PHP tutorial: several ways to prevent SQL injection
1. Filter dangerous keywords and characters
In practice, user input that ends up in a query has to be checked for the usual SQL keywords and special characters, such as:
select, insert, update, delete, and, *, etc.
Example:
function inject_check($sql_str) {
    // Blacklist check: returns 1 if any listed keyword or character appears in the input, 0 otherwise.
    // The original used eregi(), which was removed in PHP 7; preg_match() with the /i flag is the replacement.
    // The '~' delimiter avoids having to escape the '/' characters inside the pattern.
    return preg_match("~select|insert|update|delete|'|/\*|\*|\.\./|\./|union|into|load_file|outfile~i", $sql_str);
}
Or escape the special characters with the built-in function addslashes():
addslashes($content_to_filter)
Note that addslashes() knows nothing about the database connection's character set, so with a multibyte charset such as GBK the inserted backslash can be swallowed into a valid two-byte character and the quote left unescaped. Prefer prepared statements (PDO or mysqli), or at least the driver's own escaping function such as mysqli_real_escape_string().
2. Other PHP security settings
1. Set register_globals = Off (the directive was removed entirely in PHP 5.4, so this only applies to legacy installations).
2. When writing SQL statements, do not omit the backticks around identifiers or the single quotes around values:
select * from table where id=2 (not standardized)
select * from `table` where `id`='2' (standard)
3. Read parameters only from the proper superglobals ($_POST, $_GET, $_SESSION, etc.) and filter them before use.
4. Choose database table and column names carefully. Important fields can be named according to the conventions of your own program rather than obvious defaults, so the schema is harder to guess.
5. Encapsulate database access in common methods so that SQL statements are not assembled directly throughout the application code.
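The following example is added by the editor and is not code from the original tutorial. It puts the blacklist filter from section 1 and the encapsulation advice from item 5 side by side: an attacker input that the blacklist misses, the concatenated query it breaks, and the prepared-statement version that is immune to it. The `users` table, its rows and the attacker payload are constructed for the demonstration; an in-memory SQLite database is used through PDO so the script runs offline (with MySQL only the DSN changes). Identifiers such as column names cannot be bound as parameters, so the last function shows the whitelist-plus-backticks approach instead.

```php
<?php
// Added example (not from the original tutorial). Runs offline against SQLite via PDO.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample schema and data.
    $db->exec('CREATE TABLE `users` (`id` INTEGER PRIMARY KEY, `name` TEXT, `role` TEXT)');
    $db->exec("INSERT INTO `users` VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");
    return $db;
}

// The tutorial's blacklist, rewritten with preg_match() (eregi() no longer exists in PHP 7+).
function inject_check(string $sql_str): int {
    return preg_match("~select|insert|update|delete|'|/\*|\*|\.\./|\./|union|into|load_file|outfile~i", $sql_str);
}

// Vulnerable: the parameter is concatenated into the statement text.
function vulnerable_lookup(PDO $db, string $id): array {
    $sql = "SELECT `name` FROM `users` WHERE `id`=" . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound integer parameter, never as SQL text.
function safe_lookup(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT `name` FROM `users` WHERE `id` = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Identifiers cannot be bound, so the column name is checked against an
// assumed whitelist before being wrapped in backticks; the value is still bound.
function safe_lookup_by_column(PDO $db, string $column, string $value): array {
    $allowed = ['name', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    $stmt = $db->prepare("SELECT `id` FROM `users` WHERE `$column` = :v");
    $stmt->execute([':v' => $value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
$payload = '1 OR 1=1';                      // constructed attacker input
var_dump(inject_check($payload));           // int(0): no blacklisted token, the filter passes it
print_r(vulnerable_lookup($db, $payload));  // WHERE id=1 OR 1=1 leaks every row
print_r(safe_lookup($db, $payload));        // (int) '1 OR 1=1' === 1, only alice is returned
print_r(safe_lookup_by_column($db, 'role', 'admin'));
```

The point of the payload is that a keyword blacklist only blocks the tokens its author thought of: `OR` is not on the tutorial's list, so `inject_check()` returns 0 and the concatenated query returns both users. The prepared statement needs no filter at all, because the driver never treats the bound value as SQL. Wrapping the queries in functions like these is also what item 5 asks for: the application calls `safe_lookup()` and never assembles SQL itself.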