Home >Backend Development >PHP Tutorial >Introduction to php functions to prevent sql injection
A few days ago, people were injected into the website. Now I will introduce to you several built-in processing functions of PHP to prevent SQL injection. For example, PHP's MySQL operation functions include addslashes(), mysql_real_escape_string(), mysql_escape_string() and other functions.
Specific usage: addslashes prevent SQL injection
Although many domestic PHP programmers still rely on addslashes to prevent SQL injection, it is still recommended that everyone strengthen the check to prevent SQL injection in Chinese. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte character. 0xbf5c is still regarded as a single quote, so addslashes cannot successfully intercept.
Of course, addslashes is not useless. It is used for processing single-byte strings. For multi-byte characters, use mysql_real_escape_string.
In addition, for the example of get_magic_quotes_gpc in the PHP manual, the code is as follows:
Function post_check($post) {
$post = addslashes($post); // Correct the case where magic_quotes_gpc is not turned on Filtering of submitted data } $post = str_replace("_", "_", $post); // Filter out '_' $post = str_replace("%", "%", $ post); // Filter out ' % ' }//Open source code phpfensi.com ?> //Or function inject_check($sql_str) { . . . '| Function verify_id($id=null) { (inject_check($id) ) { exit('The submitted parameters are illegal! ');} // Injecting judgment Elseif (! IS_NUMERIC ($ ID)) {exit (' The parameters submitted illegal! ');} // Digital judgment $ ID = intval ($ ID); // Tolerance Typed Escape special characters in unescaped_string, taking into account the connection's current character set, so it can be safely used in mysql_query().Note: mysql_real_escape_string() does not escape % and _.mysql_real_escape_string,Example#1 mysql_real_escape_string() example, the code is as follows: $item = "Zak's and Derick's Laptop" ; $escaped_item = mysql_real_escape_string ( $item ); printf ( "Escaped string: %sn" , $escaped_item ); ?& gt; //Above examples The following output will be produced: //Escaped string: Zak's and Derick's Laptop mysql_escape_stringThis function escapes unescaped_string so that it can be safely used in mysql_query().
Note: mysql_escape_string() does not escape % and _. This function is exactly the same as mysql_real_escape_string(), except that mysql_real_escape_string() accepts a connection handle and transfers the string according to the current character set. mysql_escape_string() does not accept connection parameters and does not care about the current character set setting.
Example 1. mysql_escape_string() example, the code is as follows:
$item = "Zak's Laptop";
$escaped_item = mysql_escape_string($item);
printf ("Escaped string: %sn", $escaped_item);
?>
//Output:
//Escaped string: Zak's Laptop
mysql_ real_escape_string and mysql_escape_string these 2 The difference between the two functions:
mysql_real_escape_string must be used under (PHP 4 >= 4.3.0, PHP 5), otherwise mysql_escape_string can only be used. The difference between the two is: mysql_real_escape_string takes into account the current character set of the connection, And mysql_escape_string is not considered.
We can use judgment to process it comprehensively. The code is as follows:
function cleanuserinput($dirty){
if (get_magic_quotes_gpc()) {
$clean = mysql_real_escape_string(stripslashes($dirty)) ;
}else{
$clean = mysql_real_escape_string($dirty);
}
return $clean;
}
To summarize: * addslashes() is a forced addition; () will determine the character set, However, there are requirements for the PHP version; * mysql_escape_string does not consider the current character set of the connection.