PHP SQL injection prevention and attack technology implementation and methods (1/4)_PHP tutorial

php tutorial sql injection prevention and attack technology implementation and methods
1. The magic_quotes_gpc option in the php configuration file php.ini is not turned on and is set to off

　2. The developer did not check and escape the data type

But in fact, the second point is the most important. I think that checking the data type entered by the user and submitting the correct data type to the mysql tutorial should be the most basic quality of a web programmer. But in reality, many novice web developers often forget this, leaving the backdoor wide open.

Why is the second point the most important? Because without the second guarantee, the magic_quotes_gpc option, whether it is on or off, may cause SQL injection attacks. Let’s take a look at the technical implementation:

1. Injection attack when magic_quotes_gpc = off
Magic_quotes_gpc = off is a very unsafe option in php. The new version of php has changed the default value to on. But there are still quite a few servers with the option off. After all, no matter how antique the server is, there are still people using it.

When magic_quotes_gpc = on, it will automatically add all '(single quotes), "(double signs), (backslashes), and whitespace characters in the submitted variables in front. The following is Official description of php:

magic_quotes_gpc boolean

sets the magic_quotes state for gpc (get/post/cookie) operations. when magic_quotes are on, all ' (single-quote), " (double quote), (backslash) and nul's are escaped with a backslash automatically

1 2 3 4

http://www.bkjia.com/PHPjc/629722.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629722.htmlTechArticlephp tutorial sql injection prevention and attack technology implementation and methods 1. There is no magic_quotes_gpc option in the php configuration file php.ini Open, set to off 2. The developer did not modify the data type...