PHP uses addslashes function to implement SQL injection prevention example explanation

We know that the addslashes() function adds a backslash before certain predefined characters in the input string. So how does it relate to our anti-sql injection? What is sql injection?

SQL injection attacks are the most common means used by hackers to attack websites. If your site does not use strict user input validation, it is often vulnerable to SQL injection attacks. SQL injection attacks are usually implemented by submitting bad data or query statements to the site database

, which may cause records in the database to be exposed, changed or deleted. This articlemainly introducesphp uses addslashes function to implement sql anti-injection example explanation,pass The example describes the use of addslashes function to prevent SQL injection.

Example

The parameter 'a..z' defines that all uppercase and lowercase letters are escaped, the code is as follows:

echo addcslashes('foo[ ]','a..z'); //输出：foo[ ] 
$str="is your name o'reilly?"; //定义字符串，其中包括需要转义的字符 
echo addslashes($str);  //输出经过转义的字符串

Definition And usage:

addslashes() function adds a backslash before the specified predefined characters.

These predefined characters are: single quotation mark ('), double quotation mark ("), reverse Slash(),null

Syntax:

addslashes(string)

Of course this function is safer, the example code is as follows:

$str="test"; //定义包含特殊字符的字符串 
$new=htmlspecialchars($str,ent_quotes);  //进行转换操作 
echo $new;           //输出转换结果 
//不过输出时要用到 
$str="jane & 'tarzan'";  //定义html字符串 
echo html_entity_decode($str);   //输出转换后的内容 
echo "
"; 
echo html_entity_decode($str,ent_quotes); //有可选参数输出的内容

This article is good for PHP security program design Reference value. However, there are ways to circumvent using addslashes to prevent SQL injection hackers, and it is not that safe. Many PHP programmers still rely on addslashes to prevent SQL injection.

## Enter, it is recommended that you strengthen the check to prevent SQL injection in Chinese. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte character.

The 0xbf5c is still regarded as a single quote, so addslashes cannot successfully intercept it. Of course, addslashes is not useless, it is used for single words. Processing of section strings

php addslashes() function and stripslashes() function examples detailed explanation

Detailed examples of the difference between php stripslashes() function and addslashes() function

The above is the detailed content of PHP uses addslashes function to implement SQL injection prevention example explanation. For more information, please follow other related articles on the PHP Chinese website!