Home >Backend Development >PHP Tutorial >How to prevent SQL injection in PHP, phpsql injection_PHP tutorial
[1. Configuration on the server side]
Security, PHP code writing is one aspect, and PHP configuration is very critical.
We installed PHP manually. The default configuration file of PHP is in /usr/local/apache2/conf/php.ini. Our most important thing is to configure the content in php.ini so that we can execute PHP safer. The security settings in the entire PHP are mainly to prevent attacks from phpshell and SQL Injection. Let’s discuss it slowly. We first use any editing tool to open /etc/local/apache2/conf/php.ini. If you install it in other ways, the configuration file may not be in this directory.
(1) Turn on PHP’s safe mode
php’s safe mode is a very important built-in security mechanism that can control some functions in PHP, such as system(),
At the same time, the permissions of many file operation functions are controlled, and certain key files, such as /etc/passwd, are not allowed.
However, the default php.ini does not open the safe mode. We turn it on:
safe_mode = on
(2) User group security
When safe_mode is turned on, safe_mode_gid is turned off, then the php script can access the file, And users in the same
group can also access the file.
It is recommended to set it to:
safe_mode_gid = off
If you don’t set it, we may not be able to operate the files in the directory of our server website, for example, we need to
When operating on files.
(3) Home directory for executing programs in safe mode
If safe mode is turned on but you want to execute certain programs, you can specify the home directory for executing the program:
safe_mode_exec_dir = D:/usr/bin
Generally, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory,
and then Copy the program that needs to be executed, for example:
safe_mode_exec_dir = D:/tmp/cmd
However, I recommend not to execute any program, then you can point to our web directory:
safe_mode_exec_dir = D:/usr/www
(4) Include files in safe mode
If you want to include some public files in safe mode, then modify the options:
safe_mode_include_dir = D:/usr/www/include/
In fact, generally the files included in php scripts have been written in the program itself. This can be set according to specific needs.
(5) Control the directories that PHP scripts can access
Use the open_basedir option to control that PHP scripts can only access specified directories, which can prevent PHP scripts from accessing
should not The accessed files limit the harm of phpshell to a certain extent. We can generally set it to only access the website directory:
open_basedir = D:/usr/www
(6) Turn off dangerous functions
If safe mode is turned on, function prohibition is not necessary, but we still consider it for safety. For example,
we feel that we do not want to execute php functions including system() that can execute commands, or functions such as
phpinfo() that can view php information, then we can Disable them:
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
If you want to disable any file and directory operations, you can turn off many file operations
disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown
The above only lists some of the commonly used file processing functions. You can also combine the above execution command function with this function.
can resist most phpshells.
(7) Turn off the leakage of PHP version information in the http header
In order to prevent hackers from obtaining the PHP version information in the server, we can turn off the leakage of the information in the http header:
expose_php = Off
For example, when a hacker telnet www.12345.com 80, he will not be able to see the PHP information.
(8) Turn off registration of global variables
Variables submitted in PHP, including variables submitted using POST or GET, will be automatically registered as global variables and can be accessed directly,
This is very unsafe for the server, so we can’t let it be registered as a global variable, so we turn off the register global variable option:
register_globals = Off
Of course, if it is set like this , then you must use reasonable methods to obtain the corresponding variables, such as obtaining the variable var submitted by GET,
then you must use $_GET['var'] to obtain it, PHP programmers should pay attention to this.
(9) Turn on magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem. In the smallest case, the website backend is invaded, and in the worst case, the entire server collapses.
So be sure Be careful. There is a setting in php.ini:
magic_quotes_gpc = Off
This is off by default. If it is turned on, it will automatically convert user-submitted SQL queries,
For example, converting ' to ', etc., this plays a significant role in preventing SQL injection. So we recommend setting it to:
magic_quotes_gpc = On
(10) Error message control
Generally, PHP will prompt an error when it is not connected to the database or under other circumstances. Generally, the error message will contain the PHP script when
or the query SQL statement and other information are not safe after this kind of information is provided to hackers, so it is generally recommended that the server disable error prompts:
display_errors = Off
If you want to display error information, be sure to set the level of error display, for example, only display information above warnings:
error_reporting = E_WARNING & E_ERROR
Of course, I still recommend turning off errors. hint.
(11) Error log
It is recommended to record the error information after turning off display_errors to facilitate finding the reason for the server operation:
log_errors = On
At the same time, you must also set the directory where the error log is stored. It is recommended that the root apache log be stored together:
error_log = D:/usr/local/apache2/logs/php_error.log
Note: Give The file must allow write permissions for the apache user and group.
Run MYSQL with reduced privileges
Create a new user such as mysqlstart
net user mysqlstart fuckmicrosoft /add
net localgroup users mysqlstart /del
Does not belong to any group
If MYSQL is installed in d:mysql, then give mysqlstart full control permissions
Then set the MYSQL service attributes in the system service, in the login attributes Among them, select this user mysqlstart and then enter the password and confirm.
Restart the MYSQL service, and then MYSQL will run with low privileges.
If apache is built on a windos platform, we need to pay attention to one thing. Apache runs with system permissions by default.
This is scary and makes people feel very uncomfortable. Then we will give apache Reduce the permissions.
net user apache fuckmicrosoft /add
net localgroup users apache /del
ok. We created a user apche that does not belong to any group.
We open the computer manager, select services, click on the properties of the apache service, we select log on, select this account, we fill in the account and password created above,
Restart the apache service , ok, apache is running with low permissions.
In fact, we can also set the permissions of each folder so that the apache user can only perform what we want it to do, and create a separate read-write user for each directory.
This is also a popular configuration method used by many virtual host providers. However, this method is overkill when used to prevent this.
[2. Writing in PHP code]
Although many domestic PHP programmers still rely on addslashes to prevent SQL injection, it is still recommended that everyone strengthen checks to prevent SQL injection in Chinese. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte character. 0xbf5c is still regarded as a single quote, so addslashes cannot successfully intercept.
Of course, addslashes is not useless. It is used for processing single-byte strings. For multi-byte characters, use mysql_real_escape_string.
In addition, for the example of get_magic_quotes_gpc in the PHP manual: if (!get_magic_quotes_gpc()) {
$lastname = addslashes($_POST['lastname']);
} else {
$lastname = $_POST['lastname'];
}
It is best to check $_POST[’lastname’] when magic_quotes_gpc is already open.
Let’s talk about the difference between the two functions mysql_real_escape_string and mysql_escape_string:
mysql_real_escape_string can only be used under (PHP 4 >= 4.3.0, PHP 5). Otherwise, you can only use mysql_escape_string. The difference between the two is: mysql_real_escape_string takes into account the current character set of the connection, while mysql_escape_string does not.
To summarize:
* addslashes() is a forced addition;
* mysql_real_escape_string()
will determine the character set, but there are requirements for the PHP version; * mysql_escape_string does not consider the current characters of the connection set.
-------------------------------------------------- --------------------------------------------------
When coding in PHP, if you consider some basic security issues, first of all:
1. Initialize your variables
Why do you say this? Let’s look at the following code:
PHP code >
echo 'Login successful! ';
include('admin.php'); {
echo 'You are not an administrator and cannot manage! ';
}
?>
Okay, we see that the above code seems to be running normally, there is no problem, then join me to submit If an illegal parameter passes, what will be the effect? For example, our page is http://daybook.diandian.com/login.php, then we submit: http://daybook.diandian.com/login.php?admin=1, haha, think about it, we are Either you are an administrator directly, you manage it directly.
Of course, maybe we won’t make such a simple mistake, then some very secret mistakes may also cause this problem. For example, there is a loophole in the phpwind forum, which allows us to directly obtain administrator privileges because there is The $skin variable was not initialized, which caused a series of problems later. So how do we avoid the above problems? First, start with php.ini and set register_global =off in php.ini. This means that not all registered variables are global, so this can be avoided. However, we are not server administrators and can only improve it from the code. So how do we improve the above code? We rewrite it as follows: PHP code ['admin_user'] && $_POST['admin_pass'])
{
// Determine whether the submitted administrator username and password are correct and process accordingly Code
// ...
$admin = 1;
}
else
> if ($ admin)
{
echo 'Login successful! ';
include('admin.php'); {
echo 'You are not an administrator and cannot manage! ';
} admin=1 is not easy to use, because we initialized the variable to $admin = 0 at the beginning, then you cannot obtain administrator privileges through this vulnerability.
2. Prevent SQL Injection (sql injection) SQL injection should be the most harmful program at present, including the earliest from asp to php, which are basically popular technologies in China in the past two years. The basic principles It is to form an injection point by not filtering the submitted variables and then enable malicious users to submit some SQL query statements, resulting in important data being stolen, data lost or damaged, or being invaded into the backend management.
So now that we understand the basic injection intrusion method, how can we prevent it? We should start with the code.
We know that there are two ways to submit data on the Web, one is get and the other is post. So many common SQL injections start from the get method, and the injection statement must contain some SQL statement, because there is no sql statement, how to proceed? There are four major sql statements: select, update, delete, and insert. So if we filter the data we submit, can we avoid these problems? So we use regular expressions to construct the following function: PHP code
> {
return eregi('select|insert|update|delete|'|
function verify_id($id=null)
{
if (!$id) { exit('No parameters submitted!'); } // Determine whether it is empty
elseif (inject_check($id )) { exit('The submitted parameters are illegal!'); } // Injection judgment
elseif (!is_numeric($id)) { exit('The submitted parameters are illegal!'); } // Numerical judgment
$id = intval($id); // Integerization >
Haha, then we can verify it, so our program code above becomes the following: PHP code
if (inject_check($_GET['id']))
{
exit('The data you submitted is illegal, please check it Resubmit! ');
}
else
{ _id( $_GET['id']); // Our filter function is quoted here to filter $id
echo 'The submitted data is legal, please continue! ';
}
?> Okay, the problem seems to be solved here, but have we considered the data submitted by post , what about large batches of data?
For example, some characters may cause harm to the database, such as ' _ ', ' %'. These characters have special meanings, so what if we control them? Another point is that when magic_quotes_gpc = off in our php.ini, the submitted data that does not comply with the database rules will not automatically add ' ' in front. Then we need to control these problems, so we build it as follows Function: PHP code if (!get_magic_quotes_gpc()) // Determine whether magic_quotes_gpc is open
{
$str = addslashes($str); // Filter
}
$str = str_replace("_", "_", $str); // Filter out '_'
$ str = str_replace("%", "%", $str); // Filter out ' % '
return $str;
}
?> We once again avoided the danger of the server being compromised.
Finally, consider submitting some large batches of data, such as posting, or writing articles or news. We need some functions to help us filter and convert. Based on the above functions, we construct the following Function:
PHP code
function post_check($post)
🎜 > if (!get_magic_quotes_gpc()) // Determine whether magic_quotes_gpc is open
{
$post = addslashes($post); // Check if magic_quotes_gpc is not open Situation filtering of submitted data
}
$post = str_replace("_", "_", $post); // Filter out '_'
$post = str_replace("%", "%", $post); // Filter out ' % '
$post = nl2br($post ); // Enter conversion
$post= htmlspecialchars($post); // HTML tag conversion
return $post; 🎜> }
?> Haha, basically at this point, we have talked about some situations. In fact, I feel that I have said very little, at least I have just I only talked about two aspects, and there is very little content in the entire security. I will consider talking about more next time, including PHP security configuration, Apache security, etc., so that our security can be integrated as a whole and be the safest.
Finally, let me tell you what is expressed above: 1. Initialize your variables 2. Be sure to filter your variables
What is the best way to prevent SQL injection in php?
If the user input is a query that is inserted directly into a SQL statement, the application will be vulnerable to SQL injection, such as the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO table ( column) VALUES ('" . $unsafe_variable . "')"); This is because the user can enter something like VALUE "); DROP TABLE table; - , making the query become: Use prepared statements and parameterized queries. SQL statements with any parameters will be sent to the database server and parsed! It is impossible for an attacker to maliciously inject SQL! There are basically two options to achieve this goal: 1. Use PDO (PHP Data Objects): $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name'); $stmt->execute(array(':name' => $name)); foreach ($stmt as $ row) { // do something with $row }2. Use mysqli:$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?'); $stmt->bind_param('s', $ name); $stmt->execute(); $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { // do something with $row }PDO(PHP Data Object) Note that real prepared statements are not used by default when using PDO! To solve this problem, you must disable emulation of prepared statements. An example of using PDO to create a connection is as follows: $dbConnection = new PDO(' mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass'); $dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $dbConnection->setAttribute(PDO: :ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);The error mode ERRMODE is not strictly required in the above example, but it is recommended to add it. This method does not stop the script when a fatal error occurs. And give the developer a chance to catch any errors (when PDOException is thrown). The setAttribute() line is mandatory, it tells PDO to disable emulated prepared statements and use real prepared statements. This ensures that statements and values are not parsed by PHP before being sent to the MySQL database server (an attacker has no chance of injecting malicious SQL). Of course you can set the character set parameter in the constructor options, paying special attention to 'old' PHP versions ( 5.3.6) will ignore the character set parameter in the DSN. The most important thing here is that the parameter value is combined with a precompiled statement, not with a SQL string. The working principle of SQL injection is that the SQL script created by deception includes a malicious string... The rest of the full text>>
Well, this is the answer given by my teacher
Answer: Filter some common database operation keywords,
select, insert, update, delete, and, *, etc. or use the system function addslashes to Content filtering
In the PHP configuration file, register_globals=off; is set to the off state. (The effect is to turn off the registered global variables); such as receiving the value of the POST form, use $_POST['user'], assuming it is set to ON, then $user Only receive the value
When writing the SQL statement, try not to omit the small quotation marks (the one above the tab) and single quotation marks
Improve your database naming skills. Name some important fields according to the characteristics of the program to make them less likely to be guessed
Encapsulate common methods to avoid directly exposing SQL statements
Turn on PHP safe mode safe_mode=on
Turn on magic_quotes_gpc to prevent SQL injection. The default is off. After turning it on, it will automatically convert the SQL query statement submitted by the user. Convert "'" to "\'"
Control error message output, turn off error message prompts, and write error messages to the system log
Use MYSQLI or PDO preprocessing