Home > Backend Development > PHP Tutorial > PHP prevent sql injection method and example code

PHP prevent sql injection method and example code

WBOY
Release: 2016-07-25 09:12:16
Original
1254 people have browsed it

PHP preventing sql injection is a very important security method.

In addition to being able to write code smoothly, an excellent PHP programmer also needs to have the ability to keep the program in a safe environment. Today we are going to explain to you how to prevent SQL injection in PHP. When it comes to website security, we have to mention sql injection. If you have used ASP, you must have a deep understanding of sql injection. The security of php is relatively high. This is because versions below mysql4 do not support subtitles. statement, and when magic_quotes_gpc in php.ini is on.

All ' (single quotes), " (double quotes), (backslashes) and null characters in the submitted variables will be automatically converted into escape characters containing backslashes, causing a lot of trouble for SQL injection. Please see clearly: It's just "trouble" ~ This does not mean that PHP prevents SQL injection. The book talks about how to use changing the encoding of the injection statement to bypass escaping, such as converting the SQL statement into ascii encoding (similar: char (100,58,92,108,111,99,97,108,104,111,115,116...) format), or converted to hexadecimal encoding, or even other forms of encoding. In this way, the escape filtering is bypassed, so how to prevent it:

a. Open magic_quotes_gpc or use addslashes() function In the new version of PHP, even if magic_quotes_gpc is turned on, there will be no conflict when using the addslashes() function. However, in order to better achieve version compatibility, it is recommended to check the magic_quotes_gpc status before using the transfer function, or turn it off directly. code show as below: PHP code to prevent SQL injection

  1. //Remove escape characters
  2. function stripslashes_array($array) {
  3. if (is_array($array)) {
  4. foreach ($array as $k => $v) {
  5. $array[$ k] = stripslashes_array($v);
  6. }
  7. } else if (is_string($array)) {
  8. $array = stripslashes($array);
  9. }
  10. return $array;
  11. }
  12. @set_magic_quotes_runtime(0);
  13. // Determine magic_quotes_gpc status
  14. if (@get_magic_quotes_gpc()) {
  15. $_get = stripslashes_array($_get);
  16. $_post = stripslashes_array($_post);
  17. $_cookie = stripslashes_array($_cookie);
  18. }
Copy the code

Remove the escaping of magic_quotes_gpc and then use the addslashes function. The code is as follows: PHP code to prevent SQL injection

  1. $keywords = addslashes($keywords);
  2. $keywords = str_replace("_","_",$keywords);//Escape "_"
  3. $keywords = str_replace("%" ,"%",$keywords);//Escape "%"
Copy code

The purpose of the last two str_replace replacement escapes is to prevent hackers from converting sql encoding for attacks.

b. Force character format (type) Many times we need to use URLs like xxx.php?id=xxx. Generally speaking, $id is an integer variable. In order to prevent attackers from tampering with $id into attack statements, we must try to force the variable. The code is as follows : PHP code to prevent SQL injection $id=intval($_get['id']); Of course, there are other variable types, try to force the format if necessary.

c. The sql statement contains variables in quotation marks This is very simple, but it is also easy to form a habit. Let's take a look at these two SQL statements first:

  1. select * from article where articleid='$id'
  2. select * from article where articleid=$id
Copy code

Both writing methods are common in various programs, but they are not safe are different. The first sentence puts the variable $id in a pair of single quotes, which turns the variables we submitted into strings. Even if it contains the correct SQL statement, it will not be executed normally, while the second sentence will not be executed normally. The two sentences are different. Since the variables are not put in single quotes, as long as everything we submit contains spaces, the variables after the spaces will be executed as SQL statements. Therefore, we must develop the habit of adding quotes to the variables in SQL statements. Habit.

d.url pseudo-static URL pseudo-static is also a URL rewriting technology, like discuz! Similarly, it is a good idea to rewrite all URLs into a format similar to xxx-xxx-x.html, which is beneficial to SEO and achieves a certain level of security. But in order to prevent SQL injection in PHP, the premise is that you must have a certain "regular" foundation.



source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template