search
HomeBackend DevelopmentPHP Tutorialaddslashes and other methods of clearing spaces are unsafe, addslashes spaces_PHP tutorial

addslashes and other methods of clearing spaces are unsafe, addslashes spaces

are unsafe, partly because there are so many spaces in the characters, for example "The problem with addslashes is that hackers can use 0xbf27 instead of single quotes, and addslashes just changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte character. 0xbf5c is still regarded as a single quote, so addslashes cannot successfully intercept. "

It is best to verify whether it is int or not according to the specific parameter requirements, plus the parameter operation method of the database. In fact, this is a SQL problem of the database, which should be solved from the source database itself, but some databases provide corresponding It’s just a method.

------------------------------------------------- ---

Differences in several built-in functions of PHP to prevent SQL injection attacks
2010-12-24 13:09:22

SQL injection attack is the most common method used by hackers to attack websites. If your site does not use strict user input validation, it is often vulnerable to SQL injection attacks. SQL injection attacks are usually implemented by submitting bad data or query statements to the site database, which may cause records in the database to be exposed, changed or deleted.

In order to prevent SQL injection attacks, PHP comes with a function that can process the input string and perform preliminary security processing on the input at the lower level, that is, Magic Quotes. (php.ini magic_quotes_gpc). If the magic_quotes_gpc option is enabled, single quotes, double quotes, and other characters in the input string will be automatically preceded by backslashes.

But Magic Quotes is not a very universal solution, it does not block all potentially dangerous characters, and Magic Quotes is not enabled on many servers. Therefore, we also need to use various other methods to prevent SQL injection.

Many databases themselves provide this input data processing function. For example, PHP's MySQL operation functions include addslashes(), mysql_real_escape_string(), mysql_escape_string() and other functions, which can escape special characters and characters that may cause database operation errors. So what are the differences between these three functional functions? Let’s talk about it in detail below.

Although many domestic PHP programmers still rely on addslashes to prevent SQL injection, it is recommended that everyone strengthen checks to prevent SQL injection in Chinese. The problem with addslashes is that hackers can use 0xbf27 instead of single quotes, while addslashes only changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte character. 0xbf5c is still regarded as a single quote, so addslashes cannot successfully intercept.

Of course, addslashes is not useless. It is used for processing single-byte strings. For multi-byte characters, use mysql_real_escape_string.

In addition, for the example of get_magic_quotes_gpc in the php manual:
if (!get_magic_quotes_gpc()) {
$lastname = addslashes($_POST['lastname']);
} else {
$lastname = $_POST['lastname'];
}
It is best to check $_POST['lastname'] when magic_quotes_gpc is already open.

Let’s talk about the difference between the two functions mysql_real_escape_string and mysql_escape_string:
mysql_real_escape_string must be used in (PHP 4 >= 4.3.0, PHP 5). Otherwise, you can only use mysql_escape_string. The difference between the two is: mysql_real_escape_string takes into account the current character set of the connection, while mysql_escape_string does not.

To summarize:

* addslashes() is a forced addition;
* mysql_real_escape_string() will determine the character set, but there are requirements for the PHP version;
* mysql_escape_string does not consider the connection the current character set.

The way to prevent sql injection in dz is to use the addslashes function. At the same time, some replacements are made in the dthmlspecialchars function $string = preg_replace(/&(((#(d{3,5}|x[a- fA-F0-9]{4}));)/, &1, This replacement solves the injection problem and also solves some problems with Chinese garbled characters

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/1099424.htmlTechArticleaddslashes and other methods of clearing spaces are unsafe, addslashes and other methods of clearing spaces are unsafe, part The reason is because there are a lot of spaces in the characters, such as "addslash...
Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
如何在 Windows 11 中清除桌面背景最近的图像历史记录如何在 Windows 11 中清除桌面背景最近的图像历史记录Apr 14, 2023 pm 01:37 PM

<p>Windows 11 改进了系统中的个性化功能,这使用户可以查看之前所做的桌面背景更改的近期历史记录。当您进入windows系统设置应用程序中的个性化部分时,您可以看到各种选项,更改背景壁纸也是其中之一。但是现在可以看到您系统上设置的背景壁纸的最新历史。如果您不喜欢看到此内容并想清除或删除此最近的历史记录,请继续阅读这篇文章,它将帮助您详细了解如何使用注册表编辑器进行操作。</p><h2>如何使用注册表编辑

mysql空格表示什么mysql空格表示什么Jul 20, 2023 pm 05:17 PM

mysql空格是一种特殊字符,用于分隔关键字、标识符、值以及其他语句元素,空格可以在SQL语句中的多个位置使用,并且通常不会影响语句的执行。空格的用途:1、用于分隔关键字和标识符;2、用于分隔运算符和值;3、用于分隔函数、列和表别名;4、用于缩进和对齐。

手机中病毒怎么彻底清除 推荐手机中病毒处理方法手机中病毒怎么彻底清除 推荐手机中病毒处理方法Feb 29, 2024 am 10:52 AM

手机在感染了某种木马病毒后,通过杀毒软件是无法发现查杀的,这个原理就像电脑感染了某种顽固病毒一样,只能通过格式化C盘重装系统,才能将病毒彻底清理掉,那么接下来我就讲解一下手机感染顽固病毒后,彻底清理病毒的方法。方法一打开手机依次点击“设置”-其他设置“-”还原手机“,将手机恢复至出厂设置即可。注意:恢复出厂设置前要先备份手机里面的重要资料,出厂设置就等同于电脑的”格式化重装系统一样“,恢复完之后手机里面的资料将会清空。方法二(1)首先将手机关机,然后同时按住手机“电源键”+“音量+键或音量-键”

如何在 Windows 11 中清除保护历史记录:2种方法如何在 Windows 11 中清除保护历史记录:2种方法Apr 23, 2023 am 08:04 AM

当您的PC存储空间不足时,您可以立即查看许多文件夹以释放空间。其中一个消耗很大一部分的是WindowsDefender保护历史记录,但你可以在Windows11中清除它吗?尽管并非完全必要,但删除保护历史记录实际上有助于清除系统上的一些存储空间。对于某些用户来说,这些文件占用了20-25GB的空间,如果您的计算机存储空间不足,这可能会令人生畏。那么,让我们找出什么是保护历史记录,在Windows11中清除它的所有方式,以及如何将其配置为在设置的时间后自动清除。什么是保护历史?M

如何释放WPS云文档空间如何释放WPS云文档空间Feb 24, 2024 pm 06:12 PM

WPS云文档空间满了怎么清除随着云技术的快速发展,越来越多的人开始使用云端存储来存储和管理自己的文件。其中,WPS云文档作为一款智能办公软件,备受用户喜爱。然而,随着使用时间的增长和文件的累积,WPS云文档的存储空间可能会被占满。那么,当WPS云文档的空间满了时,我们应该如何清除呢?接下来,将为大家介绍一些常用的清理方法。第一种方法是彻底删除不需要的文件。W

如何在C语言中清除控制台?如何在C语言中清除控制台?Sep 23, 2023 pm 09:57 PM

有几种方法可以清除控制台或输出屏幕,其中之一是clrscr()函数。它在调用函数时清除屏幕。它在“conio.h”头文件中声明。还有一些其他方法,如system("cls")和system("clear"),它们在“stdlib.h”头文件中声明。以下是在C语言中清除控制台的语法:clrscr();ORsystem(“cls”);ORsystem(“clear”);以下是一个用

vue怎么替换空格vue怎么替换空格Dec 22, 2022 am 09:40 AM

vue实现替换空格的方法:1、创建一个vue示例文件;2、通过正则表达式“string = string.replace(/\s/g," ");”替换所有的空格;3、通过“console.log(string);”输出替换后的字符串即可。

在Python中清除LRU缓存在Python中清除LRU缓存Sep 10, 2023 pm 12:57 PM

Inthisarticle,wewilllearnhowtoclearanLRUcacheimplementedinPython.Beforewedivedeepintothecodingaspect,let'sexplorealittleaboutwhatanLRUcacheisandwhyitispopular.LRUCache,也被称为最近最少使用缓存,是一种在计算机科学中广泛使用的数据结构,通过减少访问频繁使用的数据所需的时间来提高应用程序的性能。LRUCache存储了有限数量的项目,并

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

mPDF

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

SublimeText3 Linux new version

SublimeText3 Linux new version

SublimeText3 Linux latest version

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

PhpStorm Mac version

PhpStorm Mac version

The latest (2018.2.1) professional PHP integrated development tool

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools