Summary and analysis of PHP anti-sql injection methods_PHP tutorial

SQL injection is a problem that everyone often considers in program development. Let me analyze the common SQL injection prevention codes. Friends in need can refer to it.

1. Basic principles of PHP submission data filtering

1) When submitting variables into the database, we must use addslashes() for filtering. For example, our injection problem can be solved with just one addslashes(). In fact, when it comes to variable values, the intval() function is also a good choice for filtering strings.

2) Enable magic_quotes_gpc and magic_quotes_runtime in php.ini. magic_quotes_gpc can change the quotation marks in get, post, and cookie into slashes. magic_quotes_runtime can play a formatting role in data entering and exiting the database. In fact, this parameter has been very popular since the old days when injection was crazy.

The code is as follows

Copy code

代码如下	复制代码
if ( isset($_POST["f_login"] ) ) {   // 连接数据库...   // ...代码略...     // 检查用户是否存在   $t_strUname = $_POST["f_uname"];   $t_strPwd = $_POST["f_pwd"];   $t_strSQL = "SELECT * FROM tbl_users WHERE username='$t_strUname' AND password = '$t_strPwd' LIMIT 0,1";   if ( $t_hRes = mysql_query($t_strSQL) )   {     // 成功查询之后的处理. 略...   } } ?>   Username:   Password:

if ( isset($_POST["f_login"] ) )
{

// Connect to database...

// ...The code is abbreviated...

代码如下	复制代码
$new = htmlspecialchars("Test", ENT_QUOTES); strip_tags($text,);

// Check if the user exists

$t_strUname = $_POST["f_uname"];

$t_strPwd = $_POST["f_pwd"];

$t_strSQL = "SELECT * FROM tbl_users WHERE username='$t_strUname' AND password = '$t_strPwd' LIMIT 0,1";

if ( $t_hRes = mysql_query($t_strSQL) )
{
// Processing after successful query. Omitted...

}

}

?>

代码如下	复制代码
SELECT * FROM wines WHERE variety = 'lagrein' OR 1=1;'

Username:
Password:

3) When using system functions, you must use escapeshellarg() and escapeshellcmd() parameters to filter, so that you can use system functions with confidence. 4) For cross-site, both parameters of strip_tags() and htmlspecialchars() are good. All tags with html and php submitted by users will be converted. For example, angle brackets "

The code is as follows	Copy code
$new = htmlspecialchars("Test", ENT_QUOTES); strip_tags($text,);

5) Regarding the filtering of related functions, just like the previous include(), unlink, fopen(), etc., as long as you specify the variables you want to perform the operation or strictly filter the related characters, I think this will be enough. Impeccable. 2. Simple data filtering with PHP 1) Storage: trim($str),addslashes($str) 2) Deposit: stripslashes($str) 3) Display: htmlspecialchars(nl2br($str)) 1. Types of injection attacks There may be many different types of attack motivations, but at first glance, it appears that there are many more. This is very true - if a malicious user finds a way to perform multiple queries. We will discuss this in detail later in this article. Such as If your script is executing a SELECT instruction, an attacker can force the display of every row in a table by injecting a condition such as "1=1" into the WHERE clause, as shown below (where, Injected parts are shown in bold):

The code is as follows	Copy code
SELECT * FROM wines WHERE variety = 'lagrein' OR 1=1;'

As we discussed earlier, this can be useful information in itself, as it reveals the general structure of the table (something a plain record wouldn't), as well as potentially showing the data containing confidential information. Record.
An updated directive potentially poses a more immediate threat. By placing other attributes in the SET clause, an attacker can modify any field in the currently updated record, such as the following example (in which the injected part is shown in bold):

The code is as follows

Copy code

代码如下	复制代码
UPDATE wines SET type='red'，'vintage'='9999' WHERE variety = 'lagrein'

UPDATE wines SET type='red', 'vintage'='9999' WHERE variety = 'lagrein'

By adding a constant true condition such as 1=1 to the WHERE clause of an update instruction, the scope of this modification can be extended to each record, such as the following example (where the injection part is shown in bold ):

代码如下	复制代码
UPDATE wines SET type='red'，'vintage'='9999 WHERE variety = 'lagrein' OR 1=1;'

The code is as follows	Copy code
UPDATE wines SET type='red', 'vintage'='9999 WHERE variety = 'lagrein' OR 1=1;'

Probably the most dangerous instruction is DELETE - it's not hard to imagine. The injection technique is the same as we've already seen - extending the scope of affected records by modifying the WHERE clause, as in the example below (where the injection part is in bold):

代码如下	复制代码
DELETE FROM wines WHERE variety = 'lagrein' OR 1=1;'

2. Multiple query injection

Multiple query injections will exacerbate the potential damage an attacker can cause - by allowing multiple destructive instructions to be included in a single query. When using the MySQL database, an attacker can easily achieve this by inserting an unexpected terminator into the query - an injected quote (single or double) marks the end of the expected variable; Then terminate the directive with a semicolon. Now, an additional attack command may be added to the end of the now terminated original command. The final destructive query might look like this:

代码如下	复制代码
SELECT * FROM wines WHERE variety = 'lagrein'; GRANT ALL ON *.* TO 'BadGuy@%' IDENTIFIED BY 'gotcha';'

The code is as follows:

The code is as follows	Copy code
SELECT * FROM wines WHERE variety = 'lagrein'; GRANT ALL ON *.* TO 'BadGuy@%' IDENTIFIED BY 'gotcha';'

This injection will create a new user BadGuy and give it network privileges (all privileges on all tables); there is also an "ominous" password added to this simple SELECT statement. If you followed our advice in the previous article and strictly limited the privileges of the process user, then this should not work because the web server daemon no longer has the GRANT privileges that you revoked. But in theory, such an attack could give BadGuy free rein to do whatever he wants with your database.

I will share one I wrote below

} function phpsql_post($str){

The code is as follows

代码如下

复制代码

function phpsql_show($str){  $str = stripslashes($str);  $str = str_replace("\", "", $str);  $str = str_replace("/", "/", $str);  $str = str_replace(" ", " ", $str);  $str = str_replace(",", ",", $str);  return $str; } function phpsql_post($str){  $str = stripslashes($str);  $str = str_replace("|", "|", $str);  $str = str_replace("  $str = str_replace(">", ">", $str);  $str = str_replace(" ", " ", $str);  $str = str_replace(" ", " ", $str);  $str = str_replace("(", "(", $str);  $str = str_replace(")", ")", $str);  $str = str_replace("`", "`", $str);  //$str = str_replace("'", "'", $str);  $str = str_replace('"', """, $str);  $str = str_replace(",", ",", $str);  $str = str_replace("$", "$", $str);  $str = str_replace("", "\", $str);  $str = str_replace("/", "/", $str);  return $str; } function phpsql_replace($str){  $str = stripslashes($str);  $str = str_replace("'", "'", $str);  return $str; }

Copy code

function phpsql_show($str){

$str = stripslashes($str);
$str = str_replace("\", "", $str);
$str = str_replace("/", "/", $str);

$str = str_replace(" ", " ", $str);

$str = str_replace(",", ",", $str);

return $str;

$str = stripslashes($str); $str = str_replace("|", "|", $str);

$str = str_replace(" $str = str_replace(">", ">", $str); $str = str_replace(" ", " ", $str); $str = str_replace(" ", " ", $str); $str = str_replace("(", "(", $str); $str = str_replace(")", ")", $str); $str = str_replace("`", "`", $str); //$str = str_replace("'", "'", $str); $str = str_replace('"', """, $str); $str = str_replace(",", ",", $str); $str = str_replace("$", "$", $str); $str = str_replace("", "\", $str); $str = str_replace("/", "/", $str); return $str; }

function phpsql_replace($str){ $str = stripslashes($str);

$str = str_replace("'", "'", $str);

return $str; } To summarize: * addslashes() is a forced addition; * mysql_real_escape_string() will determine the character set, but there are requirements for the PHP version; * mysql_escape_string does not take into account the current character set of the connection. To prevent sql injection in dz, you use the addslashes function. At the same time, there are some replacements in the dthmlspecialchars function $string = preg_replace(/&((#(d{3,5}|x[a-fA-F0 -9]{4}));)/, &1, This replacement solves the injection problem and also solves some problems with Chinese garbled characters http://www.bkjia.com/PHPjc/629645.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629645.htmlTechArticleSQL injection is a problem that everyone often considers in program development. Let me analyze the common ones below. SQL injection prevention code, friends in need can refer to it. 1. PHP submits data...