Home>Article>Backend Development> PHP anti-sql injection principle
SQL injection: By inserting SQL commands into Web form submissions or entering query strings for domain names or page requests, it ultimately deceives the server into executing malicious SQL commands.
# Prepared statements are very useful for SQL injection, because different protocols are used after the parameter values are sent, ensuring the legitimacy of the data. Preprocessing is seen as a compiled template of the SQL you want to run, which can be customized using variable parameters. (Recommended learning:PHP video tutorial)
Defense method one
##mysql_real_escape_string – Escape the string used in the SQL statement special characters, taking into account the connection's current character set!
$sql = "select count(*) as ctr from users where username ='".mysql_real_escape_string($username)."' and password='". mysql_real_escape_string($pw)."' limit 1";
Method 2:
Open magic_quotes_gpc to prevent SQL injection. There is a setting in php.ini: magic_quotes_gpc = Off. This is turned off by default. If it is turned on, it will automatically convert user-submitted queries to sql, such as converting ' to ', etc., to prevent sql Injections make all the difference. If magic_quotes_gpc=Off, use the addslashes() function.Method 3:
Custom functionfunction check_param($value=null) { #select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile $str = 'select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile'; if(!$value) { exit('没有参数!'); }elseif(eregi($str, $value)) { exit('参数非法!'); } return true; } function str_check( $value ) { if(!get_magic_quotes_gpc()) { // 进行过滤 $value = addslashes($value); } $value = str_replace("_", "\_", $value); $value = str_replace("%", "\%", $value); return $value; } function post_check($value) { if(!get_magic_quotes_gpc()) { // 进行过滤 $value = addslashes($value); } $value = str_replace("_", "\_", $value); $value = str_replace("%", "\%", $value); $value = nl2br($value); $value = htmlspecialchars($value); return $value; }
The above is the detailed content of PHP anti-sql injection principle. For more information, please follow other related articles on the PHP Chinese website!