How to prevent sql injection in php website? 【superior】

      The operational security of the website is definitely an issue that every webmaster must consider. As we all know, most hackers attack websites by using sql injection. This is what we often say ?

The most original static website is the safest. Today we will talk about the security specifications of PHP injection to prevent your website from being injected by sql.

Today’s mainstream website development language is still php, so let’s start with how to prevent sqlinjection in php website:

Phpsecurity precautions for injection Through the above process, we We can understand the principles and methods of phpinjection. Of course, we can also develop corresponding prevention methods:

The first is the security settings of the server. Here are mainly the security settings of php+mysql and Security settings for linux host . To prevent php+mysql injection, first set magic_quotes_gpc to On, display_errs to Off, if the id type, we use intval() to convert it into an integer Type, such as code:

$idintval($id);

mysql_query"*fromexamplewherearticieid'$id'";or write like this: mysql_query("SEL ECT*FROMarticleWHEREarticleid ".intval($id)."")

If it is a character type, use addslashes() to filter it, and then filter "%" and "_" such as:

$searchaddslashes($search);

$searchstr_replace(“_”,”_”,$search);

$searchstr_replace(“%”,”%”,$search);

Of course you can also add php Universal anti-injection code:

/***************************

PHPUniversal anti-injection security code

Instructions:

Determine whether the passed variables contain illegal Characters

such as $_POST, $_GET

Function:

anti-injection

****************** ********/

//Illegal characters to be filtered

$ArrFiltratearray("'",";","union");

// The url to be redirected after an error, If not filled in, the previous page will be defaulted

$StrGoUrl"";

//Whether there is a value in the array

functionFunStringExist($StrFiltrate,$ArrFiltrate){

feach($ArrFiltrateas$key>$value){

if(eregi($value,$StrFiltrate)){

returntrue;

}

}

returnfalse;

}

//merge $_POST and $_GET

if(function_exists(array_merge)){

$ArrPostAndGetarray_merge($HTTP_POST_VARS,$HTTP_GET_VARS);

}else{

feach($HTTP_POST_VARSas$key>$value){

$ ArrPostAndGet[]$value;

}

feach($HTTP_GET_VARSas$key>$value){

$ArrPostAndGet[]$value;

}

}

//Verification starts

feach($ ArrPostAndGetas$key>$value){

if(FunStringExist($value,$ArrFiltrate)){

echo"alert(/"NeeaoPrompt, illegal characters /");";

if(empty($StrGoUrl)){

echo "histy.go(-1) ;";

}else{

echo "window.location/"".$StrGoUrl."/";";

}

exit;

}

}

?>

/* **************************

Save as checkpostget.php

Then add in front of each php file include(“checkpostget.php“);That’s it

*****************************/

In addition, the administrator username and password are md5encrypted, which can effectively prevent the injection of php.

The server and mysql also need to strengthen some security precautions.

For the security settings of the linux server:

encrypt the password, use the "/usr/sbin/authconfig" tool to turn on the shadow function of the password, and encrypt passwd.

Disable access to important files, enter the linux command interface, and enter at the prompt:

#chmod600/etc/inetd.conf//Change the file attributes to 600

#chattr+I /etc /inetd.conf // Ensure that the owner of the file is root

#chattr–I /etc/inetd.conf //Restrict changes to the file

prohibit any user from passing the su command Change to rootuser

Add the following two lines:Auth sufficient /lib/security/pam_rootok.sodebug Auth required /lib/security/pam_whell.sogroupwheel

Delete all special accounts

#userdel lp etc. Delete users

#groupdellp etc. Delete groups

Prohibit unused suid/ sgid

program

#find/-typef(-perm-04000 -o–perm-02000)-execls–lg{};

Receive Brothers PHP original video tutorial CD for free, please contact the official website customer service for details:

http://www.lampbrother.net