How to understand the principle of php anti-injection and development security

2025-01-18 Update From: SLTechnology News&Howtos, shulou


Shulou(Shulou.com)06/03 Report--

This article explains how PHP SQL injection works and how to guard against it during development. Many people run into exactly this situation in real projects, so the following walks through the principle and the countermeasures; read it carefully and it should be of practical use.

1. The basic principle of PHP injection

Programmers' skill and experience vary, and a considerable number do not validate the legitimacy of user-supplied data when writing code, which leaves the application with a security hole. A user can submit database query code in place of an expected parameter and, from what the program returns, read out data he wants to know. This is the so-called SQL Injection. Affected systems: any system that does not check and filter its input parameters.

SQL injection process

Normally the page receives the parameters it needs from the address, for example:

PHP100.php?id=2

On the page, the value 2 is written into the SQL statement.

Normal situation: Select * From Table where id=2

Anyone familiar with SQL can see that the 2 can be replaced with whatever SQL fragment he needs, for example:

2 and exists (select id from admin)

The statement then becomes Select * From Table where id=2 and exists (select id from admin): the row for id 2 comes back only if the admin table exists, so the page's response tells the attacker whether that table is there without ever showing him the database.

2. Several methods to prevent injection

The first approach is to match and filter out common SQL keywords and symbols in the input, such as:

select, insert, update, delete, and, *, and so on.

Example:

The copy code is as follows:

function inject_check($sql_str) {
    // Returns 1 if the string contains a blacklisted keyword or symbol (the /i flag makes the match case-insensitive), otherwise 0
    return preg_match('/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
}

Alternatively, escape special symbols with a built-in function:

addslashes(content that needs to be filtered)

addslashes() puts a backslash before single quotes, double quotes, backslashes and NUL bytes. Note that both approaches treat the symptom rather than the cause: a keyword blacklist also rejects legitimate input that happens to contain one of those words or a quote, and escaping only helps where the value sits inside quotes in the SQL text (see the next section). Parameterised (prepared) statements avoid mixing data into SQL text at all.

3. PHP security settings in other places

Set register_globals = Off in php.ini.

Do not omit the quotation marks (single quotes) around values when writing SQL statements:

The copy code is as follows:

Select * From Table Where id=2 (not standard)

Select * From Table Where id='2' (standard; the value is now a string literal, so an injected fragment has to break out of the quotes first, and those quotes are what addslashes() escapes)

Improve database naming: important tables and fields can be given names that follow the program's own conventions rather than obvious ones such as admin.

Encapsulate common database operations in methods so that SQL statements are not exposed directly.

Receive parameters such as $_POST, $_GET and $_SESSION correctly and filter them before use.
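The following is an added example written for this edit in Python with the standard sqlite3 module; it is not code from the original article, whose code is PHP. It puts the three sections together in one runnable piece: the injection through a concatenated id= from section 1, section 2's inject_check() blacklist and addslashes() (ported here as assumed equivalents of the PHP functions), and section 3's advice to quote the value. The table names article and admin and their sample rows are constructed for the demonstration; the payload is the one from the page, and a second payload probing a non-existent users table is constructed to show the error case. Bound parameters, which the article does not cover, are shown as the fix that makes the filters unnecessary.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: the article table the page queries by id,
    and an 'admin' table whose existence is what the page's payload probes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE article (id INTEGER, title TEXT);
        INSERT INTO article VALUES (1, 'hello'), (2, 'world'), (3, 'php');
        CREATE TABLE admin (id INTEGER, name TEXT);
        INSERT INTO admin VALUES (1, 'root');
        """
    )
    return conn


# --- Section 1: how the injection happens --------------------------------

def query_unquoted(conn, id_value: str):
    """Select * From Table Where id=2 built by concatenation (the page's
    'not standard' form): whatever arrives in ?id= is parsed as SQL text."""
    return conn.execute("SELECT * FROM article WHERE id=" + id_value).fetchall()


def query_quoted(conn, id_value: str):
    """Select * From Table Where id='2' built by concatenation (the page's
    'standard' form): the value is a string literal, so an attacker needs a
    quote character to break out of it."""
    return conn.execute("SELECT * FROM article WHERE id='" + id_value + "'").fetchall()


def query_bound(conn, id_value: str):
    """Parameterised query: the value is bound, never parsed as SQL."""
    return conn.execute("SELECT * FROM article WHERE id=?", (id_value,)).fetchall()


def outcome(query_fn, conn, value: str) -> str:
    """What the attacker observes from the page: 'rows', 'none' or 'error'."""
    try:
        rows = query_fn(conn, value)
    except sqlite3.OperationalError:  # e.g. 'no such table: users'
        return "error"
    return "rows" if rows else "none"


# --- Section 2: the page's two filters -----------------------------------

# Python port of the page's inject_check(): case-insensitive keyword blacklist.
INJECT_RE = re.compile(
    r"select|insert|update|delete|'|/\*|\*|\.\./|\./|union|into|load_file|outfile",
    re.IGNORECASE,
)


def inject_check(value: str) -> bool:
    """True when the value contains a blacklisted keyword or symbol."""
    return INJECT_RE.search(value) is not None


def addslashes(value: str) -> str:
    """Assumed equivalent of PHP addslashes(): backslash before ' " \\ and NUL.
    This is MySQL string syntax; SQLite escapes quotes by doubling them, so the
    result is only inspected here, not executed."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


PAYLOAD = "2 and exists (select id from admin)"           # the page's payload
PROBE_MISSING = "2 and exists (select id from users)"     # constructed: no such table

if __name__ == "__main__":
    db = make_db()
    print(query_unquoted(db, "2"))                    # normal request
    print(outcome(query_unquoted, db, PAYLOAD))       # 'rows': admin table exists
    print(outcome(query_unquoted, db, PROBE_MISSING)) # 'error': users table does not
    print(outcome(query_quoted, db, PAYLOAD))         # 'none': payload is just a string
    print(query_bound(db, PAYLOAD))                   # []: payload is just a value
    print(inject_check(PAYLOAD), inject_check("O'Reilly"))  # both True
    print(addslashes(PAYLOAD) == PAYLOAD)             # True: no quote, nothing escaped
```

Run it and compare the three query forms on the same input: the unquoted query answers the attacker's question (rows when the admin table exists, an error when the probed table does not), the quoted form turns the same text into a harmless string literal, and the bound parameter never parses it as SQL at all. The blacklist does catch this payload, but it also rejects ordinary input such as O'Reilly, and addslashes() changes nothing here because the payload carries no quote, which is exactly why the unquoted id=2 form stays unsafe even after escaping.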

This concludes "how to understand the principles of PHP anti-injection and development security". Thank you for reading.
