(1) mysql_real_escape_string -- escapes the special characters in a string that is going to be used in an SQL statement, taking into account the current character set of the connection. Used as follows:

    // Each user-supplied value is escaped and placed inside single quotes in the SQL text
    $sql = "select count(*) as ctr from users where username = '"
         . mysql_real_escape_string($username) . "' and password = '"
         . mysql_real_escape_string($pw) . "' limit 1";
Use mysql_real_escape_string() as a wrapper around user input to stop malicious input from altering the SQL statement.
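The same login lookup written against the mysqli extension, as an added example that is not part of the original article (the mysql_* functions the article uses were removed in PHP 7.0). The connection parameters and the layout of the users table are assumptions. The first function keeps the article's escape-then-concatenate approach; the second does the same lookup with a prepared statement, where the values travel separately from the SQL text and need no escaping at all.

```php
<?php
// Added example: mysqli versions of the article's login query.
// Connection parameters below are placeholders, not real credentials.

// Escape-and-concatenate, the article's approach. real_escape_string() needs an
// open connection because it escapes according to the connection's character set.
function find_user_escaped(mysqli $db, string $username, string $pw): ?array
{
    $u = $db->real_escape_string($username);
    $p = $db->real_escape_string($pw);
    // Escaping only protects values that sit inside quotes in the SQL text,
    // so every escaped value must be wrapped in quotes here.
    $sql = "SELECT COUNT(*) AS ctr FROM users WHERE username = '$u' AND password = '$p' LIMIT 1";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Prepared statement: the SQL text contains only placeholders, and the values
// are bound afterwards, so no character in them can change the statement.
function find_user_prepared(mysqli $db, string $username, string $pw): ?array
{
    $stmt = $db->prepare("SELECT COUNT(*) AS ctr FROM users WHERE username = ? AND password = ? LIMIT 1");
    $stmt->bind_param('ss', $username, $pw);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() requires the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Usage with placeholder connection details and a constructed input that
// contains an apostrophe, the character that breaks an unescaped query.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');   // placeholders
$db->set_charset('utf8mb4');   // set the charset on the connection so real_escape_string() knows it
var_dump(find_user_escaped($db, "O'Brien", 'secret'));
var_dump(find_user_prepared($db, "O'Brien", 'secret'));
```

Two points worth keeping in mind: real_escape_string() must be given the connection's real character set, which is why the charset is set with set_charset() rather than a separate SET NAMES query that the escaping function would not see; and the article's query compares the password in plain text, whereas a real application fetches the stored hash for the username and checks it with password_verify().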
(2) Turn on magic_quotes_gpc to prevent SQL injection
There is a setting in php.ini: magic_quotes_gpc = Off
It is off by default. If it is turned on, PHP automatically escapes the data submitted by the user (GET, POST and cookie values), for example converting ' to \', which goes a long way toward preventing SQL injection.
If magic_quotes_gpc = Off, use the addslashes() function instead.
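A helper that applies addslashes() to request input exactly once, as an added example that is not from the article. It avoids double escaping when magic_quotes_gpc is on, walks nested arrays the way magic quotes did, and copes with newer PHP: magic quotes were removed in PHP 5.4, after which get_magic_quotes_gpc() always returned false, and the function itself was removed in PHP 8.0, so the call is guarded with function_exists(). The function names and the sample input are the example's own.

```php
<?php
// Added example: apply addslashes() to GPC-style input once, on any PHP version.

function magic_quotes_active(): bool
{
    // Absent on PHP 8; deprecated on 7.4 (hence @); always false from 5.4 to 7.3.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

function slash_input($value)
{
    if (is_array($value)) {
        // GET/POST/COOKIE values can be nested arrays (e.g. name="ids[]");
        // magic quotes escaped those recursively, so do the same here.
        return array_map('slash_input', $value);
    }
    if (magic_quotes_active()) {
        // PHP already added the backslashes; escaping again would double them
        // and the value stored in the database would be wrong.
        return $value;
    }
    return addslashes((string) $value);
}

// Constructed sample request data, standing in for $_POST
$sample = [
    'username' => "O'Brien",
    'tags'     => ["rock'n'roll", 'plain'],
];
var_dump(slash_input($sample));
```

addslashes() works on bytes and knows nothing about the connection's character set, unlike the escaping function in section (1), so this helper is a fallback for the magic-quotes era rather than a replacement for connection-aware escaping or prepared statements.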
(3) Custom function
    function inject_check($sql_str)
    {
        // Keyword blacklist. eregi() was removed in PHP 7.0; preg_match() with the
        // i modifier is the case-insensitive equivalent. The regex metacharacters
        // in the original list (' / * .) are escaped so the pattern compiles.
        return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
    }

    function verify_id($id = null)
    {
        if (!$id)
        {
            // The bodies of these three branches (error messages) were lost in
            // extraction; returning false is assumed here so a rejected id is never used.
            // Note that !$id also rejects "0" and "".
            return false;
        }
        elseif (inject_check($id))
        {
            return false;
        }
        elseif (!is_numeric($id))
        {
            return false;
        }
        $id = intval($id);
        return $id;
    }

    function str_check($str)
    {
        if (!get_magic_quotes_gpc())   // get_magic_quotes_gpc() was removed in PHP 8.0
        {
            $str = addslashes($str);   // filter: backslash-escape ' " \ and NUL
        }
        // Escape the LIKE wildcards so user input cannot widen a LIKE pattern
        $str = str_replace("_", "\_", $str);
        $str = str_replace("%", "\%", $str);
        return $str;
    }

    function post_check($post)
    {
        if (!get_magic_quotes_gpc())
        {
            $post = addslashes($post);   // line lost in extraction, restored by analogy with str_check()
        }
        $post = str_replace("_", "\_", $post);
        $post = str_replace("%", "\%", $post);
        // Encode HTML first, then convert newlines: in the original order
        // htmlspecialchars() would also encode the <br /> tags nl2br() inserted.
        $post = htmlspecialchars($post);
        $post = nl2br($post);
        return $post;
    }
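The inject_check() blacklist above matches substrings, so ordinary values that happen to contain "and", "or" or "into" are rejected while anything not on the list passes. The following added example (not from the article) contrasts that blacklist with validators that accept only what a field is allowed to contain; it also shows why ctype_digit() is a tighter id check than the is_numeric() used in verify_id(). Function names and sample values are the example's own.

```php
<?php
// Added example: keyword blacklist versus per-field whitelist validation.

// Same keyword list as inject_check(), written for preg_match()
function blacklist_check(string $s): bool
{
    return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $s) === 1;
}

// An id is a non-empty run of ASCII digits. is_numeric() would also accept
// "1.5", "1e3", "-1" and leading whitespace, which intval() then silently coerces.
function is_valid_id($id): bool
{
    if (is_int($id)) {
        return $id >= 0;
    }
    return is_string($id) && ctype_digit($id);   // ctype_digit('') is false
}

// A username is 3 to 32 characters from a fixed alphabet. \A and \z anchor the
// whole string; a plain $ would still allow a trailing newline.
function is_valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $name) === 1;
}

// Constructed inputs: the first three are ordinary names that contain a
// blacklisted word as a substring ("and", "and", "or").
$names = ['Sandor', 'Andrew', 'victoria', 'bob', 'a b', "x'y"];
foreach ($names as $n) {
    printf("%-10s blacklist rejects: %-3s  whitelist accepts: %s\n",
        $n, blacklist_check($n) ? 'yes' : 'no', is_valid_username($n) ? 'yes' : 'no');
}

// Constructed id values: compare the article's is_numeric() test with the digit-only check
foreach (['42', '007', '1e3', ' 12', '-1', ''] as $id) {
    printf("id %-6s is_numeric: %-5s is_valid_id: %s\n",
        var_export($id, true),
        is_numeric($id) ? 'true' : 'false',
        is_valid_id($id) ? 'true' : 'false');
}
```

Whitelisting describes the field rather than the attacker, so it does not need a keyword list that is both too broad (ordinary names) and never complete; the validated value should still be sent to the database through escaping or, better, a prepared statement as in section (1).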
The above has covered the methods of preventing SQL injection in PHP from several angles. I hope it is helpful to readers interested in PHP.