Home >Backend Development >PHP Tutorial >Understand some methods of sql injection in php yourself_PHP tutorial
Understand some of the methods of sql injection in php. The following are all the most common sql injection methods. Friends in need can refer to them.
What is injection?
For example, when we query the database, we retrieve all the information of this article through the article's ID number. Then the SQL statement can be written like this:
The code is as follows | Copy code | ||||
|
代码如下 | 复制代码 |
select * from blog where id=5 or 1=1 |
The code is as follows | Copy code |
select * from blog where id=5 or 1=1 |
1=1 is the same, then this statement will retrieve all articles. To modify this, you only need to change the value passed by GET: read.php?id='5 or 1=1'; pay attention to these two single quotes... So the simplest thing is that we can directly change the parameters to Single quotes to see if this link is injected. Of course, it doesn't matter if illegal users see all the articles, but what if this table stores account numbers and passwords?
2. How to prevent injection?
In the final analysis, the key to preventing injection lies in character filtering, because illegal users generally pass values by constructing URLs. If we filter the illegal parameters they pass in, the illegal SQL statements will not be executed. , then we will prevent the website from being injected!
代码如下 | 复制代码 |
function safe($s) { if(!get_magic_quotes_gpc()) { if(is_array($s)) foreach($s as $key=>$value) $s[$key] = addslashes($value); else $s=addslashes($s); } return $s; }
function html_safe($s) { return nl2br(htmlspecialchars(safe($s) )) ; } |
The code is as follows | Copy code |
function safe($s) { if(!get_magic_quotes_gpc()) { if(is_array($s)) foreach($s as $key=>$value) $s[$key] = addslashes($value); else $s=addslashes($s); } return $s; } function html_safe($s) { return nl2br(htmlspecialchars(safe($s) )) ; } |
If you don’t know the built-in functions used above and are too lazy to check the manual, then I will talk about these functions:
magic_quotes_gpc is called magic quotes. If this function is turned on, then when inserting data into the database, what the magic quotes do is to automatically apply the addslashes() function to all GET, POST, and COOKIE data. get_magic_quotes_gpc() is used to get whether this function is turned on on the server: if it is turned on, then the data is returned directly; if it is not turned on, then the parameters are manually escaped with addslashes(). This will prevent double-level escaping~
addslashes – Use backslashes to quote strings. Description: string addslashes (string str); returns a string with backslashes added before certain characters for database query statements, etc. These characters are single quotes ('), double quotes ("), backslash () and NUL (NULL character). An example of using addslashes() is when you are entering data into a database. For example, changing the name O 'reilly is inserted into the database, which requires escaping it. Most databases use as escape character: O'reilly. This allows the data to be inserted into the database without inserting additional . When turned on, it means that ' will be escaped when inserting '
.The htmlspecialchars below converts characters in Html, such as converting '&' to '&', and converting '<' to '<'. nl2br converts carriage return and line feed into
. This is often used when users enter information such as comments.
Through the above functions, we can already filter some simple injections. In addition, let’s talk about a few small aspects:
As for the initial example, there are actually many areas for improvement. For example, it should look more standardized when written like this:
The code is as follows | Copy code | ||||
|
For such incoming parameters that are of numeric type, we can force convert the value obtained by $_GET. But I’m more used to this:
代码如下 | 复制代码 |
$id = $_GET['id']*1; //获取文章的id,用来显示文章信息 if($id == 0){ echo "ERROR..."; exit(); } |
The code is as follows | Copy code | ||||
$id = $_GET['id']*1; //Get the id of the article to display article information if($id == 0){ echo "ERROR...";
|
The code is as follows | Copy code |
if ( !get_magic_quotes_gpc() ) { $_GET = add_slashes($_GET); $_POST = add_slashes($_POST); $_COOKIE = add_slashes($_COOKIE); } |
Line 194 of includefunc_global.php
The code is as follows
|
Copy code
|
||||
//addslashes | function add_slashes($string) {
foreach ($string as $key => $val) {
Of course, this should be only part of it, and the rest should be similar.