Detailed explanation of the specific methods of preventing SQL injection in PHP_PHP tutorial

An excellent

When it comes to website security, we have to mention SQL Injection. If you have used ASP, you must have a deep understanding of SQL injection. It is understood that PHP has relatively high security. This is because versions below MYSQL4 do not support sub-statements, and when magic_quotes_gpc in php.ini is On.

All ' (single quotes), " (double quotes), (backslashes) and null characters in the submitted variables will be automatically converted into escape characters containing backslashes, causing SQL injection A lot of trouble

Please see clearly: It’s just “trouble”~ This does not mean that PHP prevents SQL injection. The book talks about how to bypass escaping by changing the encoding of the injection statement, such as Convert the SQL statement into ASCII encoding (similar to: char(100,58,92,108,111,99,97,108,104,111,115,116...)), or into hexadecimal encoding, or even other forms of encoding. In this way, escape filtering Then it was bypassed, so how to prevent it:

a. Open magic_quotes_gpc or use the addslashes() function

In the new version of PHP, even if magic_quotes_gpc is turned on, there will be no conflict when using the addslashes() function. However, in order to achieve better version compatibility, it is recommended to check the magic_quotes_gpc status before using the transfer function, or turn it off directly. , the code is as follows:

PHP code to prevent SQL injection

<ol class="dp-xml">
<li class="alt"><span><span>// 去除转义字符   </span></span></li>
<li><span>function stripslashes_array($array) {   </span></li>
<li class="alt"><span>if (is_array($array)) {   </span></li>
<li>
<span>foreach ($array as $</span><span class="attribute">k</span><span> =</span><span class="tag">></span><span> $v) {   </span>
</li>
<li class="alt"><span>$array[$k] = stripslashes_array($v);   </span></li>
<li><span>}   </span></li>
<li class="alt"><span>} else if (is_string($array)) {   </span></li>
<li>
<span>$</span><span class="attribute">array</span><span> = </span><span class="attribute-value">stripslashes</span><span>($array);   </span>
</li>
<li class="alt"><span>}   </span></li>
<li><span>return $array;   </span></li>
<li class="alt"><span>}   </span></li>
<li><span>@set_magic_quotes_runtime(0);   </span></li>
<li class="alt"><span>// 判断 magic_quotes_gpc 状态   </span></li>
<li><span>if (@get_magic_quotes_gpc()) {   </span></li>
<li class="alt">
<span>$</span><span class="attribute">_GET</span><span> = </span><span class="attribute-value">stripslashes_array</span><span>($_GET);   </span>
</li>
<li>
<span>$</span><span class="attribute">_POST</span><span> = </span><span class="attribute-value">stripslashes_array</span><span>($_POST);   </span>
</li>
<li class="alt">
<span>$</span><span class="attribute">_COOKIE</span><span> = </span><span class="attribute-value">stripslashes_array</span><span>($_COOKIE);   </span>
</li>
<li><span>}  </span></li>
</ol>

Remove the escape of magic_quotes_gpc and then use the addslashes function, the code is as follows:

PHP to prevent SQL injection Code

$keywords = addslashes($keywords);
$keywords = str_replace("_","_",$keywords);//Escape "_"
$keywords = str_replace("%","%",$keywords);//Escape "%"

The purpose of the last two str_replace substitutions is to prevent hackers from converting SQL encoding to attack. >

b. Mandatory character format (type)

In many cases we need to use something like xxx.php?id=xxx URL, generally $id is an integer variable. In order to prevent attackers from tampering with $id into attack statements, we must try to force the variable. The code is as follows:

PHP code to prevent SQL injection

$id=intval($_GET['id']);

Of course, there are other variable types. If necessary, try to force the format

<.>

c. SQL statements contain variables with quotes

This is very simple, but it is also easy to form a habit. Let’s take a look at these two SQLs first. Statement:

SQL code

SELECT * FROM article WHERE articleid='$id'

SELECT * FROM article WHERE articleid=$id

The two writing methods are in each They are common in both programs, but the security is different. In the first sentence, the variable $id is placed in a pair of single quotes, which makes the variables we submit become strings, even if the correct SQL is included. statement will not be executed normally, but the second sentence is different. Since the variables are not put in single quotes, everything we submit will be executed as an SQL statement as long as it contains spaces. Therefore, we have to Get into the habit of quoting variables in SQL statements.

d. URL pseudo-static

URL pseudo-static is also a URL rewriting technology, like Discuz! Similarly, it is a good idea to rewrite all URLs into a format similar to xxx-xxx-x.html, which is beneficial to SEO and achieves a certain level of security. But in order to prevent SQL injection in PHP, the premise is that you must have a certain "regular" foundation.

http://www.bkjia.com/PHPjc/446121.html

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/446121.htmlTechArticleWhen it comes to website security, you have to mention SQL Injection (SQL Injection). If you have used ASP , you must have a deep understanding of SQL injection. PHP has relatively high security. This is...