think that the domestic PHP Security circle is still quite high, and there are a lot of materials in all aspects. we recommend two websites with a lot of related information. if you are interested, refer to the following:
Http://80vul.com
Http://bbs.wolvez.org
Do not directly use external parameters. do not directly construct query statements or fill in parameters using statement. 1. do not enable the error display of Webserver in the production environment.
2. never trust the input of variables from the user end. variables with fixed formats must strictly check the corresponding formats, variables with no fixed format need to be filtered and escaped for special characters such as quotation marks.
3. use the pre-compiled SQL statement to bind the variable.
4. Manage Database account permissions.
5. Strictly encrypt and process users' confidential information.
SQL injection attack techniques and prevention for Web security 」. Two methods are provided: the Hungarian naming method and the injection test method.
Don't look down on Hungary's naming method. the intention of this product is not the same as what you think, just add the type name after the variable name. The real practice is: strings that are not filtered by escape are named according to your own habits. the strings after escape are appended with suffix similar to _ f or _ ss. When writing code, you will naturally require that all input strings be filtered.
Injection test is relatively simple: as a hacker, if an attack is required, multiple injection attempts will be performed. during this period, an invalid SQL statement can be constructed, an error is reported during execution. Write a database query function for encapsulation. if an invalid SQL statement is executed, send an alarm by email or other means.
Of course... Worried about SQL injection, they are all programmers who use concatenated strings for SQL queries. Normal programmers will find an ORM. The method I use is:
1. conduct security training for team members to find out the most common attack methods and guide the code blocking methods one by one
2. use reverse proxies such as nginx to filter url parameters, which can basically block 90% of attacks
3. set disk file height permissions
4. the script of the scheduled task periodically traverses the source code of the program (such as every hour) and searches for the program. generally, horizontal attacks cannot escape this troubleshooting.
5. automatically analyzes dangerous URLS filtered out by nginx, and blocks ip addresses that exceed the threshold from the firewall.
