Home >Backend Development >PHP Tutorial >Detailed analysis of PHP injection prevention and development security_PHP tutorial

Detailed analysis of PHP injection prevention and development security_PHP tutorial

WBOY
WBOYOriginal
2016-07-21 14:59:571075browse

1. Basic principles of PHP injection
The level and experience of programmers also vary. A considerable number of programmers do not understand the user when writing code. The legality of the input data is judged, which makes the application a security risk. The user can submit a database query code and obtain some data he wants to know based on the results returned by the program. This is the so-called SQL Injection, that is, SQL injection. Affected systems: Systems that do not check and filter input parameters.

SQL injection process
Normally speaking, we receive some Necessary parameters such as:
In the page we will use 2 to write into the SQL statement
Normal situation: Select * From Table where id=2

bkJia.php?id=2
If we are familiar with SQL statements, we know that 2 can be replaced with the SQL statement we need
For example: and exists (select id from admin)

2. Several ways to prevent injection
In fact, it turns out that we need to filter some of our common keywords and matches such as:
Select, insert, update , delete, and, *, etc.
Example:

Copy code The code is as follows:

function inject_check($ sql_str) {
return preg_match('/select|insert|update|delete|/'|///*|/*|/././/|/.//|union|into|load_file|outfile/ i', $sql_str); // Filter
}

or filter special symbols between system functions
Addslashes (content that needs to be filtered)

3. Security settings in other places in PHP
register_globals = Off Set to closed state
Try not to omit small quotes and single quotes when writing SQL statements

Copy code The code is as follows:

Select * From Table Where id=2 (non-standard)
Select * From ·Table· Where ·id·='2' (standard)

Improve database naming skills. Some important fields can be named according to program characteristics
Encapsulate common methods to avoid directly exposing SQL statements

Use $_POST $_GET $_SESSION correctly to accept parameters and filter them

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/328123.htmlTechArticle1. The basic principles of PHP injection. The level and experience of programmers also vary. A large number of programmers are When writing code, there is no judgment on the legality of user input data...
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn