Common methods of preventing SQL injection in PHP: the filtering method
A typical GET handler builds the statement by string concatenation:

    $id = $_GET["id"];
    $query = "SELECT * FROM my_table WHERE id='" . $id . "'";   // injection vulnerability
    $result = mysql_query($query);                               // mysql_* extension, removed in PHP 7

Because the value of id is copied straight into the SQL text, a request can close the quote and append its own conditions or clauses, and so read the rest of the database. The injection mechanism is the same one discussed in the earlier defence section. The methods below can be used to prevent it. The same problem appears with variables taken from POST:

    $text1 = $_POST["text1"];
    $text2 = $_POST["text2"];
    $text3 = $_POST["text3"];

If these values are written to the database directly, the application has the same hole.
Vulnerability resolution: filter every submitted variable strictly and replace the sensitive characters. PHP's htmlspecialchars() function converts the HTML special characters. Here is an example, a filter function:

    function flt_tags($text)
    {
        $badwords = array("sensitive word 1", "sensitive word 2"); // vocabulary filter list: write down the words you consider sensitive
        $text = rtrim($text);
        foreach ($badwords as $badword) {                           // word filtering
            // stristr() returns false when the word is absent, so compare strictly
            if (stristr($text, $badword) !== false) {
                die("Error: the content you submitted contains sensitive words, please do not submit sensitive content.");
            }
        }
        // HTML replacement; ENT_QUOTES also encodes single quotes, which the default flags left alone before PHP 8.1
        $text = htmlspecialchars($text, ENT_QUOTES);
        // These two lines replace the carriage return / newline with <br /> (the tag was lost from the page and is restored here)
        $text = str_replace("\r\n", "<br />", $text);
        $text = str_replace("\n", "<br />", $text);
        $text = str_replace("&line;", "│", $text);   // text-database separator "&line;" replaced with full-width "│"
        $text = preg_replace("/\s{2}/", " ", $text);  // space substitution
        $text = preg_replace("/\t/", " ", $text);     // also space substitution (original pattern not recoverable; a tab is assumed)
        // If magic_quotes is on, remove the slashes it added (magic quotes were removed in PHP 5.4; the function is gone in PHP 8)
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $text = stripslashes($text);
        }
        return $text;
    }

One caveat a practitioner should keep in mind: this is a content filter, not an SQL escaping routine. HTML-encoding the quotes happens to break the simple quote-based payload above, but the stripslashes() at the end removes exactly the escaping magic_quotes added, so the returned string must still not be concatenated into a query. Use flt_tags() for the sensitive-word and HTML purposes it was written for, cast numeric parameters such as id to int, and pass every value into the database through a prepared statement (PDO or mysqli) rather than into the SQL text.
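The following is an added example, not code from the original article: the GET query from the article rewritten as a PDO prepared statement, placed next to the concatenated form so the effect of a crafted id is visible, plus the same treatment for the three POST fields. The function names find_by_id and save_texts, the messages table, and the DSN and credentials are assumptions made for the example.

```php
<?php
// Added example, not part of the original article. Assumptions: a PDO/MySQL
// connection, a table my_table(id INT PRIMARY KEY, ...) and a table
// messages(text1, text2, text3); DSN and credentials are placeholders.
declare(strict_types=1);

// The article's vulnerable construction, kept as a pure string builder so the
// effect of a crafted id can be seen without a database.
function vulnerable_query(string $id): string
{
    return "SELECT * FROM my_table WHERE id='" . $id . "'";
}

// Hardened lookup: validate the shape, then bind the value as a parameter so it
// is sent separately from the SQL text and cannot alter the statement.
function find_by_id(PDO $pdo, string $rawId): array
{
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM my_table WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Free-text POST fields: bind them unchanged. Word filtering (flt_tags above)
// is a content policy; HTML escaping belongs at output time, not in the SQL path.
function save_texts(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO messages (text1, text2, text3) VALUES (:t1, :t2, :t3)'
    );
    $stmt->execute([
        ':t1' => $post['text1'] ?? '',
        ':t2' => $post['text2'] ?? '',
        ':t3' => $post['text3'] ?? '',
    ]);
}

// Constructed input: the classic tautology. Concatenated, it becomes
//   SELECT * FROM my_table WHERE id='1' OR '1'='1'
// which matches every row; in the hardened path it fails ctype_digit() and is
// rejected before any SQL is sent.
$crafted = "1' OR '1'='1";
echo vulnerable_query($crafted), PHP_EOL;

$pdo = new PDO('mysql:host=127.0.0.1;dbname=test', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

try {
    find_by_id($pdo, $crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
print_r(find_by_id($pdo, $_GET['id'] ?? '1'));
save_texts($pdo, $_POST);
```

PDO::ATTR_EMULATE_PREPARES is set to false so the MySQL server itself receives the statement and the parameters separately; with emulation on, PDO quotes the values client-side, which is still safe for ordinary strings but depends on the connection character set being set correctly in the DSN.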