In addition to being able to write code smoothly, an excellent PHP programmer also needs to have the ability to keep the program in a safe environment. Today we are going to explain to you how to prevent SQL injection in PHP.
When it comes to website security, we have to mention SQL Injection. If you have used ASP, you must have a deep understanding of SQL injection. PHP has relatively high security. This is because versions below MYSQL4 Substatements are not supported and when magic_quotes_gpc in php.ini is On.
All ' (single quotes), " (double quotes), (backslashes) and null characters in the submitted variables will be automatically converted into escape characters containing backslashes, which will bring a lot of trouble to SQL injection. Trouble.
Please see clearly: It’s just “troublesome”~ This does not mean that PHP prevents SQL injection. The book talks about how to bypass escaping by changing the encoding of the injected statement, such as converting the SQL statement into ASCII encoding ( Similar to: char (100,58,92,108,111,99,97,108,104,111,115,116...) format), or converted to hexadecimal encoding, or even other forms of encoding, so that the escape filtering is bypassed, so what? What about precautions:
a. Open magic_quotes_gpc or use addslashes() function
In the new version of PHP, even if magic_quotes_gpc is turned on, there will be no conflict when using the addslashes() function. However, in order to achieve better version compatibility, it is recommended to check the magic_quotes_gpc status before using the transfer function, or directly Turn it off, the code is as follows:
PHP code to prevent SQL injection
Remove the escaping of magic_quotes_gpc and then use the addslashes function. The code is as follows:
PHP code to prevent SQL injection
The purpose of the last two str_replace replacement escapes is to prevent hackers from converting SQL encoding for attacks.
b. Force character format (type)
In many cases we need to use URLs like xxx.php?id=xxx. Generally speaking, $id is an integer variable. In order to prevent attackers from tampering with $id into attack statements, we must try to force the variable , the code is as follows:
PHP code to prevent SQL injection
$id=intval($_GET['id']);
Of course, there are other variable types, try to force the format if necessary.
c. The SQL statement contains variables with quotes
This is very simple, but it is also easy to form a habit. Let’s take a look at these two SQL statements first:
SQL code
Both writing methods are common in various programs, but the security is different. The first sentence puts the variable $id in a pair of single quotes, which makes the variables we submit become characters. The string, even if it contains the correct SQL statement, will not be executed normally. The second sentence is different. Since the variables are not put in single quotes, everything we submit, as long as it contains spaces, the variables after the spaces will be used as SQL statements are executed, so we need to develop the habit of adding quotes to variables in SQL statements.
d.URL pseudo-static
URL pseudo-static is URL rewriting technology, like Discuz! Similarly, it is a good idea to rewrite all URLs into a format similar to xxx-xxx-x.html, which is beneficial to SEO and achieves a certain level of security. But in order to prevent SQL injection in PHP, the premise is that you must have a certain "regular" foundation.