How to prevent SQL injection from PHP

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article explains how to prevent SQL injection in PHP. The content is easy to follow and should help clear up doubts about the topic; follow along with the editor to study the article "How to prevent SQL injection in PHP".

When it comes to website security, SQL injection (SQL Injection) has to be mentioned. If you have used ASP, you will know SQL injection well. PHP is comparatively safer, because subqueries are not supported in MySQL versions below 4, and when magic_quotes_gpc in php.ini is On, every ' (single quote), " (double quote), \ (backslash) and NUL character in submitted variables is automatically escaped with a backslash, which makes SQL injection considerably harder.

Note the word "harder": this does not mean that PHP prevents SQL injection. The book discusses ways to bypass the escaping by re-encoding the injected statement, for example converting the SQL into ASCII codes (something like char(100108104111115116 …)), into hexadecimal, or into other encodings, so that the escape filter is bypassed. So how do we prevent it?

A. Turn on magic_quotes_gpc or use the addslashes() function

In newer PHP versions there is no conflict between having magic_quotes_gpc turned on and also calling addslashes(). For better version compatibility, however, it is recommended to check the magic_quotes_gpc status before calling the escaping function, or to turn magic_quotes_gpc off altogether. The code is as follows:

PHP code that protects against SQL injection:

<?php
// Remove the escape characters added by magic_quotes_gpc (recursively for arrays)
function stripslashes_array($array) {
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } else if (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}

// Disable magic_quotes_runtime (deprecated since PHP 5.3, removed in PHP 7.0)
@set_magic_quotes_runtime(0);

// Check the magic_quotes_gpc state (deprecated since PHP 7.4, removed in PHP 8.0)
// and undo its escaping, so that the data is escaped once, explicitly, later on
if (@get_magic_quotes_gpc()) {
    $_GET    = stripslashes_array($_GET);
    $_POST   = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}

Remove the escaping done by magic_quotes_gpc before calling the addslashes function; the code is as follows:

PHP code that protects against SQL injection:

$keywords = addslashes($keywords);
$keywords = str_replace("_", "\_", $keywords); // escape "_"
$keywords = str_replace("%", "\%", $keywords); // escape "%"

The last two str_replace calls escape the LIKE wildcard characters "_" and "%", so that an attacker cannot reshape the SQL by turning a submitted keyword into a wildcard pattern.

B. Force the variable's character format (type)

In many cases we use URLs like xxx.php?id=xxx. Generally speaking, $id is an integer variable. To prevent an attacker from tampering with $id and turning it into an attack statement, we should force the variable's type wherever possible:

PHP code that protects against SQL injection:

$id = intval($_GET['id']);

Of course there are other variable types, so force the format whenever necessary.

C. Put variables inside quotation marks in SQL statements

This is simple, but it is also easy to fall out of the habit. Look at these two SQL statements:

SQL code:

SELECT * FROM article WHERE articleid='$id'
SELECT * FROM article WHERE articleid=$id

Both forms are common in all kinds of programs, but their security differs. In the first statement the variable $id sits inside a pair of single quotes, so everything we submit becomes a string; even if it contains a valid SQL statement, that statement will not execute normally (provided the quote characters inside $id have been escaped as in section A). The second statement is different: because the variable is not quoted, anything we submit that contains a space has the text after that space executed as SQL. So we should get into the habit of quoting variables in SQL statements.
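An added example, not from the original article, that combines measures A, B and C in one query builder: the id is forced to an integer, the keyword is escaped with addslashes plus the LIKE wildcards, and both are placed inside quotes. The table and column names and the sample inputs are constructed.

```php
<?php
// Added example (not from the original article): combines the article's
// three measures, escaping (A), type forcing (B) and quoting (C), in one
// query builder. Table/column names and the inputs below are constructed.

// Escape a string for use inside single quotes, and also escape the LIKE
// wildcards "_" and "%" so user input cannot act as a wildcard (section A).
function escape_like(string $value): string {
    $value = addslashes($value);                 // escapes ' " \ and NUL
    $value = str_replace('_', '\_', $value);     // literal underscore
    $value = str_replace('%', '\%', $value);     // literal percent
    return $value;
}

// Build the lookup query: the id is forced to an integer (section B) and the
// keyword is escaped and placed inside quotes (section C).
function build_article_query(array $get): string {
    $id      = intval($get['id'] ?? 0);
    $keyword = escape_like((string)($get['q'] ?? ''));
    return "SELECT * FROM article WHERE articleid='$id' AND title LIKE '%$keyword%'";
}

// Constructed inputs: a non-numeric id, and a keyword containing a quote,
// a trailing backslash and both LIKE wildcards.
$input = ['id' => '12abc', 'q' => "O'Neil 50%_off\\"];
echo build_article_query($input), PHP_EOL;
// SELECT * FROM article WHERE articleid='12' AND title LIKE '%O\'Neil 50\%\_off\\%'
```

On PHP 7.4 and later the magic_quotes functions are gone, so only the explicit addslashes path applies; prepared statements (PDO or mysqli) are the modern replacement for assembling SQL from strings at all.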

D. URL pseudo-static

URL pseudo-static, that is, URL rewriting, as used by Discuz! for example. Rewriting all URLs into a format like xxx-xxx-x.html is a good idea: it not only helps SEO but also gives a certain degree of protection. To achieve PHP protection against SQL injection this way, however, you need some grounding in regular expressions.

The above is the whole content of the article "How to prevent SQL injection in PHP". Thank you for reading! I believe everyone now has a basic understanding of the topic, and I hope the content shared here helps you; if you want to learn more, you are welcome to follow the industry information channel!
