Preventing sql injection is a must-do step in our program development. Let me introduce to you some methods of using mysql_real_escape_string to prevent sql injection in PHP and mysql development.
The mysql_real_escape_string() function escapes special characters in strings used in SQL statements. The following characters are affected:
| 代码如下 |
复制代码 |
x00
n
r
'
"
x1a |
If successful, the function returns the escaped string. If failed, returns false.
Easy to use the function below to effectively filter.
| The code is as follows |
Copy code |
| 代码如下 |
复制代码 |
|
function safe($s){ //安全过滤函数
if(get_magic_quotes_gpc()){ $s=stripslashes($s); }
$s=mysql_real_escape_string($s);
return $s;
}
|
function safe($s){ //safe filter function
if(get_magic_quotes_gpc()){ $s=stripslashes($s); }
$s=mysql_real_escape_string($s);
| 代码如下 |
复制代码 |
|
if(get_magic_quotes_gpc()) {
$_REQUEST = array_map( 'stripslashes', $_REQUEST); }
$_REQUEST = array_map( 'mysql_real_escape_string', $_REQUEST);
|
return $s;
}
|
Or add it to the conn public connection file, so there is no need to modify the code:
| The code is as follows |
Copy code |
if(get_magic_quotes_gpc()) {
| 代码如下 |
复制代码 |
$id=intval($id);
mysql_query=”select *from example where articieid=’$id’”;或者这样写:mysql_query(”SELECT * FROM article WHERE articleid=”.intval($id).”") |
$_REQUEST = array_map( 'stripslashes', $_REQUEST); }
$_REQUEST = array_map( 'mysql_real_escape_string', $_REQUEST);
|
| 代码如下 |
复制代码 |
$search=addslashes($search);
$search=str_replace(“_”,”_”,$search);
$search=str_replace(“%”,”%”,$search);
|
mysql_real_escape_string's anti-sql injection protection is only the most basic protection. If you need more powerful anti-sql injection protection, I can refer to the following method
The first is the security settings of the server. Here are mainly the security settings of php+mysql and the security settings of the Linux host. To prevent php+mysql injection, first set magic_quotes_gpc to On and display_errors to Off. If it is an id type, we use intval() to convert it into an integer type, as shown in the code:
| The code is as follows |
Copy code |
| $id=intval($id);
mysql_query=”select *from example where articieid=’$id’”; Or write like this: mysql_query(”SELECT * FROM article WHERE articleid=”.intval($id).””) |
If it is a character type, use addslashes() to filter it, and then filter "%" and "_", such as:
| The code is as follows |
Copy code |
| $search=addslashes($search);
$search=str_replace(“_”,”_”,$search);
$search=str_replace(“%”,”%”,$search);
|
Of course you can also add PHP universal anti-injection code:
/***************************
PHP universal anti-injection security code
Description:
Determine whether the passed variable contains illegal characters
Such as $_POST, $_GET
Function:
Anti-injection
The code is as follows
| 代码如下 |
复制代码 |
**************************/
//要过滤的非法字符
$ArrFiltrate=array(”‘”,”;”,”union”);
//出错后要跳转的url,不填则默认前一页
$StrGoUrl=”";
//是否存在数组中的值
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//合并$_POST 和 $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
}
//验证开始
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
echo “alert(/”Neeao提示,非法字符/”);”;
if (empty($StrGoUrl)){
echo “history.go(-1);”;
}else{
echo “window.location=/”".$StrGoUrl.”/”;”;
}
exit;
}
}
?>
|
|
Copy code
|
********** ****************/
//Illegal characters to filter
$ArrFiltrate=array(”‘”,”;”,”union”);
//The URL to jump to after an error occurs. If not filled in, the previous page will be defaulted
$StrGoUrl=””;
//Whether there is a value in the array
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//Merge $_POST and $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){ |
$ArrPostAndGet[]=$value;
}
}
//Verification starts
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
echo "alert(/"Neeao prompt, illegal character/");";
if (empty($StrGoUrl)){
echo “history.go(-1);”;
}else{
echo “window.location=/”".$StrGoUrl.”/”;”;
}
exit;
}
}
?>
/***************************
Then add include("checkpostandget.php"); in front of each php file
**************************/
In addition, the administrator username and password are md5 encrypted, which can effectively prevent PHP injection.
There are also some security precautions that need to be strengthened on the server and mysql.
For security settings of linux server:
To encrypt the password, use the "/usr/sbin/authconfig" tool to turn on the password shadow function and encrypt the password.
To prohibit access to important files, enter the Linux command interface and enter: at the prompt.
#chmod 600 /etc/inetd.conf //Change file attributes to 600
#chattr +I /etc/inetd.conf // Ensure that the file owner is root
#chattr –I /etc/inetd.conf // Limit changes to this file
It is forbidden for any user to change to the root user through the su command
Add the following two lines at the beginning of the su configuration file, that is, the /etc/pam.d/ directory:
Auth sufficient /lib/security/pam_rootok.so debug
Auth required /lib/security/pam_whell.so group=wheel
Delete all special accounts
#userdel lp etc. Delete user
#groupdel lp etc. Delete group
Ban unused suid/sgid programs
#find / -type f (-perm -04000 - o –perm -02000 ) -execls –lg {} ;
http://www.bkjia.com/PHPjc/629620.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629620.htmlTechArticlePreventing sql injection is a step that must be done when developing our programs. Let me introduce to you how to use PHP with Introduction to some methods of using mysql_real_escape_string to prevent SQL injection in mysql development. m...
