Home > Backend Development > PHP Tutorial > PHP effective method to prevent sql injection_PHP tutorial

PHP effective method to prevent sql injection_PHP tutorial

WBOY
Release: 2016-07-13 17:10:00
Original
848 people have browsed it

For data security and to prevent injection, the string obtained by $_GET needs to be filtered. At the beginning, I wrote the filtering function myself, and then

Let’s see a filter function that comes with the PHP tutorial, so I recommend addslashes to everyone.
An example of using addslashes() is when you are entering data into a database tutorial. For example, change the name O'reilly

is inserted into the database, which requires escaping it. Most databases use as escape character: O'reilly. This

This way you can put data into the database without inserting extra . When the PHP directive magic_quotes_sybase is

When set to on, it means that ' will be escaped when inserting '.
Example:

MySQL tutorial and PHP come with many functions that can handle character problems. Here are a few that are frequently used.
ps tutorial: Since php6 does not support magic_quotes_gpc, the following things are assumed

On the condition that magic_quotes_gpc=off (I don’t know what new things will come out in php6...)

mysql_real_escape_string()
Definition: Function escapes special characters in strings used in SQL statements.
Syntax: mysql_real_escape_string(string,connection)
Description: This function escapes special characters in string and takes into account the current character set of the connection, so it can be safely used in

mysql_query().
Since the example code is too long, a function explanation link is given


This function escapes special characters in a string and takes into account the current character set of the connection, so it is safe to use with

mysql_query().
Database attacks. This example demonstrates what happens if we don’t apply the mysql_real_escape_string() function to username and password

What happens:

$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);

//Do not check username and password
// It can be anything entered by the user, such as:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

// Some code...

mysql_close($con);
?>Then the SQL query will look like this:

SELECT * FROM users
WHERE user='john' AND password='' OR ''='' This means no user needs to enter a valid password

Login


addSlashes()
Definition: The addslashes() function adds a backslash before the specified predefined characters.
Syntax: addslashes(string)
Note: By default, the PHP directive magic_quotes_gpc is on for all GET, POST and COOKIE

Data automatically runs addslashes(). Do not use

on strings that have been escaped by magic_quotes_gpc

addslashes(), because this will cause double escaping. When encountering this situation, you can use the function

get_magic_quotes_gpc() for detection.
Since the example code is too long, a function explanation link is given
Related functions

$str = "Is your name O'reilly?";

// Output: Is your name O'reilly?
echo addslashes($str);
?>

StripSlashes() removes backslash characters

The stripslashes() function removes backslashes added by the addslashes() function.

Grammar
stripslashes(string)

echo stripslashes("Who's John Adams?");
?>

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629711.htmlTechArticleFor data security, to prevent injection, it is necessary to filter the string obtained by $_GET. At the beginning, I wrote the filtering function myself. , and later I saw a filter function that comes with the PHP tutorial, so I added addsla...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template