The most complete way to prevent SQL injection-PHP Tutorial-php.cn

The most complete way to prevent SQL injection

WBOY

Release： 2016-07-29 08:56:11

Original

1469 people have browsed it

(1) mysql_real_escape_string -- Escape special characters in strings used in SQL statements, taking into account the current character set of the connection

Used as follows:

$sql= "select count(*)asctr from users where username

='".mysql_real_escape_string($username)."'and

password='". mysql_real_escape_string($pw)."'limit 1";

Use

mysql_real_escape_string()

as a wrapper around user input to avoid any malicious SQL injection in user input.

(2) Turn on magic_quotes_gpc to prevent SQL injection

There is a setting in php.ini: magic_quotes_gpc = Off

　 This is turned off by default. If it is turned on, it will automatically convert the SQL query submitted by the user,

For example, converting ' to ', etc., plays a significant role in preventing sql injection.

If magic_quotes_gpc=Off, use the addslashes() function

(3) Custom function

function inject_check($sql_str) {

returneregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile ',$sql_str);

}

functionverify_id($id=null) {

if(!$id) {

}elseif

(inject_check(

$id)) { elseif(!

is_numeric

($id)) {

} $id= intval(

$id

);

return

$id;

}functionstr_check( $str) {

if

(!get_magic_quotes_gpc()) {$

$ Str = Addslashhes (

$ Str

);

// Filter

}

$str= str_replace

(

"_","_",$str);

$str

= str_replace

(

"%","%",$str); return

$str

;}functionpost_check($post) { if

(!get_magic_quotes_gpc()) {

$post=

str_replace

(

"_"

,"_",$post

);

$post

str_replace("%","%",$post

);

$post

= nl2br($post); $post= htmlspecialchars($post);

}

The above has introduced the most complete method to prevent SQL injection, including all aspects. I hope it will be helpful to friends who are interested in PHP tutorials.