A brief analysis of methods to prevent SQL injection during PHP login process (PHP tutorial)
Problems with these details of SQL injection usually come from careless or novice programmers who do not apply the necessary filtering to the data users submit, so that an attacker probing the site can break into the database. This article briefly introduces the SQL injection that may occur when a user logs in without a secure configuration. Let's take a look.
For example, the following login code:
```php
<?php
// Connect to the database (the mysql_* extension used here was removed in PHP 7)
$l = @mysql_connect('localhost', 'root', '123') or die('数据库连接失败');
mysql_select_db('test');
mysql_set_charset('utf8');
// User input is interpolated straight into the query text: this is the injection point
$sql = "select * from test where username = \"$username\" and password = \"$password\"";
$res = mysql_query($sql);
if (mysql_num_rows($res)) {
    header('Location:./home.php');
} else {
    die('输入有误');
}
```
Look closely at the SQL statement above: it carries a serious security risk. With the following universal password or universal username, anyone can get into the page:

```php
$sql = 'select * from test where username = "***" and password = "***" or 1 = "1"';
```

Obviously, the universal password for this SQL statement is: `***" or 1 = "1`

```php
$sql = 'select * from test where username ="***" union select * from users/* and password = "***"';
```

`/*` opens a comment, so everything after it is not executed. MySQL supports union queries, so all the data can be queried directly; the universal username for this SQL statement is therefore: `***" union select * from users/*`
However, these payloads only target the quoted form of the SQL statement in the code. If instead the values are not quoted:

```php
$sql = "select * from test where username = $username and password = $password";
```

then at least the injections above no longer work as written, but the method is the same: the input is still pasted into the query text.
Once PDO is used, with prepared statements and bound parameters, SQL injection of this kind can be avoided completely; and in this era of rapid development, where frameworks are everywhere, there is no need to think too much about SQL injection issues.
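As an added example (not code from the original article), here is the article's login check written as a PDO prepared statement, run against an in-memory SQLite database so the script works offline (the article uses MySQL; SQLite, the table name `test`, the sample user and the function names are assumptions of this example). The interpolated query from the article is built only as a string for comparison and is never executed; the prepared statement compares the universal password as a plain string value, so it does not log anyone in.

```php
<?php
// Added example, not code from the original article. It runs the article's
// login check as a PDO prepared statement against an in-memory SQLite
// database (an assumption so the script runs offline; the article uses MySQL).
// Table "test" with columns username and password follows the article;
// the sample user is constructed for this example.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (username TEXT NOT NULL, password TEXT NOT NULL)');
// Constructed sample row; the article stores the password as-is, kept here for parity
$seed = $pdo->prepare('INSERT INTO test (username, password) VALUES (?, ?)');
$seed->execute(['alice', 's3cret']);

// The article's approach: string interpolation. Built only as a string, never executed.
function buildInterpolatedSql(string $username, string $password): string
{
    return 'select * from test where username = "' . $username
        . '" and password = "' . $password . '"';
}

// Hardened approach: the SQL text is fixed, the values travel separately as bound parameters.
function loginWithPdo(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM test WHERE username = :u AND password = :p');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':p', $password, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchColumn() !== false;
}

$universal = '***" or 1 = "1';   // the article's universal password

// What the article's code would have sent to the database
echo buildInterpolatedSql('***', $universal), PHP_EOL;

// Real credentials succeed; the universal password is just a 14-character string that matches no row
var_dump(loginWithPdo($pdo, 'alice', 's3cret'));
var_dump(loginWithPdo($pdo, '***', $universal));
```

The important design point is that the query text passed to `prepare()` contains no user data at all; whatever the user types in arrives at the database as a value, so quotes, `or`, `union` and `/*` have no syntactic meaning there.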
Here are two filter functions (one for integers, one for strings) used to guard against SQL injection:

```php
<?php
$get = [];
$post = [];

/* Filter all variables arriving via GET */
foreach ($_GET as $get_key => $get_var) {
    if (is_numeric($get_var)) {
        $get[strtolower($get_key)] = get_int($get_var);
    } else {
        $get[strtolower($get_key)] = get_str($get_var);
    }
}

/* Filter all variables arriving via POST */
foreach ($_POST as $post_key => $post_var) {
    if (is_numeric($post_var)) {
        $post[strtolower($post_key)] = get_int($post_var);
    } else {
        $post[strtolower($post_key)] = get_str($post_var);
    }
}

/* Filter functions */
// Integer filter function
function get_int($number)
{
    return intval($number);
}

// String filter function
// Note: magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself was
// removed in PHP 8.0; on current PHP this always falls through to addslashes()
function get_str($string)
{
    if (!get_magic_quotes_gpc()) {
        return addslashes($string);
    }
    return $string;
}
```
Some blogs also write it like this:

```php
<?php
function post_check($post)
{
    if (!get_magic_quotes_gpc()) {          // check whether magic_quotes_gpc is enabled
        $post = addslashes($post);          // escape the submitted data when magic_quotes_gpc is off
    }
    $post = str_replace("_", "\_", $post);  // escape '_' (a LIKE wildcard)
    $post = str_replace("%", "\%", $post);  // escape '%' (a LIKE wildcard)
    $post = nl2br($post);                   // convert line breaks
    $post = htmlspecialchars($post);        // convert HTML markup
    return $post;
}
?>
```
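The two filters above mix three different concerns into one pass over the input: escaping for SQL string literals (`addslashes`), escaping for `LIKE` wildcards (`_` and `%`), and escaping for HTML (`nl2br`, `htmlspecialchars`), and the result is what gets stored. As an added example (not code from the original article or the blogs it quotes), the version below keeps each concern where it belongs: validate at input, let PDO bind values for SQL, escape `LIKE` wildcards only in a `LIKE` pattern, and escape HTML only when a value is rendered. The `users` table, the username policy, the sample rows and the `$fakePost` array are assumptions of this example; it runs offline against an in-memory SQLite database.

```php
<?php
// Added example, not code from the original article. Each concern is handled
// in its own place; the users table, the username rule, the sample rows and
// $fakePost are constructed for this example.

declare(strict_types=1);

// Input validation: accept only what the field is meant to hold.
function readInt(array $source, string $key): ?int
{
    $v = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

function readUsername(array $source, string $key): ?string
{
    $v = $source[$key] ?? '';
    if (!is_string($v)) {
        return null;
    }
    // Constructed policy: 3 to 32 characters of letters, digits or underscore
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $v) === 1 ? $v : null;
}

// SQL: no escaping of values at all; the driver keeps them out of the query text.
function findUserByName(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// LIKE patterns need their wildcards escaped even with bound parameters; this is
// the only place the "_" and "%" replacement from the blog snippet belongs.
function searchUsers(PDO $pdo, string $fragment): array
{
    $escaped = addcslashes($fragment, '\\%_');
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username LIKE :pat ESCAPE '\\'");
    $stmt->execute([':pat' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// HTML: escape on the way out to the page, not on the way into the database,
// so the stored value stays intact and can be reused in non-HTML contexts.
function renderBio(array $user): string
{
    return '<p>' . htmlspecialchars($user['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, bio TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (username, bio) VALUES (?, ?)');
$seed->execute(['alice', "likes <b>bold</b> & O'Reilly books"]);   // constructed row, stored verbatim
$seed->execute(['al_ice', 'second sample user']);                  // constructed row

$fakePost = ['user' => 'alice', 'id' => '7'];   // constructed stand-in for $_POST
$name = readUsername($fakePost, 'user');
$id = readInt($fakePost, 'id');

if ($name !== null && ($user = findUserByName($pdo, $name)) !== null) {
    echo renderBio($user), PHP_EOL;
}
// The underscore in the search fragment is matched literally, not as a wildcard
var_dump(searchUsers($pdo, 'al_'));
var_dump($id);
```

Applying `htmlspecialchars` at input time, as the blog snippet does, changes what is stored (`&` becomes `&amp;`, quotes become entities), which then leaks into e-mails, JSON APIs and exports; escaping at render time keeps the database holding the real value and still protects the page.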