Home >Backend Development >PHP Tutorial >What is the purpose of addslashes() and how to prevent mysql injection in php?
1. Form data
shows the form data
2.php
has been automatically added
3.mysql data (bottom line)
is not written to mysql but there is none
4. I suspect it is hidden by the mysql software. Check the command line:
I didn’t see it either
According to the official statement
http://www.php.net/manual/zh/function.addslashes.php
An example of using addslashes() is when you are entering data into a database. For example, inserting the name O'reilly into the database requires escaping it. It is strongly recommended to use the DBMS-specific escape function (for example, mysqli_real_escape_string() for MySQL, pg_escape_string() for PostgreSQL), but if the DBMS you are using does not have an escape function and uses to escape special characters, you can use this function. Just to get the data inserted into the database, additional ones will not be inserted. When the PHP directive magic_quotes_sybase is set to on, it means that inserting ' will be escaped with '.
Question:
1. What kind of mechanism does the addsleshes() function use to prevent injection?
2. Under what circumstances is stripslashes() used?
3. Use htmlspecialchars( directly for the data submitted in the form ) is escaped and stored in the database?
4. What is the best way to prevent sql injection?
.
1. Form data
shows the form data
2.php
has been automatically added
3.mysql data (bottom line)
is not written to mysql but there is none
4. I suspect it is hidden by the mysql software. Check the command line:
I didn’t see it either
According to the official statement
http://www.php.net/manual/zh/function.addslashes.php
An example of using addslashes() is when you are entering data into a database. For example, inserting the name O'reilly into the database requires escaping it. It is strongly recommended to use the DBMS-specific escape function (for example, mysqli_real_escape_string() for MySQL, pg_escape_string() for PostgreSQL), but if the DBMS you are using does not have an escape function and uses to escape special characters, you can use this function. Just to get the data inserted into the database, additional ones will not be inserted. When the PHP directive magic_quotes_sybase is set to on, it means that inserting ' will be escaped with '.
Question:
1. What kind of mechanism does the addsleshes() function use to prevent injection?
2. Under what circumstances is stripslashes() used?
3. Use htmlspecialchars( directly for the data submitted in the form ) is escaped and stored in the database?
4. What is the best way to prevent sql injection?
.
As written in the documentation, addslashes
is to add a slash before the quotation marks of the parameters.
Like the data you printed, there is also a slash before the parameter.
But there shouldn’t be slashes in the database! How addslashes
prevent injection is to prevent injection from directly applying input parameters when we write SQL
, resulting in SQL
that can be injected.
For example$sql = "SELECT * FROM user WHERE id = '$id'";
, if the $id
parameter here is deliberately manipulated into 1' OR '1 = 1'
, then it won't work Has it become injection of SQL
?
And if you use addslashes
to add a slash, the quotation marks in $id
will be interpreted, and the wrong SQL
will not be generated. But these results will not affect data writing, because these slashes will be translated back when the data is actually inserted and updated.
Prevent SQL injection (input database):
PDO bindParam or mysqli_stmt_bind_param: avoid SQL injection.
addslashes: Use backslashes to escape all single quotes, double quotes, backslashes and NUL's to avoid SQL injection to a certain extent.
mysqli_real_escape_string: Escape special characters in SQL statements.
With bind_param, you don’t need to use addslashes, mysqli_real_escape_string, magic_quotes_gpc.
For example:
<code>PDO MySQL: //方法1(问号占位符) $stmt = $db->prepare('UPDATE posts SET post_title = ?, post_content = ? WHERE id = ?'); $stmt->execute(array($title,$content,$id)); //所有值视作PDO::PARAM_STR处理 //方法2(命名占位符) $stmt = $db->prepare('UPDATE posts SET post_title = :title, post_content = :content WHERE id = :id'); $stmt->execute(array(':title' => $title,':content' => $content,':id' => $id)); //所有值视作PDO::PARAM_STR处理 //方法3 $stmt = $db->prepare('UPDATE posts SET post_title = ?, post_content = ? WHERE id = ?'); $stmt->bindParam(1, $title, PDO::PARAM_STR); $stmt->bindParam(2, $content, PDO::PARAM_STR); $stmt->bindParam(3, $id, PDO::PARAM_INT); $stmt->execute(); //方法4 $stmt = $db->prepare('UPDATE posts SET post_title = :title, post_content = :content WHERE id = :id'); $stmt->bindParam(':title', $title, PDO::PARAM_STR); $stmt->bindParam(':content', $content, PDO::PARAM_STR); $stmt->bindParam(':id', $id, PDO::PARAM_INT); $stmt->execute(); MySQLi: //MySQLi只需执行一次bind_param,要比PDO简洁一些,MySQLi不支持命名占位符. $stmt->bind_param('ssi', $title, $content, $id);</code>
The htmlspecialchars you mentioned is to defend against XSS attacks when outputting HTML, which is different from the defense against SQL injection mentioned above.