The most complete way to prevent SQL injection

(1) mysql_real_escape_string -- Escape special characters in strings used in SQL statements, taking into account the current character set of the connection

Used as follows:

?

1 2 3

$sql= "select count(*) asctr from users where username ='".mysql_real_escape_string($username)."'and password='". mysql_real_escape_string($pw)."'limit 1";

Use

mysql_real_escape_string()

as a wrapper around user input to avoid any malicious SQL injection in user input.

(2) Turn on magic_quotes_gpc to prevent SQL injection

There is a setting in php.ini: magic_quotes_gpc = Off

　 This is turned off by default. If it is turned on, it will automatically convert the SQL query submitted by the user,

For example, converting ' to ', etc., plays a significant role in preventing sql injection.

If magic_quotes_gpc=Off, use the addslashes() function

(3) Custom function

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40

function inject_check($sql_str) {   returneregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile ', $sql_str); } functionverify_id($id=null) {   if(!$id) {                                                                                                                                                                                                     } elseif (inject_check( $id)) {                                                                                                                                               elseif(! is_numeric ($id)) {                                                                                                                                                                        } $id= intval( $id ); return $id; } functionstr_check( $str) { if (!get_magic_quotes_gpc()) {$ $ Str = Addslashhes ( $ Str ); // Filter } $str= str_replace ( "_", "_", $str); $str = str_replace ( "%", "%", $str); return $str ; } functionpost_check($post) {   if (!get_magic_quotes_gpc()) {                                                                                                             $post= str_replace ( "_" , "_", $post ); $post = str_replace("%", "%", $post ); $post = nl2br($post); $post= htmlspecialchars($post);                                                                                                                                                               } The above has introduced the most complete method to prevent SQL injection, including all aspects. I hope it will be helpful to friends who are interested in PHP tutorials.