Database security for beginners in PHP
1.Prevent sql injection
The so-called SQL injection is to insert SQL commands into Web forms to submit or enter query strings for domain names or page requests. , and ultimately trick the server into executing malicious SQL commands.
We should never trust user input. We must assume that the data entered by the user is not safe. We all need to filter the data entered by the user.
For example, to register, the user needs to fill in Username, password, etc.
When we receive this data, we will judge it first. The first is the front-end page. We can use js to judge. If it is not legal in the front, then we have to go there again. After everything is filled in and is legal, the information we receive, such as the user name, has been registered. We need to query the database and judge it based on the user name information submitted in the form. If it exists, then registration is not allowed. We can also Use regular expressions to control its format. For example, it can only be Chinese or English, and it cannot exceed a few characters. Wait
We can also filter the data submitted by the form
To prevent SQL injection, we need to pay attention to the following points:
· 1 .Never trust user input. To verify the user's input, you can use regular expressions or limit the length; convert single quotes and double "-", etc.
· 2. Never use dynamic assembly of sql. You can use parameterized sql or directly use stored procedures for data query and access.
· 3. Never use a database connection with administrator privileges. Use a separate database connection with limited privileges for each application.
· 4. Do not store confidential information directly, encrypt or hash passwords and sensitive information.
· 5. The application's exception information should give as few hints as possible. It is best to use custom error information to wrap the original error message
· 6. Detection method of sql injection Generally, auxiliary software or website platforms are used for detection. The software generally uses the SQL injection detection tool jsky, and the website platform has the Yisi website security platform detection tool. MDCSOFT SCAN etc. Using MDCSOFT-IPS can effectively defend against SQL injection, XSS attacks, etc.
Prevent sql injection
In scripting languages, such as Perl and PHP, you can modify the data entered by the user Escape to prevent SQL injection.
PHP’s MySQL extension provides the mysql_real_escape_string() function to escape special input characters
<?php if (get_magic_quotes_gpc()) { $name = stripslashes($name); } $name = mysql_real_escape_string($name); mysql_query("SELECT * FROM users WHERE name='{$name}'"); ?>
Injection in Like statements
like when querying , if the values entered by the user include "_" and "%", this situation will occur: the user originally only wanted to query "abcd_", but the query results include "abcd_", "abcde", "abcdf", etc.; Problems will also occur when users want to query "30%" (note: thirty percent).
In PHP scripts we can use the addcslashes() function to handle the above situation, as shown in the following example:
<?php $sub = addcslashes(mysql_real_escape_string("%something_"), "%_"); // $sub == \%something\_ mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'"); ?>