Home > Website Builders > Cloud Servers

PHP to prevent SQL statements to inject common methods: Filtering method

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

PHP to prevent SQL statements to inject common methods: Filtering method

?
$id =$_get["id"];
$query = "SELECT * from my_table where id= '". $id. "'"; Injection vulnerability $result=mysql_query ($query);
It is clear that we can use injection to get the rest of the database.
You can use the following methods to prevent injection.
Inject the same, you can look at the previous black defense. Then let's look at the processing of the variable by the POST method:
$text 1=$_post["Text1"];
$text 2=$_post["Text2"];
$text 3=$_post["Text3"];
If these data can be directly written to the database, there will be a large loophole.

Vulnerability Resolution:
The solution to this vulnerability is simply to filter all the submitted variables strictly. Replace some sensitive characters. We can use the Htmlspecialchars () function provided by PHP to replace the content of HTML. Here is an example:
Constructing filter functions
function Flt_tags ($text)
{
$badwords =array ("Sensitive word 1", "sensitive word 2"); Vocabulary filter List Write down the words that you think are sensitive
$text =rtrim ($text);
foreach ($badwords as $badword)//The filtering of words here
{
if (Stristr ($text, $badword) ==true) {die (Error: The content you submitted contains sensitive words, please do not submit sensitive content.) "); }
}
$text =htmlspecialchars ($text); HTML replacement
These two lines replace the carriage return with the

$text =str_replace ("", "", $text);
$text =str_replace ("", "", $text);
$text =str_replace ("&line;", "│", $text); Text Database Separator "&line;" Replace with Full-width "│"
$text =preg_replace ("/s{2}/", "", $text); Space substitution
$text =preg_replace ("//", "", $text); or space replacement
if (GET_MAGIC_QUOTES_GPC ()) {$text =stripslashes ($text);///If Magic_quotes is turned on, replace
return $text;
}

$text 1=$_post["Text1"];
$text 2=$_post["Text2"];
$text 3=$_post["Text3"];

Filtered data
The above data is filtered, it can be used directly, basically is safe.

?>

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More