
PHP effective method to prevent sql injection_PHP tutorial

WBOY
2016-07-13 17:10

For data security and to prevent injection, the string obtained from $_GET needs to be filtered. At the beginning I wrote the filtering function myself, and later I saw a filter function that comes with PHP itself, so I recommend addslashes() to everyone.

A typical use of addslashes() is when you enter data into a database. For example, to insert the name O'reilly into the database you need to escape it. Most databases use \ as the escape character: O\'reilly. This way the data can be put into the database without inserting extra \ characters. When the PHP directive magic_quotes_sybase is set to on, it means that ' is escaped with another ' rather than with \ when inserting a '.
Example:

MySQL and PHP come with many functions that handle these character problems. Here are a few that are used frequently.

PS: since php6 does not support magic_quotes_gpc, the following assumes magic_quotes_gpc=off (I don't know what new things will come out in php6...)

mysql_real_escape_string()
Definition: escapes special characters in a string for use in an SQL statement.
Syntax: mysql_real_escape_string(string,connection)
Description: this function escapes special characters in string and takes into account the current character set of the connection, so the result can be safely used in mysql_query().
Since the example code is too long, a function explanation link is given

Database attack example: this demonstrates what happens if we do not apply mysql_real_escape_string() to the username and password:

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

// Vulnerable on purpose: the POST values are interpolated into the SQL unescaped
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);

// The username and password are not checked at all;
// they can be anything the user entered, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

// Some code...

mysql_close($con);
?>

Then the SQL query will look like this:

SELECT * FROM users
WHERE user='john' AND password='' OR ''=''

This means anyone can log in without entering a valid password, because ''='' is always true.
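As an added example (not part of the original tutorial), the login bypass above reproduced against an in-memory SQLite database through PDO, so it runs without a MySQL server; it assumes the pdo_sqlite extension is available. PDO::quote() is used in the role mysql_real_escape_string() plays for the old mysql extension, and a prepared statement is shown as the alternative that keeps the value out of the SQL text entirely.

```php
<?php
// Added example, not from the original article. Reproduces the login bypass
// shown above against an in-memory SQLite database (assumes pdo_sqlite is
// available), then runs the same lookup with escaping and with a prepared
// statement so the difference is visible without a MySQL server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('john', 's3cret')");

// Constructed request values: the payload from the article.
$user = 'john';
$pwd  = "' OR ''='";

function countMatches(PDO $db, string $sql): int
{
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// 1. Vulnerable: request values interpolated straight into the SQL text.
//    The WHERE clause becomes  user='john' AND password='' OR ''=''  and the
//    trailing OR is always true, so john's row matches although the password is wrong.
$vulnerable = "SELECT * FROM users WHERE user='$user' AND password='$pwd'";
echo "interpolated: " . countMatches($db, $vulnerable) . " row(s)\n";

// 2. Escaped: PDO::quote() escapes for the connection's driver and adds the
//    surrounding quotes, the role mysql_real_escape_string() fills for the old
//    mysql extension. The payload is now compared as a literal password string.
$escaped = "SELECT * FROM users WHERE user=" . $db->quote($user)
         . " AND password=" . $db->quote($pwd);
echo "escaped: " . countMatches($db, $escaped) . " row(s)\n";

// 3. Prepared statement: the value is bound separately and never becomes part
//    of the SQL text, so no escaping decision is needed at all.
$stmt = $db->prepare("SELECT * FROM users WHERE user=? AND password=?");
$stmt->execute([$user, $pwd]);
echo "prepared: " . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row(s)\n";
```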


addslashes()
Definition: the addslashes() function adds a backslash before the specified predefined characters.
Syntax: addslashes(string)
Note: by default the PHP directive magic_quotes_gpc is on, so addslashes() is automatically run on all GET, POST and COOKIE data. Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, because this causes double escaping. You can use get_magic_quotes_gpc() to detect this situation.
Since the example code is too long, a function explanation link is given
Related functions

<?php
$str = "Is your name O'reilly?";

// Output: Is your name O\'reilly?
echo addslashes($str);
?>

stripslashes() removes backslash characters

The stripslashes() function removes backslashes added by the addslashes() function.

Syntax
stripslashes(string)

<?php
// Output: Who's John Adams?
echo stripslashes("Who\'s John Adams?");
?>
