PHP anti-sql injection method

藏色散人
Release: 2023-03-06 21:58:02
Original
11966 people have browsed it

php methods to prevent SQL injection: 1. Use the mysql_real_escape_string method to escape special characters in the string used in SQL statements; 2. Turn on magic_quotes_gpc to prevent SQL injection; 3. Prevent SQL injection through custom functions .

PHP anti-sql injection method

Recommended: "PHP Video Tutorial"

PHP Mysql method to prevent SQL injection

This article introduces the method of preventing SQL injection in PHP Mysql:

Method 1:

mysql_real_escape_string -- Escape the string used in the SQL statement special characters, taking into account the current character set of the connection!

$sql = "select count(*) as ctr from users where username
='".mysql_real_escape_string($username)."' and
password='". mysql_real_escape_string($pw)."' limit 1";
Copy after login

Method 2:

Open magic_quotes_gpc to prevent SQL injection. There is a setting in php.ini: magic_quotes_gpc = Off. This is turned off by default. If it is turned on, it will automatically convert user-submitted SQL queries, such as converting ' to \', etc., which plays a major role in preventing SQL injection.

If magic_quotes_gpc=Off, use the addslashes() function.

Method 3:

Custom function

/**
* 防止sql注入自定义方法一
* author: xiaochuan
* @param: mixed $value 参数值
*/ 
function check_param($value=null) { 
        #  select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile
    $str = 'select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile';
  
    if(!$value) {
  
        exit('没有参数!'); 
  
    }elseif(eregi($str, $value)) { 
  
        exit('参数非法!');
  
    }
  
    return true; 
} 
   
  
  
  
  
  
  
/**
* 防止sql注入自定义方法二
* author: xiaochuan
* @param: mixed $value 参数值
*/
function str_check( $value ) { 
  
    if(!get_magic_quotes_gpc()) { 
  
        // 进行过滤 
        $value = addslashes($value); 
  
    } 
  
    $value = str_replace("_", "\_", $value); 
  
    $value = str_replace("%", "\%", $value); 
       
   return $value; 
} 
   
  
  
  
  
  
/**
* 防止sql注入自定义方法三
* author: xiaochuan
* @param: mixed $value 参数值
*/
function post_check($value) { 
  
    if(!get_magic_quotes_gpc()) {
  
        // 进行过滤  
        $value = addslashes($value);
  
    } 
  
    $value = str_replace("_", "\_", $value); 
  
    $value = str_replace("%", "\%", $value); 
  
    $value = nl2br($value); 
  
    $value = htmlspecialchars($value); 
  
    return $value; 
}
Copy after login

The above is the details of how to prevent SQL injection in PHP Mysql

The above is the detailed content of PHP anti-sql injection method. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!