
Use PHP functions to solve SQL injection_PHP tutorial

WBOY
2016-07-21 16:09:20

SQL injection has caused quite a stir in the ASP world, and many well-known PHP programs, at home and abroad, have fallen victim to it as well. There are already plenty of articles on the Internet covering the details of SQL injection, so I won't introduce them here.
If magic_quotes_gpc in the php.ini file of your web host is set to Off, PHP will not add a backslash (\) before sensitive characters. Because the content submitted by a form may contain such characters, for example a single quote ('), this leads to SQL injection vulnerabilities. In this case we can solve the problem with addslashes(), which adds a backslash before sensitive characters.
However, the above method is only appropriate when magic_quotes_gpc=Off. As a developer, you don't know whether each user's magic_quotes_gpc is On or Off. If addslashes() is applied to all data regardless, isn't that "killing innocent people indiscriminately"? Let's see what happens when magic_quotes_gpc=On and addslashes() is used anyway:

<?php
//Suppose the form submits a variable $_POST['message'] whose content is Tom's book
//The code to connect to the MySQL database goes here; write it yourself
//Add a backslash before the sensitive characters in $_POST['message']
$_POST['message'] = addslashes($_POST['message']);

//Because magic_quotes_gpc=On, the sensitive characters have now been escaped a second time
$sql = "INSERT INTO msg_table VALUE('$_POST[message]');";

//Send the query and save the content to the database
$query = mysql_query($sql);

//If you now read this record back from the database and output it, you will see Tom\'s book
?>

In this case, in an environment where magic_quotes_gpc=On, every single quote (') in the input becomes (\')...
In fact, we can easily solve this problem with the get_magic_quotes_gpc() function. When magic_quotes_gpc=On, this function returns TRUE; when magic_quotes_gpc=Off, it returns FALSE. At this point, many people will have realized that the problem is solved. Here is the code:

<?php
//If magic_quotes_gpc=Off, add backslashes to the sensitive characters in $_POST['message'] submitted by the form
//If magic_quotes_gpc=On, do not add them
if (!get_magic_quotes_gpc()) {
    $_POST['message'] = addslashes($_POST['message']);
}
?>
Actually, at this point, the problem has been solved. Here’s another little trick.
Sometimes a form submits more than one variable; there may be dozens. Isn't it a little tedious to copy and paste addslashes() again and again? Since data obtained from a form or URL arrives as an array (such as $_POST and $_GET), we can write a custom function that "sweeps through the whole army" at once:

<?php
function quotes($content)
{
    //If magic_quotes_gpc=Off, start processing
    if (!get_magic_quotes_gpc()) {
        //Determine whether $content is an array
        if (is_array($content)) {
            //If $content is an array, process each of its elements
            foreach ($content as $key => $value) {
                $content[$key] = addslashes($value);
            }
        } else {
            //If $content is not an array, process it once and keep the escaped result
            $content = addslashes($content);
        }
    } else {
        //If magic_quotes_gpc=On, do nothing
    }
    //Return $content
    return $content;
}
?>
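
As an added example (not code from the original article), here is the same msg_table insert done with a different technique from the one above: a bound parameter instead of addslashes(), with any magic_quotes_gpc escaping undone first so the stored text is identical under either setting. It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory SQLite database, the raw_value() helper and the sample requests are constructed for illustration.

```php
<?php
// Added example; not code from the original article.
// Assumptions: PHP 7 or later with pdo_sqlite; an in-memory SQLite database
// stands in for the article's MySQL table msg_table.

// Hypothetical helper: return the value as the user typed it. With
// magic_quotes_gpc=On (PHP before 5.4) the request value arrives already
// escaped, so undo that once; otherwise the value is already raw.
function raw_value($value, $magicQuotesOn)
{
    if (is_array($value)) {
        // Recurse so nested form fields (arrays inside $_POST) are handled too.
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = raw_value($v, $magicQuotesOn);
        }
        return $out;
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE msg_table (id INTEGER PRIMARY KEY, message TEXT)');

// Constructed sample requests: the article's message as delivered with
// magic_quotes_gpc=Off and with magic_quotes_gpc=On.
$requests = [
    ['magic' => false, 'post' => ['message' => "Tom's book"]],
    ['magic' => true,  'post' => ['message' => "Tom\\'s book"]],
];

// The SQL text is fixed and the value is bound as a parameter, so a quote in
// the message is stored as data and is never parsed as SQL.
$insert = $pdo->prepare('INSERT INTO msg_table (message) VALUES (:message)');
foreach ($requests as $r) {
    $post = raw_value($r['post'], $r['magic']);
    $insert->execute([':message' => $post['message']]);
}

// Read the rows back to compare what was stored for each request.
foreach ($pdo->query('SELECT id, message FROM msg_table ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['message'], PHP_EOL;
}
```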

