Tips to prevent PHP and SQL injection attacks_PHP tutorial

Let’s talk about how SQL injection attacks are implemented and how to prevent them.

Look at this example:

Copy the code The code is as follows:

// supposed input
$ name = "ilia'; DELETE FROM users;";
mysql_query("SELECT * FROM users WHERE name='{$name}'");

It is obvious that the last command executed by the database It is:

SELECT * FROM users WHERE name=ilia; DELETE FROM users

This brings disastrous consequences to the database – all records are deleted.

But if the database you are using is MySQL, then fortunately, the mysql_query() function does not allow you to directly perform such operations (you cannot perform multiple statement operations in a single line), so you can rest assured. If the database you are using is SQLite or PostgreSQL and supports such statements, you will be facing disaster.

As mentioned above, SQL injection mainly submits unsafe data to the database to achieve attack purposes. In order to prevent SQL injection attacks, PHP comes with a function that can process the input string and perform preliminary security processing on the input at the lower level, that is, Magic Quotes. (php.ini magic_quotes_gpc). If the magic_quotes_gpc option is enabled, single quotes, double quotes, and other characters in the input string will be automatically preceded by backslashes.

But Magic Quotes is not a very universal solution, it does not block all potentially dangerous characters, and Magic Quotes is not enabled on many servers. Therefore, we also need to use various other methods to prevent SQL injection.

Many databases themselves provide this input data processing function. For example, PHP's MySQL operation function has a function called mysql_real_escape_string(), which can escape special characters and characters that may cause database operation errors.

Look at this code:

Copy the code The code is as follows:

//If the Magic Quotes function is enabled
if (get_magic_quotes_gpc()) {
$name = stripslashes($name);
}else{
$name = mysql_real_escape_string($name);
}

mysql_query("SELECT * FROM users WHERE name='{$name}'");

Note that before we use the functions of the database, we must determine whether Magic Quotes is turned on, just like the above As in the example, otherwise an error will occur if the process is repeated twice. If MQ is enabled, we have to remove the added ones to get the real data.

In addition to preprocessing the above string-form data, when storing Binary data into the database, you must also pay attention to preprocessing. Otherwise, the data may conflict with the storage format of the database itself, causing the database to crash, data records to be lost, or even the entire database to be lost. Some databases, such as PostgreSQL, provide a function pg_escape_bytea() specially used to encode binary data, which can encode the data similar to Base64.

For example:

Copy code The code is as follows:

// for plain-text data use:
pg_escape_string($regular_strings);

// for binary data use:
pg_escape_bytea($binary_data);

In another case, we should also use this mechanism. That is, multi-byte languages ​​such as Chinese, Japanese, etc. that are not supported by the database system itself. Some of them have ASCII ranges that overlap with binary data ranges.

However, encoding the data may cause query statements like LIKE abc% to fail.

http://www.bkjia.com/PHPjc/324227.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/324227.htmlTechArticleLet’s talk about how SQL injection attacks are implemented and how to prevent them. Look at this example: Copy code The code is as follows: // supposed input $name = "ilia'; DELETE FROM users;"; mysql_quer...