How to prevent sql injection

Methods to prevent sql injection: 1. Turn on settings such as "magic_quotes_gpc" in the configuration file; 2. Use addslashes to convert sql statements when executing sql statements; 3. Try not to omit double quotes and single quotes when writing Sql statements. Quotation marks; 4. Filter out some keywords in sql statements; 5. Improve database naming skills, etc.

Ways to prevent SQL injection are: use addslashes to convert the SQL statement when executing the SQL statement, filter out some keywords in the SQL statement, and improve the database table and Field naming techniques, etc.

Causes of SQL injection

During the program development process, you did not pay attention to standard writing of SQL statements and filtering of special characters, which caused the client to pass global variables POST and GET Submit some sql statements for normal execution.

How to prevent SQL injection

1. Turn on the magic_quotes_gpc and magic_quotes_runtime settings in the configuration file

2. Use addslashes for sql when executing sql statements Statement conversion

3. When writing Sql statements, try not to omit double quotes and single quotes.

4. Filter out some keywords in the sql statement: update, insert, delete, select, *.

5. Improve the naming skills of database tables and fields. Name some important fields according to the characteristics of the program and choose ones that are difficult to guess.

6. Set register_globals to off in the Php configuration file and turn off global variable registration.

7. Control error messages. Do not output error messages on the browser and write error messages to the log file. .

8. You can use the waf protection system for protection.

The above is the detailed content of How to prevent sql injection. For more information, please follow other related articles on the PHP Chinese website!