PHP防注入求教?
目前我知道的sql攻击是填入了大量的 '%这样的特殊字符来实现的,如果我是登陆界面想要防sql攻击,
我知道用户名和密码不会出现特殊字符,我使用正则匹配,只要出现了特殊字符我直接就将其打死,这样处理好吗?
还有,addslashes 一般做什么用的啊?麻烦高手多分享下防注入这些,小白知道的太少了。
主要是以下不是很清楚:
magic_quotes_gpc=off
magic_quotes_gpc=on
addslashes()
stripslashes()
str_replace();
如果不是登陆、搜索等入口页面,平时php页面正常的dql语句应该不用考虑注入问题吧。
回复讨论(解决方案)
// 适用各个 PHP 版本的用法if (get_magic_quotes_gpc()) { $lastname = stripslashes($_POST['lastname']);}else { $lastname = $_POST['lastname'];}// 如果使用 MySQL$lastname = mysql_real_escape_string($lastname);echo $lastname; // O\'reilly$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
// 适用各个 PHP 版本的用法if (get_magic_quotes_gpc()) { $lastname = stripslashes($_POST['lastname']);}else { $lastname = $_POST['lastname'];}// 如果使用 MySQL$lastname = mysql_real_escape_string($lastname);echo $lastname; // O\'reilly$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";你这个应该是经验哦,实际开发中,好用不?
好用不好用,自己用了才知道。
好用不好用,自己用了才知道。
我想问一下,你上面的写法两个问题:
1.好像说的是如果magic_quotes_gpc开启了,含有 特殊字符的sql会顺利加入mysql,加入的时候不再需要addslashes(),取值的时候也不需要stripslashes(),因为系统已经处理了,你上面好像还处理了一下,是这样的么?
if (get_magic_quotes_gpc()) { //如果 magic_quotes_gpc开启了,则会影响 post、get、cookie 请求的数据,单/双引号、反斜杠会在前面自动加上反斜杠,因此要先用stripslashes去掉反斜杠以免出现双重转义 $lastname = stripslashes($_POST['lastname']);}else { //否则取原数据 $lastname = $_POST['lastname'];}
if (get_magic_quotes_gpc()) { //如果 magic_quotes_gpc开启了,则会影响 post、get、cookie 请求的数据,单/双引号、反斜杠会在前面自动加上反斜杠,因此要先用stripslashes去掉反斜杠以免出现双重转义 $lastname = stripslashes($_POST['lastname']);}else { //否则取原数据 $lastname = $_POST['lastname'];}先感谢,我现在意识到有两层意思:
1.特殊字符能不能正常被mysql执行,和转义有关。
2.能被mysql执行,但是会出现恶意特殊字符让mysql执行注入。
不知道对不对,对于mysql注入,应该是利用了mysql能够识别并执行一些特殊字符,但是出现了恶意的执行结果是吧?
magic_quotes_gpc 开关
php 5.3 默认关闭
php 5.4 已取消
判断 get_magic_quotes_gpc() 的返回,已是远古的事情了
只要sql语句书写规范,就没有问题。例如不要使用字符串连接,而是使用代入。正确地使用引号。使用PDO。
绝对安全是不可能的。与成本有很大关系。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Working with Flash Session Data in Laravel
Mar 12, 2025 pm 05:08 PM
Laravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-
cURL in PHP: How to Use the PHP cURL Extension in REST APIs
Mar 14, 2025 am 11:42 AM
The PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.
Simplified HTTP Response Mocking in Laravel Tests
Mar 12, 2025 pm 05:09 PM
Laravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>
12 Best PHP Chat Scripts on CodeCanyon
Mar 13, 2025 pm 12:08 PM
Do you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom
Explain the concept of late static binding in PHP.
Mar 21, 2025 pm 01:33 PM
Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo
PHP Logging: Best Practices for PHP Log Analysis
Mar 10, 2025 pm 02:32 PM
PHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot
HTTP Method Verification in Laravel
Mar 05, 2025 pm 04:14 PM
Laravel simplifies HTTP verb handling in incoming requests, streamlining diverse operation management within your applications. The method() and isMethod() methods efficiently identify and validate request types. This feature is crucial for building
Discover File Downloads in Laravel with Storage::download
Mar 06, 2025 am 02:22 AM
The Storage::download method of the Laravel framework provides a concise API for safely handling file downloads while managing abstractions of file storage. Here is an example of using Storage::download() in the example controller:
