Home > Backend Development > PHP Tutorial > PHP program to prevent MySQL injection or HTML form abuse_PHP Tutorial

PHP program to prevent MySQL injection or HTML form abuse_PHP Tutorial

WBOY
Release: 2016-07-21 15:48:06
Original
799 people have browsed it

The intention of MySQL injection is to take over the website database and steal information. Common open source databases, such as MySQL, have been used by many website developers to store important information such as passwords, personal information, and administrative information.
MySQL is popular because it is used with the most popular server-side scripting language, PHP. Moreover, PHP is the main language of the Linux-Apache server that dominates the Internet. Therefore, this means that hackers can easily exploit PHP just like Windows spyware.
Hackers input large amounts of malicious code into an unsecured web form (via drop-down menus, search boxes, contact forms, query forms and checkboxes).
The malicious code will be sent to the MySQL database and then "injected". To view this process, first consider the following basic MySQL SELECT query statement:
SELECT * FROM xmen WHERE username = 'wolverine'
This query will ask the database with the "xmen" table to return a certain user name in MySQL Data for "wolverine".
In the web form, the user will enter wolverine and then this data will be passed to the MySQL query.
If the input is invalid, there are other ways for hackers to take control of the database, such as setting a username:
' OR ''=''
You might think it is safe to perform the input using normal PHP and MySQL syntax, because Whenever someone enters malicious code, they will get an "invalid query" message, but that's not the case. Hackers are smart, and because it involves database cleanup and resetting administrative privileges, any security hole is not easy to correct.
Two common misunderstandings about MySQL injection attacks are as follows:
1. Network administrators believe that malicious injections can be cleaned up with anti-virus software or anti-spyware software. The fact is that this type of infection exploits weaknesses in the MySQL database. It cannot simply be removed by any anti-spyware or antivirus program.
2. MySQL injection is caused by copying an infected file from another server or external source. This is not the case. This type of infection occurs when someone enters malicious code into an unprotected form on a website and then accesses the database. MySQL injection can be cleaned up by removing the malicious script, rather than using an antivirus program.
User input validation process
Back up a clean database and place it outside the server. Export a set of MySQL tables and save them on the desktop.
Then go to the server and turn off the form input temporarily. This means that the form cannot process the data and the website is shut down.
Then start the cleaning process. First, on your server, clean up any remaining messy MySQL injections. Change all database, FTP and website passwords.
In the worst case scenario, if you are late cleaning up, you can double check for hidden programs running on your server. These hidden programs are Trojans installed by hackers. Remove it completely and change all FTP permissions. Scan the server for all Trojans and malware.
When you modify the PHP script program, the form data will be processed. A good way to prevent MySQL injection is to not even trust user data. User input validation is very important to prevent MySQL injection.
Design a filter to filter out user input. Here are a few tips:
1. The input to the form is numbers. You can verify that it is a number by testing that it is equal to or greater than 0.001 (assuming you don't accept a zero).
2. If it is an email address. Verify that it consists of allowed character combinations like "@", A-Z, a-z or some numbers.
3. If it is a person’s name or user name. It can be verified by whether it contains any illegal characters, such as and and *, which are malicious characters that can be used for SQL injection.
Verify numeric input
The following script validates whether a valid number from 0.001 to infinity is entered. It is worth mentioning that in a PHP program, you can even allow the use of numbers within a certain range. Use this validation script to ensure that only a number is entered into the form.
Suppose there are three numeric variables in the program; you need to verify them, we name them num1, num2 and num3:

Copy code Code As follows:

//Validate numerical input
 if($_POST['num1'] >= 0.001 && $_POST['num2'] >= 0.001 && $_POST['num3 '] >= 0.001)
 {
 }
else
 {
 }
 ?>

And the condition can be extended to accommodate More than three digits. So if you have 10, you will only need to expand the AND statement.
This can be used to validate a form that only accepts numbers, such as contract quantities, license numbers, phone numbers, etc.
Validate text and email address inputs
The following can be used to validate form inputs such as usernames, first names, and email addresses:
Copy code The code is as follows:

//Validate text input
 if (! preg_match('/^[-a-z.-@,'s]*$/i',$_POST['name ']))
 {
 }
else
if ($empty==0)
{
 }
else
{
 }
?>

One advantage of this validation script is that it does not accept blank input. Some malicious users also manipulate databases through blank inputs. Using the script above, only validate one literal variable, "$name". This means that if you have three text variables, you can set up a validation script for each variable to ensure that each variable passes the review before entering the database.

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/319809.htmlTechArticleThe intention of MySQL injection is to take over the website database and steal information. Common open source databases, such as MySQL, have been used by many website developers to store important information, such as passwords, personal information...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template