
Preventing sql injection in PHP

WBOY (original), 2016-07-29 08:57:12

SQL injection is generally caused by sloppy, loosely assembled SQL. The problem lies in how the SQL statement is built, and the decisive character is the quote ('). For example:

```php
$sql = "delete from table where id = '$id'";
```

A normal submission deletes a single row. If the submitted id is `1' or 1 #`, the SQL statement becomes

```sql
delete from table where id = '1' or 1 #';
```

In this case the entire table is deleted, with irreversible results.
Since the problem arises from the quote, the fix is to escape it (').

  • PHP provides two functions for this:

```php
addslashes($str);
// Recommended: use the one below, it avoids character-set problems
mysql_real_escape_string($str, $link);
```

```php
// Integer data may not be quoted in the SQL, so force the escaped value to be wrapped in quotes.
// $this->link is the MySQL connection handle; this closure is meant to live inside a class that holds it.
$quote = function ($str) {
    return "'" . mysql_real_escape_string($str, $this->link) . "'";
};
```
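The following is an added example, not code from the original post, showing the forced-quoting idea above alongside the two broken variants it protects against. The `mysql_*` functions used in the post no longer exist in PHP 7 and later, so the escaper is passed in as a callable: `addslashes` runs offline here, and with a live connection you would pass `fn($s) => mysqli_real_escape_string($link, $s)` instead (the function names `quoteValue`, `buildUnsafe`, `buildUnquotedInt` and `buildSafe` are this example's own).

```php
<?php
// Always wrap the escaped value in single quotes, so that an id like "1 or 1"
// can never be spliced into the statement unquoted. $escape defaults to
// addslashes(); pass a mysqli-based escaper when a connection is available.
function quoteValue(string $value, ?callable $escape = null): string
{
    $escape = $escape ?? 'addslashes';
    return "'" . $escape($value) . "'";
}

// The post's original bug: raw interpolation of attacker-controlled input.
function buildUnsafe(string $id): string
{
    return "delete from table where id = '$id'";
}

// Escaped but NOT quoted: nothing in "1 or 1" needs escaping, so the
// escaper changes nothing and the whole table still matches.
function buildUnquotedInt(string $id, ?callable $escape = null): string
{
    $escape = $escape ?? 'addslashes';
    return "delete from table where id = " . $escape($id);
}

// Escaped AND quoted: the injected quote is escaped and the whole payload
// becomes a single string literal compared against the id column.
function buildSafe(string $id, ?callable $escape = null): string
{
    return "delete from table where id = " . quoteValue($id, $escape);
}

// Constructed inputs: a normal id, the payload from the post, and an
// unquoted-integer payload that escaping alone does not stop.
$normal      = "1";
$payload     = "1' or 1 #";
$intPayload  = "1 or 1";

echo "unsafe:        ", buildUnsafe($payload), PHP_EOL;
echo "unquoted int:  ", buildUnquotedInt($intPayload), PHP_EOL;
echo "safe (payload):", buildSafe($payload), PHP_EOL;
echo "safe (normal): ", buildSafe($normal), PHP_EOL;
```

Compare the three statements as printed: only the quoted-and-escaped form keeps the attacker's input inside one string literal.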

The above has introduced how to prevent SQL injection in PHP, including its related aspects. I hope it will be helpful to friends who are interested in PHP tutorials.
