(1) mysql_real_escape_string -- Escape special characters in strings used in SQL statements, taking into account the current character set of the connection Used as follows:
?
|
1
2
3
|
$sql= "select count(*)
asctr from users where username
='".mysql_real_escape_string($username)."'and
password='".
mysql_real_escape_string($pw)."'limit 1";
|
Use
mysql_real_escape_string()
as a wrapper around user input to avoid any malicious SQL injection in user input.
(2) Turn on magic_quotes_gpc to prevent SQL injection
There is a setting in php.ini: magic_quotes_gpc = Off
This is turned off by default. If it is turned on, it will automatically convert the SQL query submitted by the user,
For example, converting ' to ', etc., plays a significant role in preventing sql injection.
If magic_quotes_gpc=Off, use the addslashes() function
(3) Custom function
?
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
function inject_check($sql_str)
{
returneregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile ',
$sql_str);
}
functionverify_id($id=null)
{
if(!$id)
{
}
elseif
(inject_check($id))
{
elseif(!
is_numeric($id))
{
}
$id= intval(
$id);
return$id;
}
functionstr_check( $str) {
if
(!get_magic_quotes_gpc())
{$ $ Str = Addslashhes (
$ Str);
//
Filter }
$str= str_replace
("_",
"_",
$str);
$str= str_replace
("%",
"%",
$str);
return
$str;
}
functionpost_check($post)
{ if
(!get_magic_quotes_gpc())
{
$post=
str_replace(
"_",
"_",
$post
);
$post
= str_replace("%",
"%",
$post
);
$post= nl2br($post);
$post= htmlspecialchars($post);
}
The above has introduced the most complete method to prevent SQL injection, including all aspects. I hope it will be helpful to friends who are interested in PHP tutorials.
|
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
