Backend DevelopmentPHP Tutorialphp.ini magic_quotes_gpc configuration anti-injection method (1/5)_PHP tutorial
php tutorial.ini magic_quotes_gpc configuration anti-injection method
1. The magic_quotes_gpc option in the php configuration file php.ini is not turned on and is set to off
2. The developer did not check and escape the data type
But in fact, the second point is the most important. I think that checking the data type entered by the user and submitting the correct data type to the mysql tutorial should be the most basic quality of a web programmer. But in reality, many novice web developers often forget this, leaving the backdoor wide open.
Why is the second point the most important? Because without the second guarantee, the magic_quotes_gpc option, whether it is on or off, may cause SQL injection attacks. Let’s take a look at the technical implementation:
1. Injection attack when magic_quotes_gpc = off
Magic_quotes_gpc = off is a very unsafe option in php. The new version of php has changed the default value to on. But there are still quite a few servers with the option off. After all, no matter how antique the server is, there are still people using it.
When magic_quotes_gpc = on, it will automatically add all '(single quotation marks), "(double numbers), (backslashes), and whitespace characters in the submitted variables in front. The following is the official version of PHP Description:
Copy the code The code is as follows:
magic_quotes_gpc boolean
sets the magic_quotes state for gpc (get/post/cookie) operations. when magic_quotes are on, all ' (single-quote), " (double quote), (backslash) and nul's are escaped with a backslash automatically
If there is no escape, that is, in the off case, it will give attackers an opportunity to take advantage. Take the following test script as an example:
Copy the code. The code is as follows:
if ( isset($_post["f_login"] ) )
{
// Tutorial on connecting to database...
//...The code is abbreviated...// Check if the user exists
$t_struname = $_post["f_uname"];
$t_strpwd = $_post["f_pwd"];
$t_strsql = "select * from tbl_users where username='$t_struname' and password = '$t_strpwd' limit 0,1";if ( $t_hres = mysql_query($t_strsql) )
{
// Processing after successful query. Briefly...
}
}
?>sample test
1 2 3 4 5
php.ini怎么关闭缓存Mar 15, 2021 am 09:35 AMphp.ini关闭缓存的方法:1、找到并打开php.ini配置文件;2、找到“opcache.enable”和“opcache.enable_cli”选项,将其修改为“opcache.enable=0”和“opcache.enable_cli=0”;3、保存修改后的文件即可。
如何在Nginx配置Cookie安全策略Jun 10, 2023 pm 12:54 PM随着互联网的不断发展和普及,Web应用程序已成为人们日常生活中必不可少的一部分,这也决定了Web应用程序的安全问题非常重要。在Web应用程序中,Cookie被广泛使用来实现用户身份认证等功能,然而Cookie也存在着安全风险,因此在配置Nginx时,必须设定适当的Cookie安全策略,以保证Cookie的安全性。下面是一些在Nginx中配置Cookie安全策
了解Magic Eden的钻石奖励:赚取的价值和获取方法Jan 26, 2024 pm 05:57 PM之前,SOL链上的主流NFT市场MagicEden推出了Launchpad功能。在此之前,PANews已经介绍了MagicEden的运营状态,并为NFT交易平台和用户提供了优化运营方式和投资方式的分析。最近,MagicEden在运营方面推出了新的活动,引入了钻石奖励,以激励用户使用其产品。在本文中,PANews将详细解释如何获得MagicEden的钻石奖励,并评估这个奖励是否值得赚取。MagicEden钻石奖励是否值得赚取?根据官方博客,MagicEden平台现在通过钻石奖励赋能为用户提供更多长
MySQL连接池的最大连接数如何设置?Jun 30, 2023 pm 12:55 PM如何配置MySQL连接池的最大连接数?MySQL是一个开源的关系型数据库管理系统,被广泛应用于各种领域的数据存储与管理。在使用MySQL时,我们常常需要使用连接池来管理数据库连接,以提高性能和资源利用率。连接池是一种维护和管理数据库连接的技术,它能够在需要时提供数据库连接,并在不需要时回收连接,从而减少了连接的重复创建和销毁。而连接池的最大连接数则是连接池所
外屏最大的小折叠!荣耀Magic V Flip亮相Jun 14, 2024 am 11:21 AM6月13日消息,今日晚间,荣耀首款小折叠屏荣耀MagicVFlip正式登场。和其它小折叠不同,荣耀MagicVFlip带来了行业目前最大竖折魔法外屏,其屏幕尺寸是4.0英寸,采用四曲面等深设计,屏占比达到了史无前例的85%,从此外屏不再是“副屏”,内外皆是主力屏。与此同时,荣耀MagicVFlip外屏还拥有比肩旗舰的屏幕素质,行业领先的荣耀护眼屏,以及全场景智慧交互。据悉,荣耀MagicVFlip外屏是一块全域低功耗LTPO外屏,做到了行业领先的2500nit局部峰值亮度,还有行业
magic系统可以升级成鸿蒙么Dec 22, 2022 pm 02:29 PMmagic系统不可以升级成鸿蒙,因为magic系统属于荣耀手机,而荣耀已经从华为脱离出来,不再属于华为的子公司,所以在2020年11月17日后面发行的荣耀手机都是不支持升级鸿蒙系统的。
Nginx错误页面配置,优雅处理网站故障Jul 04, 2023 pm 04:06 PMNginx错误页面配置,优雅处理网站故障在现代互联网时代,一个高度稳定和可靠的网站是任何企业或个人追求的目标。然而,由于各种原因,网站可能会经历故障或错误,这可能是由于网络问题、服务器问题或应用程序错误等。为了提供更好的用户体验和优雅地处理任何可能发生的错误,Nginx作为一个强大的Web服务器软件,不仅能够提供高性能的服务,还能够灵活地配置错误页面。在Ng
聊聊如何修改php.ini配置文件Mar 28, 2023 pm 05:34 PMPHP.ini是一个PHP配置文件,它被用于控制PHP在服务器上的表现。此文件被用于设置一些变量的值,以便在运行时控制PHP。这篇文章将会向您展示如何修改PHP.ini配置文件的方式,以便控制PHP在您的服务器上的表现。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
SublimeText3 Mac version
God-level code editing software (SublimeText3)
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
Zend Studio 13.0.1
Powerful PHP integrated development environment
