
The most complete way to prevent SQL injection

WBOY (Original)
2016-07-29 08:56:11
(1) mysql_real_escape_string() -- escapes the special characters in a string that is about to be placed inside an SQL string literal, taking the connection's current character set into account. Note that the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; on current PHP the direct equivalent is mysqli_real_escape_string(), and the preferred replacement is a prepared statement with bound parameters.

Used as follows:

    $sql = "select count(*) as ctr from users where username='"
         . mysql_real_escape_string($username) . "' and password='"
         . mysql_real_escape_string($pw) . "' limit 1";

Wrap every user-supplied value in mysql_real_escape_string() before concatenating it into the query. This only works when the value sits inside single quotes: escaping ' as \' stops the attacker from closing the string literal, but it does nothing for a value dropped into an unquoted position such as where id = $id, because an input like 1 or 1=1 contains no character to escape. The function also needs an open connection, since the escaping depends on the connection character set; without one it emits a warning and returns false, which string concatenation silently turns into an empty string. On PHP 7 and later the function no longer exists, and the same query should be written as a prepared statement.
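The login count query from section (1), as an added example that is not code from the original article: once built by string concatenation with the escaping left out, to show exactly what the escaping has to defend against, and once as a PDO prepared statement, which is what replaces mysql_real_escape_string() on current PHP. An in-memory SQLite database stands in for MySQL so the script runs offline; the users table, its single row and the payload are constructed for this demo, and the function names are the example's own.

```php
<?php
// Added example, not code from the original article. SQLite via PDO stands in
// for MySQL so this runs offline; the table, row and payload are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
// Plaintext password kept only to mirror the article's query; real code stores a
// password_hash() and compares with password_verify().
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse battery')");

// Vulnerable: user data becomes part of the SQL text, so it can change the
// structure of the statement, not just the values compared.
function count_users_concat(PDO $db, string $username, string $pw): int
{
    $sql = "select count(*) as ctr from users where username='$username' "
         . "and password='$pw' limit 1";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened: the statement is compiled with placeholders before any user data is
// seen, and the values are bound afterwards, so they can only ever be data.
function count_users_prepared(PDO $db, string $username, string $pw): int
{
    $stmt = $db->prepare(
        'select count(*) as ctr from users where username = :u and password = :p limit 1'
    );
    $stmt->execute([':u' => $username, ':p' => $pw]);
    return (int) $stmt->fetchColumn();
}

// A genuine login and the classic tautology payload supplied in both fields.
$good    = ['alice', 'correct horse battery'];
$payload = ["' or '1'='1", "' or '1'='1"];

printf("concat,   valid login: %d\n", count_users_concat($db, ...$good));
printf("concat,   payload:     %d\n", count_users_concat($db, ...$payload));
printf("prepared, valid login: %d\n", count_users_prepared($db, ...$good));
printf("prepared, payload:     %d\n", count_users_prepared($db, ...$payload));
```

With the payload, the concatenated query reads where username='' or '1'='1' and password='' or '1'='1' limit 1; the trailing or '1'='1' makes the condition true for every row, so the attacker is counted as logged in without knowing any password. The prepared statement compares the literal string ' or '1'='1 against the username column and finds nothing. The genuine credentials are accepted by both versions, so the fix costs no functionality.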

(2) Turning on magic_quotes_gpc

php.ini has the setting magic_quotes_gpc = Off.

It is off by default. When it is on, PHP automatically runs addslashes() over every value in $_GET, $_POST and $_COOKIE, turning ' into \', " into \", \ into \\ and NUL into \0, which was intended as a blanket defence against SQL injection. It never was a reliable one: addslashes() knows nothing about the connection character set, so with a multibyte charset such as GBK an attacker can send a byte sequence that absorbs the inserted backslash into a two-byte character and leaves the quote intact, and the escaping does nothing for values used outside a quoted literal. magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so on any supported PHP version it is always off.

If magic_quotes_gpc is off, the traditional fallback is to call addslashes() yourself; it has exactly the same limitations.

(3) Custom functions

The following helpers circulate widely in PHP tutorials. They are reproduced here with eregi() replaced by preg_match() (eregi() was removed in PHP 7.0), with the removed get_magic_quotes_gpc() guarded by function_exists(), and with htmlspecialchars() applied before nl2br() so the inserted <br /> tags are not themselves entity-encoded, so that the code runs as intended on current PHP.

    // Blacklist: reject any string containing one of the listed SQL keywords or metacharacters.
    // Note the false positives: "and" and "or" also match names such as Anderson or Morgan.
    function inject_check($sql_str) {
        return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str) === 1;
    }

    // Validate an integer id: non-empty, no blacklisted token, numeric; then cast to int.
    // The intval() cast is the part that actually neutralises injection here.
    function verify_id($id = null) {
        if (!$id) {
            exit('missing parameter');      // original error message not preserved on the page
        } elseif (inject_check($id)) {
            exit('illegal parameter');      // original error message not preserved on the page
        } elseif (!is_numeric($id)) {
            exit('illegal parameter');      // original error message not preserved on the page
        }
        $id = intval($id);
        return $id;
    }

    // Escape a string for use inside a quoted SQL literal.
    function str_check($str) {
        // magic_quotes_gpc was removed in PHP 5.4; on current PHP this branch always runs.
        if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
            $str = addslashes($str);        // escape ' " \ and NUL
        }
        // \_ and \% only matter inside a LIKE pattern; on an ordinary value the
        // backslashes end up in the stored data.
        $str = str_replace("_", "\_", $str);
        $str = str_replace("%", "\%", $str);
        return $str;
    }

    // Escape a posted text body for both SQL and HTML output.
    function post_check($post) {
        if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
            $post = addslashes($post);
        }
        $post = str_replace("_", "\_", $post);
        $post = str_replace("%", "\%", $post);
        $post = htmlspecialchars($post);    // HTML entity encoding: protects the page, not the query
        $post = nl2br($post);               // newlines to <br />, after encoding so the tags survive
        return $post;
    }
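The filters of sections (2) and (3) exercised against inputs that defeat them, as an added example that is not code from the original article. inject_check() and str_check() are rebuilt on current PHP exactly as the article defines them (preg_match() for the removed eregi(), plain addslashes() because magic_quotes_gpc no longer exists); the helper functions blacklist_false_positives(), build_by_id_query(), store_value() and safe_id() and all the sample inputs are the example's own.

```php
<?php
// Added example, not code from the original article. Inputs are constructed.
declare(strict_types=1);

// Blacklist from the article's inject_check(), as a case-insensitive PCRE.
function inject_check(string $s): bool
{
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $s) === 1;
}

// Escaping from the article's str_check(): addslashes() plus LIKE-wildcard escaping.
function str_check(string $s): string
{
    return str_replace(['_', '%'], ['\_', '\%'], addslashes($s));
}

// 1. False positives: ordinary names contain "and", "or" or an apostrophe, so the
//    blacklist refuses legitimate users. Returns the inputs that would be rejected.
function blacklist_false_positives(): array
{
    $legit = ['Anderson', 'Morgan', "O'Brien", 'Sandra', 'Florida', 'Oregon'];
    return array_values(array_filter($legit, 'inject_check'));
}

// 2. Bypass: escaping only helps inside a quoted literal. In a numeric position
//    there is no quote to escape, so str_check() returns the payload unchanged and
//    the WHERE clause becomes a tautology.
function build_by_id_query(string $id): string
{
    return 'select * from users where id = ' . str_check($id);
}

// 3. Collateral damage: \_ and \% are only meaningful inside a LIKE pattern.
//    Applied to a value that is stored, the backslash is written into the row.
function store_value(string $v): string
{
    return str_check($v);
}

// The one check in verify_id() that actually helps, reduced to its effective part:
// accept only a string of digits and turn it into an int (example helper, stricter
// than the article's is_numeric(), which also accepts forms like "1e3").
function safe_id(string $id): ?int
{
    return ctype_digit($id) ? (int) $id : null;
}

print_r(blacklist_false_positives());
echo build_by_id_query('1 or 1=1'), "\n";
echo store_value('first_name'), "\n";
var_dump(safe_id('1 or 1=1'), safe_id('42'));
```

Every one of the six sample names is rejected by the blacklist, because Anderson and Sandra contain "and", Morgan, Florida and Oregon contain "or", and O'Brien contains a quote. The id payload passes through str_check() untouched and the built query is select * from users where id = 1 or 1=1, which returns every row. The stored value comes back as first\_name rather than first_name. Only the type check does what the other filters promise: safe_id() rejects the payload and accepts 42, which is the same effect the intval() cast in verify_id() has, and it is why validating the type of each input and binding it as a parameter beats filtering the text of the query.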

The techniques above (escaping with mysql_real_escape_string() or addslashes(), relying on magic_quotes_gpc, and keyword blacklists) are what older PHP code uses to prevent SQL injection, and each leaves a gap: escaping protects only quoted string literals and depends on the connection character set, magic_quotes_gpc and the mysql_* functions no longer exist in current PHP, and a blacklist both turns away legitimate input and misses payloads that avoid the listed words. The reliable defence is to keep user data out of the query text altogether with prepared statements (PDO or mysqli with bound parameters) and to validate the type of every input, casting ids to int as verify_id() does. I hope this is helpful to friends who are interested in PHP tutorials.
