Detailed analysis of PHP injection prevention and development security (PHP tutorial)
1. Basic principles of PHP injection
Programmers vary in skill and experience, and a considerable number of them do not check the legality of user input when writing code, which leaves the application with a security risk. A user can submit database query code and, from the results the program returns, obtain data he wants to know. This is the so-called SQL Injection. Affected systems: systems that do not check and filter input parameters.
SQL injection process
Normally, a page receives some necessary parameters, such as:
bkJia.php?id=2
In the page, the value 2 is written into the SQL statement.
Normal situation: Select * From Table where id=2
If we are familiar with SQL statements, we know that 2 can be replaced with an SQL statement of our choosing,
for example: and exists (select id from admin)
2. Several ways to prevent injection
In practice, this means filtering out some common keywords and patterns in the input, such as:
select, insert, update, delete, and, *, etc.
Example:
3. Security settings in other places in PHP
register_globals = Off (set it to the off state)
Do not omit the double quotes or single quotes around values when writing SQL statements
Use $_POST, $_GET and $_SESSION correctly to receive parameters, and filter them
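The following is an added example, not code from the original article, that ties sections 2 and 3 together: it takes the `bkJia.php?id=2` lookup from section 1, reads the parameter explicitly from `$_GET` (as section 3 advises), validates it as an integer instead of relying only on a keyword blacklist, and then runs the query through a prepared statement so the value is never spliced into the SQL text. A keyword filter in the spirit of section 2 is included for comparison. The table name `items`, its columns and the in-memory SQLite database are assumptions made so the script runs stand-alone (it needs the `pdo_sqlite` extension). Note that `register_globals` was removed in PHP 5.4, so on a current PHP the only way a request value reaches the script is through the superglobals shown here.

```php
<?php
// Added example (not from the original article). Table name "items" and the
// in-memory SQLite database are assumptions so the script runs on its own.
declare(strict_types=1);

/**
 * Whitelist check: return the id from the request array only if it is a
 * positive integer, otherwise null. This is more reliable than trying to
 * blacklist SQL keywords, because the expected shape of the value is known.
 */
function readId(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Keyword blacklist in the spirit of section 2, kept only for comparison.
 * It rejects legitimate input that happens to contain these words and is
 * not a substitute for parameterised queries.
 */
function containsSqlKeyword(string $value): bool
{
    return (bool) preg_match('/\b(select|insert|update|delete|and)\b|\*/i', $value);
}

/**
 * Fetch one row by id with a prepared statement. The id is bound as an
 * integer parameter, so it is sent to the database separately from the
 * SQL text and can never change the meaning of the query.
 */
function fetchRowById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed test database standing in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO items (id, name) VALUES (1, 'first'), (2, 'second')");

// 1) The normal request from section 1: bkJia.php?id=2
$normal = readId(['id' => '2']);
var_dump($normal);                               // int(2)
var_dump(fetchRowById($pdo, $normal));           // ['id' => 2, 'name' => 'second']

// 2) The injected value from section 1 fails integer validation, so no
//    query is ever built from it. The blacklist would also flag it, but
//    only because it happens to contain listed words.
$tampered = '2 and exists (select id from admin)';
var_dump(readId(['id' => $tampered]));           // NULL
var_dump(containsSqlKeyword($tampered));         // bool(true)

// 3) Real request handling: read from $_GET explicitly (register_globals
//    is off / gone), reject anything that is not a valid id.
$id = readId($_GET);
if ($id === null) {
    http_response_code(400);
    echo "invalid id\n";
} else {
    $row = fetchRowById($pdo, $id);
    echo $row === null ? "not found\n" : json_encode($row) . "\n";
}
```

Run from the command line `$_GET` is empty, so the last block prints `invalid id`; under a web server with `?id=2` it prints the matching row. The point of the design is that `readId()` decides what a valid parameter looks like before any SQL exists, and `fetchRowById()` never concatenates the value into the query, so the keyword filter becomes defence in depth rather than the only barrier.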