Home > Article > Backend Development > PHP and SQL injection attacks [3]_PHP tutorial
PHP and SQL injection attacks [3]_PHP tutorial
- WBOYOriginal
- 2016-07-21 15:55:03882browse
I’m too busy these days, so I’ll continue the series haha, and try to finish it in half a month.
The above mentioned the unsafe input filtering function that comes with the database, but this function is not available in all databases. At present, probably only MySQL, SQLite, PostgreSQL, and Sybase have such a function, but many databases including Oracle and SQL Server do not.
In view of this situation, developers generally use a common method to avoid writing unsafe data to the database-base64 encoding. This avoids all dangers caused by special characters that might cause problems. However, the data capacity after Base64 encoding will increase by about 33%, which takes up more space. In PostgreSQL, there is another problem with using Base64 encoded data, that is, you cannot use 'LIKE' query.
So to sum up, we know that relying solely on the string masking of the database itself is not enough. We need a solution to filter out dangerous characters before they affect our Query statement. Predefined queries (Prepared queries/prepared statements) are a very good method. What is a predefined query? It is equivalent to a query statement template, which defines the structure of the query statement and the data types of some parts. If the SQL statement we submit meets the definition of this template, it will be executed. Otherwise, it will not be executed and an error will be reported.
For example:
pg_query($conn, “PREPARE stmt_name (text) AS SELECT * FROM users WHERE name=$1”);
pg_query($conn, “EXECUTE stmt_name ({ $name})");
pg_query($conn, “DEALLOCATE stmt_name");
PREPARE stmt_name (text) AS .. defines the format of a query, where all characters except $1 They are all placeholders and cannot be changed. Haha, I think this method is really a good method. Unfortunately, not all databases support it. .