Introduction to the Principle of Preventing SQL Injection in PHP_PHP Tutorial

WBOY
Release: 2016-07-13 17:10:48
Original
1210 people have browsed it

Although many domestic PHP programmers still rely on addslashes to prevent SQL injection, it is recommended that everyone strengthen checks to prevent SQL injection in Chinese. The problem with addslashes is that hackers can use 0xbf27 instead of single quotes, while addslashes only changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte character. 0xbf5c is still regarded as a single quote, so addslashes cannot successfully intercept.

Of course, addslashes is not useless. It is used for processing single-byte strings. For multi-byte characters, use mysql_real_escape_string.

Turn on magic_quotes_gpc to prevent SQL injection

There is a setting in php.ini: magic_quotes_gpc = Off
This is turned off by default. If it is turned on, it will automatically convert the SQL query submitted by the user,
For example, converting ' to ', etc., plays a significant role in preventing SQL injection.

If magic_quotes_gpc=Off, use the addslashes() function

In addition, for the example of get_magic_quotes_gpc in the php manual:

The code is as follows Copy code
 代码如下 复制代码

if (!get_magic_quotes_gpc()) {

  $lastname = addslashes($_POST[‘lastname’]);

  } else {

  $lastname = $_POST[‘lastname’];

}

if (!get_magic_quotes_gpc()) {

$lastname = addslashes($_POST[‘lastname’]);

 } else {

$lastname = $_POST[‘lastname’];

}

It is best to check $_POST[’lastname’] when magic_quotes_gpc is already open.
 代码如下 复制代码

$sql = "select count(*) as ctr from users where username02.='".mysql_real_escape_string($username)."' and 03.password='". mysql_real_escape_string($pw)."' limit 1";

Let’s talk about the difference between the two functions mysql_real_escape_string and mysql_escape_string: mysql_real_escape_string can only be used under (PHP 4 >= 4.3.0, PHP 5). Otherwise, you can only use mysql_escape_string. The difference between the two is: mysql_real_escape_string takes into account the current character set of the connection, while mysql_escape_string does not. (1) mysql_real_escape_string -- Escape special characters in strings used in SQL statements, taking into account the current character set of the connection How to use it:
The code is as follows Copy code
$sql = "select count(*) as ctr from users where username02.='".mysql_real_escape_string($username)."' and 03.password='". mysql_real_escape_string($pw)."' limit 1" ;


Custom function

} elseif(inject_check($id)) { exit('The submitted parameters are illegal!');

The code is as follows
 代码如下 复制代码


function inject_check($sql_str) {
    return eregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str);
}
 
function verify_id($id=null) {
    if(!$id) {
        exit('没有提交参数!');
    } elseif(inject_check($id)) {
        exit('提交的参数非法!');
    } elseif(!is_numeric($id)) {
        exit('提交的参数非法!');
    }
    $id = intval($id);
    
    return $id;
}
 
 
function str_check( $str ) {
    if(!get_magic_quotes_gpc()) {
        $str = addslashes($str); // 进行过滤
    }
    $str = str_replace("_", "_", $str);
    $str = str_replace("%", "%", $str);
    
   return $str;
}
 
 
function post_check($post) {
    if(!get_magic_quotes_gpc()) {
        $post = addslashes($post);
    }
    $post = str_replace("_", "_", $post);
    $post = str_replace("%", "%", $post);
    $post = nl2br($post);
    $post = htmlspecialchars($post);
    
    return $post;
}

Copy code

function inject_check($sql_str) {

Return eregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile', $sql_str);

}


function verify_id($id=null) {
If(!$id) {

exit('No parameters submitted!');
} elseif(!is_numeric($id)) { exit('The submitted parameters are illegal!');

}

$id = intval($id); Return $id; } function str_check( $str ) { If(!get_magic_quotes_gpc()) {             $str = addslashes($str); // Filter } $str = str_replace("_", "_", $str); $str = str_replace("%", "%", $str); ​  
Return $str; }
function post_check($post) { If(!get_magic_quotes_gpc()) { $post = addslashes($post); } $post = str_replace("_", "_", $post); $post = str_replace("%", "%", $post); $post = nl2br($post); $post = htmlspecialchars($post); ​   Return $post; } To summarize: * addslashes() is a forced addition; * mysql_real_escape_string() will determine the character set, but there are requirements for the PHP version; * mysql_escape_string does not take into account the current character set of the connection. To prevent sql injection in dz, use the addslashes function, and perform some replacements in the dthmlspecialchars function $string = preg_replace(/&(((#(d{3,5}|x[a-fA-F0-9] {4}));)/, &1, This replacement solves the problem of injection and also solves some problems with Chinese garbled characters . http://www.bkjia.com/PHPjc/629626.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629626.htmlTechArticleAlthough many domestic PHP programmers still rely on addslashes to prevent SQL injection, it is recommended that everyone strengthen checks to prevent SQL injection in Chinese . The problem with addslashes is that hackers can use 0xbf27 instead...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template