PHP anti-sql injection method-PHP Problem-php.cn

PHP anti-sql injection method

藏色散人

Release： 2023-03-06 21:58:02

Original

11949 people have browsed it

php methods to prevent SQL injection: 1. Use the mysql_real_escape_string method to escape special characters in the string used in SQL statements; 2. Turn on magic_quotes_gpc to prevent SQL injection; 3. Prevent SQL injection through custom functions .

PHP anti-sql injection method

Recommended: "PHP Video Tutorial"

PHP Mysql method to prevent SQL injection

This article introduces the method of preventing SQL injection in PHP Mysql:

Method 1:

mysql_real_escape_string -- Escape the string used in the SQL statement special characters, taking into account the current character set of the connection!

$sql = "select count(*) as ctr from users where username
=&#39;".mysql_real_escape_string($username)."&#39; and
password=&#39;". mysql_real_escape_string($pw)."&#39; limit 1";

Copy after login

Method 2:

Open magic_quotes_gpc to prevent SQL injection. There is a setting in php.ini: magic_quotes_gpc = Off. This is turned off by default. If it is turned on, it will automatically convert user-submitted SQL queries, such as converting ' to \', etc., which plays a major role in preventing SQL injection.

If magic_quotes_gpc=Off, use the addslashes() function.

Method 3:

Custom function

/**
* 防止sql注入自定义方法一
* author: xiaochuan
* @param: mixed $value 参数值
*/ 
function check_param($value=null) { 
        #  select|insert|update|delete|\&#39;|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile
    $str = &#39;select|insert|and|or|update|delete|\&#39;|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile&#39;;
  
    if(!$value) {
  
        exit(&#39;没有参数！&#39;); 
  
    }elseif(eregi($str, $value)) { 
  
        exit(&#39;参数非法！&#39;);
  
    }
  
    return true; 
} 
   
  
  
  
  
  
  
/**
* 防止sql注入自定义方法二
* author: xiaochuan
* @param: mixed $value 参数值
*/
function str_check( $value ) { 
  
    if(!get_magic_quotes_gpc()) { 
  
        // 进行过滤 
        $value = addslashes($value); 
  
    } 
  
    $value = str_replace("_", "\_", $value); 
  
    $value = str_replace("%", "\%", $value); 
       
   return $value; 
} 
   
  
  
  
  
  
/**
* 防止sql注入自定义方法三
* author: xiaochuan
* @param: mixed $value 参数值
*/
function post_check($value) { 
  
    if(!get_magic_quotes_gpc()) {
  
        // 进行过滤  
        $value = addslashes($value);
  
    } 
  
    $value = str_replace("_", "\_", $value); 
  
    $value = str_replace("%", "\%", $value); 
  
    $value = nl2br($value); 
  
    $value = htmlspecialchars($value); 
  
    return $value; 
}

Copy after login

The above is the details of how to prevent SQL injection in PHP Mysql

The above is the detailed content of PHP anti-sql injection method. For more information, please follow other related articles on the PHP Chinese website!