Home >Backend Development >PHP Tutorial >Simple analysis of preventing sql injection in php, phpsql injection_PHP tutorial
Simple analysis of preventing sql injection in php, phpsql injection_PHP tutorial
- WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOriginal
- 2016-07-13 10:02:491151browse
A simple analysis of php to prevent sql injection, phpsql injection
This article analyzes a simple method of php to prevent sql injection. Share it with everyone for your reference. The details are as follows:
Here is just a simple method
There are many ways to prevent Sql injection. What I want to talk about here is actually one of the methods in the vulnerability drill platform Dvwa
Just look at the high level ones
$id = $_GET['id'];
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
if (is_numeric($id)){
$getid = "SELECT first_name,last_name FROM users WHERE user_id='$id'";
$result = mysql_query($getid) or die('<pre class="brush:php;toolbar:false">'.mysql_error().'');
$num = mysql_numrows($result);
It can be seen that the way it is processed is to first remove the backslashes in the variable through the stripslashes function,
Then use the function mysql_real_escape_string to escape special characters.
So when we write code like
$getid="SELECT first_name,last_name FROM users WHERE user_id='$id'";
Our simplest method is
Directly process the variable $id with stripslashes and mysql_real_escape_string.
Note: This is not to say that this is safe. This is just one of the methods. I am not saying that this is safe. More needs to be dealt with based on the actual situation.
I hope this article will be helpful to everyone’s PHP programming design.