Summary and analysis of PHP anti-sql injection methods

SQL injection is a problem that everyone often considers in program development. Let me analyze the common SQL injection prevention codes. Friends in need can refer to it.

1. Basic principles of PHP submission data filtering

1) When submitting variables into the database, we must use addslashes() for filtering. For example, our injection problem can be solved with just one addslashes(). In fact, when it comes to variable values, the intval() function is also a good choice for filtering strings.

2) Enable magic_quotes_gpc and magic_quotes_runtime in php.ini. magic_quotes_gpc can change the quotation marks in get, post, and cookie into slashes. magic_quotes_runtime can play a formatting role in data entering and exiting the database. In fact, this parameter has been very popular since the old days when injection was crazy.

The code is as follows

Copy code

代码如下

复制代码

if ( isset($_POST["f_login"] ) )
{
// 连接数据库...
// ...代码略...

// 检查用户是否存在
$t_strUname = $_POST["f_uname"];
$t_strPwd = $_POST["f_pwd"];
$t_strSQL = "SELECT * FROM tbl_users WHERE username='$t_strUname' AND password = '$t_strPwd' LIMIT 0,1";

if ( $t_hRes = mysql_query($t_strSQL) )
{
// 成功查询之后的处理. 略...
}
}
?>

sample test

if ( isset($_POST["f_login"] ) )
{

// Connect to database...

// ...The code is abbreviated...

代码如下	复制代码
$new = htmlspecialchars("Test", ENT_QUOTES); strip_tags($text,);

// Check if the user exists

$t_strUname = $_POST["f_uname"];

$t_strPwd = $_POST["f_pwd"];

$t_strSQL = "SELECT * FROM tbl_users WHERE username='$t_strUname' AND password = '$t_strPwd' LIMIT 0,1";

if ( $t_hRes = mysql_query($t_strSQL) )
{
// Processing after successful query. Omitted...

}

sample test

3) When using system functions, you must use escapeshellarg() and escapeshellcmd() parameters to filter, so that you can use system functions with confidence. 4) For cross-site, both parameters of strip_tags() and htmlspecialchars() are good. All tags with html and php submitted by users will be converted. For example, angle brackets "<" will be converted into harmless characters such as "<". <🎜>

The code is as follows

Copy code

$new = htmlspecialchars("Test", ENT_QUOTES); strip_tags($text,); 5) Regarding the filtering of related functions, just like the previous include(), unlink, fopen(), etc., as long as you specify the variables you want to perform the operation or strictly filter the related characters, I think this will be enough. Impeccable. 2. Simple data filtering with PHP 1) Storage: trim($str),addslashes($str) 2) Deposit: stripslashes($str) 3) Display: htmlspecialchars(nl2br($str)) 1. Types of injection attacks There may be many different types of attack motivations, but at first glance, it appears that there are many more. This is very true - if a malicious user finds a way to perform multiple queries. We will discuss this in detail later in this article. Such as If your script is executing a SELECT instruction, an attacker can force the display of every row in a table by injecting a condition such as "1=1" into the WHERE clause, as shown below (where, Injected parts are shown in bold):

The code is as follows	Copy code
SELECT * FROM wines WHERE variety = 'lagrein' OR 1=1;'

As we discussed earlier, this can be useful information in itself, as it reveals the general structure of the table (something a plain record wouldn't), as well as potentially showing the data containing confidential information. Record.
An updated directive potentially poses a more immediate threat. By placing other attributes in the SET clause, an attacker can modify any field in the currently updated record, such as the following example (in which the injected part is shown in bold):

The code is as follows

Copy code

代码如下	复制代码
UPDATE wines SET type='red'，'vintage'='9999' WHERE variety = 'lagrein'

UPDATE wines SET type='red', 'vintage'='9999' WHERE variety = 'lagrein'

By adding a constant true condition such as 1=1 to the WHERE clause of an update instruction, the scope of this modification can be extended to each record, such as the following example (where the injection part is shown in bold ):

代码如下	复制代码
UPDATE wines SET type='red'，'vintage'='9999 WHERE variety = 'lagrein' OR 1=1;'

The code is as follows	Copy code
UPDATE wines SET type='red', 'vintage'='9999 WHERE variety = 'lagrein' OR 1=1;'

Probably the most dangerous instruction is DELETE - it's not hard to imagine. The injection technique is the same as we've already seen - extending the scope of affected records by modifying the WHERE clause, as in the example below (where the injection part is in bold):

代码如下	复制代码
DELETE FROM wines WHERE variety = 'lagrein' OR 1=1;'

2. Multiple query injection

Multiple query injections will exacerbate the potential damage an attacker can cause - by allowing multiple destructive instructions to be included in a single query. When using the MySQL database, an attacker can easily achieve this by inserting an unexpected terminator into the query - an injected quote (single or double) marks the end of the expected variable; Then terminate the directive with a semicolon. Now, an additional attack command may be added to the end of the now terminated original command. The final destructive query might look like this:

代码如下	复制代码
SELECT * FROM wines WHERE variety = 'lagrein'; GRANT ALL ON . TO 'BadGuy@%' IDENTIFIED BY 'gotcha';'

The code is as follows:

The code is as follows	Copy code
SELECT * FROM wines WHERE variety = 'lagrein'; GRANT ALL ON . TO 'BadGuy@%' IDENTIFIED BY 'gotcha';'

This injection will create a new user BadGuy and give it network privileges (all privileges on all tables); there is also an "ominous" password added to this simple SELECT statement. If you followed our advice in the previous article and strictly limited the privileges of the process user, then this should not work because the web server daemon no longer has the GRANT privileges that you revoked. But in theory, such an attack could give BadGuy free rein to do whatever he wants with your database.

I will share one I wrote below

} function phpsql_post($str){

The code is as follows

代码如下

复制代码

Copy code

function phpsql_show($str){

$str = stripslashes($str);
$str = str_replace("\", "", $str);
$str = str_replace("/", "/", $str);

$str = str_replace(" ", " ", $str);

$str = str_replace(",", ",", $str);

return $str;

$str = stripslashes($str); $str = str_replace("|", "|", $str);

$str = str_replace("<", "<", $str);

Related labels：

php sql analyze exist Summarize method yes injection of Program development question

source：php.cn

Previous article：Summary of how to use php eval function_PHP tutorial Next article：PHP filters special characters in form submission (anti-injection)_PHP tutorial

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn